Understanding the context of network traffic alerts
Bram C.M. Cappers, Jarke J. van Wijk
b.c.m.cappers@tue.nl, j.j.v.wijk@tue.nl

Advanced Persistent Threats
Infiltration
Expansion
Sabotage
Espionage
Disrupting services

Data
PCAP, Wireshark Protocol Analyzer, Multivariate data

Overview
Attributes, Messages + Alerts, Conversations, Selections

Exploration
Alerts, Messages, Attributes
What? When? Where?
Alert: ip.src = 192.168.0.1, file = EvilText.txt, action = create
(plot axes: Time, #Messages)

CoNTA
Alerts, Messages, Attributes
(plot axes: Time, #Messages)

Context
(figure: message sequences for hosts 192.168.0.1 and 192.168.0.2, made up of Open Valve, Close Valve, Read a.txt, Read b.txt)
How about other attributes?

Context
(figure: attributes A_x, A_y and A_j over time; messages m1, m2, m3; steps 1, 2, 3)

Context - Profiling
(figure: #alerts (what) x1, x2, x3 per day (when) Mon, Tue, Wed and per user (where) A, B, C; y1, y2, y3; attribute A_j over time; messages m1, m2, m3; steps 1, 2, 3; attributes A_x, A_y)

Context - Conversations
(figure: conversations #1 and #2 as sequences of Read a.txt, Read b.txt, Open Valve, Close Valve)

Alerts, Messages, Attributes
Attribute widgets (y-axis maximum of #Messages):
Attribute              All traffic  Malicious
Frame.time_epoch       3121         883    (12)
Mbtcp.register_uint16  1785         400    (6)
Frame.protocols        8000         528    (3)
Second view adds #Alerts and SMB2.

Combining Results
Attributes, Profiles, Conversations, Context

Demo
open, overflow, close

Conclusions & Future Work
How does the approach scale in larger environments? WE NEED DATA!
Strengths
Both sequential exploration and multivariate analysis
Dynamic exploration, visual querying
Save intermediate results
Enrich data with new attributes
Expressive through interaction
Weaknesses
Familiarity over scalability

Combining Results
Alerts, Messages, Attributes
(figure: attribute widgets for Mbtcp.register_uint16, y-axis 0 to 400 and 0 to 1785 (6))

Thanks for your attention!
More Info: www.bramcappers.nl
Industrial Partners:
Project:

Weaknesses & Future Work
How does the approach scale in larger environments? WE NEED DATA!
Visualizations: Familiarity over scalability
Attribute widgets: Limited correlation discovery
Real-time capabilities?