Presentation is loading. Please wait.

Presentation is loading. Please wait.

PROFILING HACKERS' SKILL LEVEL BY STATISTICALLY CORRELATING THE RELATIONSHIP BETWEEN TCP CONNECTIONS AND SNORT ALERTS Khiem Lam.

Published byOswald Poole Modified over 9 years ago

Similar presentations

Presentation on theme: "PROFILING HACKERS' SKILL LEVEL BY STATISTICALLY CORRELATING THE RELATIONSHIP BETWEEN TCP CONNECTIONS AND SNORT ALERTS Khiem Lam."— Presentation transcript:

1 PROFILING HACKERS' SKILL LEVEL BY STATISTICALLY CORRELATING THE RELATIONSHIP BETWEEN TCP CONNECTIONS AND SNORT ALERTS Khiem Lam

2 Challenges to Troubleshooting Compromised Network  Time consuming to find vulnerabilities  Difficult to determine planted exploits  Uncertain of the degree of damage

3 Motivation for Profiling Hackers  Can profiling the attacker’s skill level assist with risk management?  Understand the level of threat  Know the possibilities of vulnerabilities  Reduce time and resource to investigate the “what if” scenarios

4 Approach - Hypothesis of Skilled Attacker’s Behavior  Avoid IDS detection if they know the rule set in advance  Avoid common techniques to reduce chances of detection  Establishes many short connections  If these hypothesis are true, then there must be patterns to group attackers based on their behavior!

5 Exploratory Approach Data Acquisition/Separation Data Standardization/Formatting Cluster Analysis

6 Phase 1 – Data Acquisition/Separation Competition Snort Alerts Logs Updated Snort Alerts Logs TCP Connection DataIDS Alerts Data Competition PCAP Captures Team A’s Pcap Team B’s Pcap Team A Connection Info Team B Connection Info Snort Application

7 Phase 2 – Data Standardization Team A Connection Info Updated Snort Alerts Logs Data Aggregation using R Statistical Tool Competition Snort Alerts Logs CSV Format Team A’s Aggregated Data by Time Period

8 Phase 2 – Example of Actual Aggregated Data This is the aggregated data for two teams connecting to one service

9 Results – Graph of the Aggregated Data

10 Phase 3 – Cluster Analysis Using R Find correlation between attributes Add weights Team A’s Aggregated Data by Time Period Team B’s Aggregated Data byTime Period Team C’s Aggregated Data by Time Period Cluster Data Euclidean Distance Cluster Analysis Results + Graphs

11 Phase 3 - Example of Actual Cluster Data This is the cluster data of all teams connecting to one service

12 Results – Euclidean Cluster Graph Team# flags submitted 351 440 829 228 68 97 107 72 10 50

13 Results – K-Mean Cluster K-Mean Cluster Plot Team# flags submitted 351 440 829 228 68 97 107 72 10 50

14 Limitations of Current Approach  Rely on competition data (time period, team subnet info)  Assume attackers know of competition alerts in advance  Assume submitted flags is reliable criteria to measure attacker’s skills  Inconsistency between different services

15 Future Work for Improvement  Experiment with varying time period (5 minutes, 15 minutes, 30 minutes)  Increase updated alert rules to capture more events  Add additional features (Andrew and Nikunj’s TCP stream distance)  Weigh the correlation between attributes  Explore other R’s analysis

16 Questions?

Download ppt "PROFILING HACKERS' SKILL LEVEL BY STATISTICALLY CORRELATING THE RELATIONSHIP BETWEEN TCP CONNECTIONS AND SNORT ALERTS Khiem Lam."

Similar presentations

Cyber-Security: Some Thoughts

Cyber-Security: Some Thoughts
CONTEXT-BASED INTRUSION DETECTION USING SNORT, NESSUS AND BUGTRAQ DATABASES Presented by Frédéric Massicotte Communications Research Centre Canada Department.

CONTEXT-BASED INTRUSION DETECTION USING SNORT, NESSUS AND BUGTRAQ DATABASES Presented by Frédéric Massicotte Communications Research Centre Canada Department.
Guide to Computer Forensics and Investigations1 Network Forensics Overview Network forensics –Systematic tracking of incoming and outgoing traffic To ascertain.

Guide to Computer Forensics and Investigations1 Network Forensics Overview Network forensics –Systematic tracking of incoming and outgoing traffic To ascertain.
Honeypot 서울과학기술대학교 Jeilyn Molina 121336101. Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.

Honeypot 서울과학기술대학교 Jeilyn Molina Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.
P REDICTING ZERO - DAY SOFTWARE VULNERABILITIES THROUGH DATA MINING Su Zhang Department of Computing and Information Science Kansas State University 1.

P REDICTING ZERO - DAY SOFTWARE VULNERABILITIES THROUGH DATA MINING Su Zhang Department of Computing and Information Science Kansas State University 1.
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.

NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Report on Intrusion Detection and Data Fusion By Ganesh Godavari.

Report on Intrusion Detection and Data Fusion By Ganesh Godavari.
EECS 598-2 Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.

EECS Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
1 Host Based Intrusion Detection: Analyzing System Logs Bob Winding, Vikram Ahmed University of Notre Dame 12/13/2006.

1 Host Based Intrusion Detection: Analyzing System Logs Bob Winding, Vikram Ahmed University of Notre Dame 12/13/2006.
Neural Technology and Fuzzy Systems in Network Security Project Progress 2 Group 2: Omar Ehtisham Anwar 2005-02-0129 Aneela Laeeq 2005-02-0023.

Neural Technology and Fuzzy Systems in Network Security Project Progress 2 Group 2: Omar Ehtisham Anwar Aneela Laeeq
12/6/2010CS 591 - Andrew Bates - UCCS1 Intrusion Detection and Advanced Persistent Threats CS 591 Andrew Bates University of Colorado at Colorado Springs.

12/6/2010CS Andrew Bates - UCCS1 Intrusion Detection and Advanced Persistent Threats CS 591 Andrew Bates University of Colorado at Colorado Springs.
Report on statistical Intrusion Detection systems By Ganesh Godavari.

Report on statistical Intrusion Detection systems By Ganesh Godavari.
National Institute of Standards and Technology Computer Security Division Information Technology Laboratory Threat Information Sharing; Perspectives, Strategies,

National Institute of Standards and Technology Computer Security Division Information Technology Laboratory Threat Information Sharing; Perspectives, Strategies,
Neural Technology and Fuzzy Systems in Network Security Project Progress Group 2: Omar Ehtisham Anwar 2005-02-0129 Aneela Laeeq 2005-02-0023.

Neural Technology and Fuzzy Systems in Network Security Project Progress Group 2: Omar Ehtisham Anwar Aneela Laeeq
Honeypot An instrument for attracting and detecting attackers Adapted from R. Baumann.

Honeypot An instrument for attracting and detecting attackers Adapted from R. Baumann.
Project Description The project basically consists of three main components-Attacker, Defender, and Observer. Our project scenario is the following: A.

Project Description The project basically consists of three main components-Attacker, Defender, and Observer. Our project scenario is the following: A.
The Research Process. Purposes of Research  Exploration gaining some familiarity with a topic, discovering some of its main dimensions, and possibly.

The Research Process. Purposes of Research  Exploration gaining some familiarity with a topic, discovering some of its main dimensions, and possibly.

Similar presentations

Ads by Google