Upload
oswald-poole
View
214
Download
1
Embed Size (px)
Citation preview
PROFILINGHACKERS' SKILL LEVEL BY STATISTICALLY CORRELATING THE RELATIONSHIPBETWEEN TCP CONNECTIONS AND SNORT ALERTS
Khiem Lam
Challenges to Troubleshooting Compromised Network
Time consuming to find vulnerabilities Difficult to determine planted exploits Uncertain of the degree of damage
Motivation for Profiling Hackers Can profiling the attacker’s skill level
assist with risk management? Understand the level of threat Know the possibilities of vulnerabilities Reduce time and resource to investigate
the “what if” scenarios
Approach - Hypothesis of Skilled Attacker’s Behavior
Avoid IDS detection if they know the rule set in advance
Avoid common techniques to reduce chances of detection
Establishes many short connections If these hypothesis are true, then there
must be patterns to group attackers based on their behavior!
Exploratory Approach
Data Acquisition/Separation
Data Standardization/Formatting
Cluster Analysis
Phase 1 – Data Acquisition/Separation
Competition Snort Alerts
Logs
Updated Snort Alerts Logs
TCP Connection Data IDS Alerts Data
Competition PCAP Captures
Team A’s
Pcap
Team B’s
Pcap
Team AConnection Info
Team BConnection Info
Snort Applicatio
n
Phase 2 – Data Standardization
Team AConnection Info
Updated Snort Alerts Logs
Data Aggregation using R Statistical Tool
Competition Snort Alerts
Logs
CSV Format
Team A’s Aggregated Data by Time Period
Phase 2 – Example of Actual Aggregated Data
This is the aggregated data for two teams connecting to one service
Results – Graph of the Aggregated Data
Phase 3 – Cluster Analysis Using R
• Find correlation between attributes
• Add weights
Team A’s Aggregated Data by Time Period
Team B’s Aggregated Data
byTime Period
Team C’s Aggregated Data by Time Period
Cluster Data Euclidean
Distance
Cluster Analysis
Results + Graphs
Phase 3 - Example of Actual Cluster Data
This is the cluster data of all teams connecting to one service
Results – Euclidean Cluster Graph
Team # flags submitted
3 51
4 40
8 29
2 28
6 8
9 7
10 7
7 2
1 0
5 0
Results – K-Mean Cluster
K-Mean Cluster PlotTeam # flags
submitted
3 51
4 40
8 29
2 28
6 8
9 7
10 7
7 2
1 0
5 0
Limitations of Current Approach Rely on competition data (time period,
team subnet info) Assume attackers know of competition
alerts in advance Assume submitted flags is reliable
criteria to measure attacker’s skills Inconsistency between different services
Future Work for Improvement Experiment with varying time period (5
minutes, 15 minutes, 30 minutes) Increase updated alert rules to capture
more events Add additional features (Andrew and
Nikunj’s TCP stream distance) Weigh the correlation between attributes Explore other R’s analysis
Questions?