PROFILING HACKERS' SKILL LEVEL BY STATISTICALLY CORRELATING THE RELATIONSHIP BETWEEN TCP CONNECTIONS AND SNORT ALERTS

Khiem Lam
Challenges to Troubleshooting a Compromised Network

• Time consuming to find the vulnerabilities that were exploited
• Difficult to determine what exploits or backdoors were planted
• Uncertain of the degree of damage

Motivation for Profiling Hackers

• Can profiling the attacker's skill level assist with risk management?
• Understand the level of threat
• Narrow down which vulnerabilities are likely to have been exploited
• Reduce the time and resources spent investigating the "what if" scenarios

Approach - Hypothesis of a Skilled Attacker's Behavior

• Avoids IDS detection if they know the rule set in advance
• Avoids common techniques to reduce the chance of detection
• Establishes many short connections

If these hypotheses are true, then there must be patterns that group attackers by their behavior!

Exploratory Approach

• Phase 1: Data Acquisition/Separation
• Phase 2: Data Standardization/Formatting
• Phase 3: Cluster Analysis

Phase 1 – Data Acquisition/Separation

(Diagram, described in text.) Two data sets are produced from the competition captures:

• TCP connection data: the competition PCAP captures are split by team subnet into Team A's pcap, Team B's pcap, and so on, and each team's pcap is reduced to that team's connection info.
• IDS alerts data: the competition Snort alert logs (as generated during the event) plus updated Snort alert logs, produced by replaying the PCAP captures through the Snort application with an updated rule set.
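Phase 1 in code, as an added example that is not part of the original slides: a parser for Snort's alert_fast output that attributes each alert to a team by the subnet of either endpoint. The team subnets, the alert lines and the capture year are constructed for the example; the slides do not give the competition's subnets or data. Crediting an alert to a team when the team address is the destination (so a target's ATTACK-RESPONSES alert counts against the team that provoked it) is this example's design choice, not the slides'.

```python
"""Parse Snort alert_fast lines and attribute each alert to a team by subnet.
Added example; team subnets, alert lines and the capture year are constructed."""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Hypothetical team subnet assignments (constructed; not from the slides).
TEAM_SUBNETS = {
    "Team A": ipaddress.ip_network("10.1.1.0/24"),
    "Team B": ipaddress.ip_network("10.1.2.0/24"),
}

# Constructed sample lines in Snort's alert_fast output format.
SAMPLE_ALERTS = """\
03/12-14:02:11.104233  [**] [1:1418:11] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.7:51304 -> 10.1.0.10:161
03/12-14:02:14.551900  [**] [1:1418:11] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.1.7:51305 -> 10.1.0.10:161
03/12-14:03:40.000121  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.2.20:1434 -> 10.1.0.10:1434
03/12-14:05:02.771010  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.0.10:80 -> 10.1.1.7:51399
03/12-14:09:59.310008  [**] [1:1418:11] SNMP request tcp [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.77.5:40000 -> 10.1.0.10:161
"""

# alert_fast layout: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {proto} src[:port] -> dst[:port]. Ports are absent for ICMP.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alert(line, year=2012):
    """Return a dict for one alert_fast line, or None if it does not match."""
    m = FAST_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # alert_fast timestamps carry no year; the year is an assumed parameter.
    d["ts"] = datetime.strptime(f"{year}/{d['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    d["sid"] = int(d["sid"])
    d["prio"] = int(d["prio"])
    return d


def team_for(addr, subnets=TEAM_SUBNETS):
    """Name of the team whose subnet contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for team, net in subnets.items():
        if ip in net:
            return team
    return None


def attribute_alerts(text, subnets=TEAM_SUBNETS):
    """Split alert lines by team. An alert belongs to the team whose subnet holds
    either endpoint, so a response from the target (server -> team) is credited
    to the team that triggered it. Alerts matching no team are returned
    separately rather than silently dropped."""
    per_team = {t: [] for t in subnets}
    unattributed = []
    for line in text.splitlines():
        a = parse_fast_alert(line)
        if a is None:
            continue
        team = team_for(a["src"], subnets) or team_for(a["dst"], subnets)
        if team is None:
            unattributed.append(a)
        else:
            per_team[team].append(a)
    return per_team, unattributed


def alert_summary(per_team):
    """Per-team alert count and the two most frequent signature IDs."""
    return {t: (len(alerts), Counter(a["sid"] for a in alerts).most_common(2))
            for t, alerts in per_team.items()}
```

The unattributed list is worth keeping: in the slides' pipeline an alert whose endpoints match no team subnet is either scanner traffic from outside the competition or a sign that the subnet table is wrong, and either way it should not be silently folded into a team's count.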

Phase 2 – Data Standardization

(Diagram, described in text.) For each team, the team's connection info, the competition Snort alert logs and the updated Snort alert logs are aggregated with the R statistical tool and written out in CSV format as that team's aggregated data by time period (Team A's aggregated data by time period, and likewise for the other teams).

Phase 2 – Example of Actual Aggregated Data

(Table not reproduced.) This is the aggregated data for two teams connecting to one service.

Results – Graph of the Aggregated Data

(Graph not reproduced.)

Phase 3 – Cluster Analysis Using R

• Find correlation between attributes
• Add weights

(Diagram, described in text.) Team A's, Team B's and Team C's aggregated data by time period are combined into the cluster data; the Euclidean distance between rows is computed, cluster analysis is run on the result, and the results are plotted.

Phase 3 - Example of Actual Cluster Data

(Table not reproduced.) This is the cluster data of all teams connecting to one service.
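Phases 2 and 3 in code, as an added example that is not part of the original slides (the slides do this step in R; this is a pure-Python equivalent that also exercises the "many short connections" hypothesis from the approach slide). The connection and alert records, the 15-minute period, the four features (connections per period, mean connection duration, alerts per period, alerts per connection), the z-score standardization and the choice of k=2 are all assumptions constructed for the example; the slides' actual attributes and weights are not given.

```python
"""Aggregate per-team TCP connections and IDS alerts by time period, standardize
the features, and cluster teams with Euclidean distance and k-means.
Added example; all input records and feature choices are constructed."""
import math
import random
from collections import defaultdict

PERIOD = 15 * 60  # seconds; the slides propose 5/15/30-minute periods

# Constructed connection records: (team, start_seconds, duration_seconds).
# Team A is built to open many short connections; B and C open few long ones.
CONNECTIONS = [
    ("A", 10, 0.4), ("A", 25, 0.3), ("A", 40, 0.5), ("A", 70, 0.2), ("A", 120, 0.6),
    ("A", 900, 0.3), ("A", 950, 0.4), ("A", 1000, 0.2), ("A", 1100, 0.5),
    ("B", 15, 45.0), ("B", 300, 60.0), ("B", 1000, 30.0),
    ("C", 20, 50.0), ("C", 400, 40.0), ("C", 950, 35.0),
]
# Constructed alert records: (team, seconds). Team A trips no alerts.
ALERTS = [("B", 20), ("B", 305), ("B", 310), ("B", 1005), ("C", 25), ("C", 410), ("C", 955)]

FEATURES = ("connections", "mean_duration", "alerts", "alerts_per_conn")


def aggregate(conns, alerts, period=PERIOD):
    """Return {(team, period_index): feature row}, the per-period table the
    slides build in R. Periods with alerts but no connections yield 0.0 ratios."""
    rows = defaultdict(lambda: {"connections": 0, "duration_sum": 0.0, "alerts": 0})
    for team, start, dur in conns:
        r = rows[(team, int(start // period))]
        r["connections"] += 1
        r["duration_sum"] += dur
    for team, t in alerts:
        rows[(team, int(t // period))]["alerts"] += 1
    out = {}
    for key, r in rows.items():
        n = r["connections"]
        out[key] = {
            "connections": n,
            "mean_duration": r["duration_sum"] / n if n else 0.0,
            "alerts": r["alerts"],
            "alerts_per_conn": r["alerts"] / n if n else 0.0,
        }
    return out


def team_vectors(agg, features=FEATURES):
    """Average each team's per-period rows into one feature vector per team."""
    by_team = defaultdict(list)
    for (team, _), row in agg.items():
        by_team[team].append([row[f] for f in features])
    return {t: [sum(col) / len(rows) for col in zip(*rows)] for t, rows in by_team.items()}


def standardize(vectors):
    """Z-score each feature so raw connection counts do not swamp durations."""
    names = list(vectors)
    cols = list(zip(*(vectors[n] for n in names)))
    scaled = []
    for col in cols:
        mu = sum(col) / len(col)
        sd = math.sqrt(sum((x - mu) ** 2 for x in col) / len(col)) or 1.0
        scaled.append([(x - mu) / sd for x in col])
    return {n: [scaled[j][i] for j in range(len(cols))] for i, n in enumerate(names)}


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def distance_matrix(vectors):
    """Pairwise Euclidean distances keyed by (team_p, team_q) with p < q."""
    names = list(vectors)
    return {(p, q): euclid(vectors[p], vectors[q]) for p in names for q in names if p < q}


def kmeans(vectors, k=2, seed=0, iters=50):
    """Plain Lloyd's k-means; returns {team: cluster_id}. Seeded so runs repeat."""
    names = list(vectors)
    centers = [list(vectors[n]) for n in random.Random(seed).sample(names, k)]
    labels = {}
    for _ in range(iters):
        labels = {n: min(range(k), key=lambda c: euclid(vectors[n], centers[c])) for n in names}
        new = []
        for c in range(k):
            members = [vectors[n] for n in names if labels[n] == c]
            new.append([sum(col) / len(members) for col in zip(*members)] if members else centers[c])
        if new == centers:
            break
        centers = new
    return labels


def cluster_teams(conns=CONNECTIONS, alerts=ALERTS, k=2):
    """Full Phase 2 + Phase 3 pass: aggregate, standardize, cluster."""
    vec = standardize(team_vectors(aggregate(conns, alerts)))
    return kmeans(vec, k=k), distance_matrix(vec)
```

With these inputs Team A (many short, alert-free connections) lands in its own cluster and B and C land together, whichever two teams the seed picks as initial centers. The standardize step matters: without it mean_duration (tens of seconds) dominates the Euclidean distance and the connection-count signal the hypothesis depends on is lost. The slides' "add weights" step would sit after standardization, multiplying each z-scored feature by its weight. With ten teams and only a handful of periods, rerun kmeans with several seeds and check that the membership is stable before reading anything into the clusters.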

Results – Euclidean Cluster Graph

(Graph not reproduced.) Teams ranked by flags submitted:

Team   # flags submitted
3      51
4      40
8      29
2      28
6       8
9       7
10      7
7       2
1       0
5       0

Results – K-Means Cluster

K-Means cluster plot (not reproduced), shown alongside the same team / flags-submitted table as the Euclidean cluster graph.

Limitations of Current Approach

• Relies on competition data (time period, team subnet info)
• Assumes attackers know of the competition's alert rules in advance
• Assumes the number of submitted flags is a reliable criterion for measuring an attacker's skill
• Results are inconsistent between different services

Future Work for Improvement

• Experiment with varying time periods (5 minutes, 15 minutes, 30 minutes)
• Extend the updated alert rules to capture more events
• Add additional features (Andrew and Nikunj's TCP stream distance)
• Weight the correlation between attributes
• Explore other R analysis methods


Questions?