The Network Behavior of Targeted Attacks

Video in TIB AV-Portal: The Network Behavior of Targeted Attacks



Formal Metadata

The Network Behavior of Targeted Attacks
Models for Malware Identification and Detection
Alternative Title
The Stratosphere project
CC Attribution 3.0 Germany:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
The network patterns of targeted attacks are very different from those of usual malware because of the different goals of the attackers. Therefore, it is difficult to detect targeted attacks by looking for DNS anomalies, DGA traffic or HTTP patterns. However, our analysis of targeted attacks reveals novel patterns in their network communication. These patterns were incorporated into our Stratosphere IPS in order to model, identify and detect the traffic of targeted attacks. With this knowledge it is possible to alert on attacks in the network within a short time, independently of the malware used. The Stratosphere project analyzes the inherent patterns of malware actions in the network using machine learning. It uses Markov chain algorithms to find patterns that are independent of static features. These patterns are used to build behavioral models of malware actions that are later used to detect similar traffic in the network. The tool and datasets are freely published.

Transcript

Hi everyone. My name is Sebastián García and I'm going to talk about the network behavior of targeted attacks. In particular, we're going to model the traffic to identify it on the network, and this is part of the project that is called the Stratosphere IPS, which is the project I'm working on. So we're going to talk a little bit about how we are researching on detecting the malware in the network. We are using some machine learning tools and trying to see what's working and what's not working.

Who here in the audience is working on detecting malware, or any type of malware analysis? Anyone working with threat intelligence? No one? Anyone with specific APT attacks? Someone is focusing on APTs, just down there. OK. So actually we are working with a lot of malware analysis, but we like to focus on APTs for two reasons. I will speak now about the first reason and later about the second one.

The first reason, for me, is that with APTs the "advanced" part is not that advanced; it is about the persistence, and about the people behind it. The goal of the APT is very specific, right? When you are being attacked by someone, they know what they want to attack, they know what they want and how to get it. So this is not the usual malware that is sending spam or whatever; it's not about money, or usually not a lot of money. They're trying to get very specific information, and this makes it very, very difficult to detect. In fact they're not using such advanced tools. What they're doing is normal stuff: some phishing emails, very, very simple malware, a remote access tool, and it's working. If you know, a lot of people from Canada are researching this, and they found out that most of the time they're using very, very normal malware, and only once they are inside, and they are talking maybe to a command and control, do they change. So usually we are dealing with very simple stuff, but the problem is that it's very difficult to analyze.

So if you want to analyze all of this, you can get the malware and analyze it: you can open the binary. I'm not doing binary analysis; I like the network traffic. So how do you get the network traffic? OK, I can execute the malware, right? So I go there, I execute the malware, but what's the problem, what's the difficulty of executing this APT malware in my lab? It's not the same as... what do you think? I have the real malware, I'm executing it, it's connecting. I would say that the malware is running, everything is perfect. Why is it not the same? Well, the human factor: in fact I'm not the target. So they're not going to attack me as they are attacking somebody else. So it's very important to have this traffic, because I don't care about the packets; I don't care if the packet carries the information of type X. I want the behavior. I want the malware to say: OK, now go to the document files, now modify that, get a screenshot, do something with the keylogger. That's what I want, the behavior, and that's why it's so difficult to get this information.

So when we tried executing it, the first thing we found is that the lifetime of the campaign is very short. If you execute the malware like 20 days after it's been captured in a real environment, the infrastructure of the command and control is not working anymore, nobody is listening. So executing it is not so good for us. We can modify the malware: we get some normal malware, we modify it, we execute it and we attack ourselves. That is completely horrible, because I can attack myself, but we are not the real players here. So we need to get the best traffic we can, but if you are analyzing this type of malware this is an issue.

So this is the first reason why we decided to work with APTs: we like them because they are very specific, very difficult to detect, and they are quite simple. But if you want to detect them, imagine that you are going to defend a network. You have solutions in there, you have a lot of software; what are you doing really? I'm not talking about antivirus stuff, I'm talking about the network. So you're putting some firewalls, some IDSs, filtering; you start playing with indicators of compromise. You are registered in a lot of feeds, so you get all the information, a lot of domains, IP addresses, your feeds are coming and you're blocking, blocking, blocking, filtering. And also you have the fingerprints, so you have Snort; you cover all the attacks, not with fingerprints, but you're using fingerprints, you're using rules, you're capturing them, you're stopping them. And if this is not working, what do you have? Well, the latest of the tools we have is behavior, anomaly detection. So people are working on this anomaly detection. It's nice; nobody knows exactly what's going on, but hey, we have some behavior here.

So, is anyone using anomaly detection, in a product? No? We have one, and it's true that they exist, and it's working. The problem with anomaly detection is that for an anomaly you need to know what is normal. So you need the normal first and then you look for the anomaly. And how do you know what's normal? Because we as human beings, we change all the time: our traffic patterns, our ideas. So that's an issue: if you look at the network, what is normal is changing all the time, so you should adapt again and again, and then you detect some anomalies, and when you have enough anomalies it turns out that an anomaly is not an attack. That's something that people working with anomaly detection tend to forget: an anomaly is not an attack. So who is going to say if these anomalies are attacks? You need people there watching them, reviewing them, saying "OK, this is an anomaly, no, this is not, this is an attack". So it gets very, very complicated, and in the end you need people working on that.

So there are some issues here. The first issue we have is that the lifetime of the indicators of compromise is unknown. So you block some malicious domain; how long are you going to be looking for it? One day? One week? One month? One year? How long is this IP going to be in the list? Nobody knows. Well, somebody was analyzing this, but usually the information is not there. If you look at the analyses, some information is there for three months, and most of the malware domains are not working anymore in less than three days. So why be looking for three months? Nobody knows how to do this correctly. And of course, who is verifying? Who is verifying that the domains you are blocking are really malicious? Some people, I hope; I don't know. But if you go to one of those sites and you search for www.google.com and you say "hey, give me some indicators about that", you will find like 5,000 people saying this is malicious and you will find like 17 people saying this is normal. Such a thing is confusing, right? If you have an automatic tool working with this data you will have a lot of domains that are false positives and you are blocking them. So there are errors and verifications missing, and no one is looking at this right now.

Also, we have a huge, huge amount of information: one malware can generate thousands of domains and thousands of fingerprints, so you need to develop more and more and more every day, and actually you know what you're looking for but you don't know what you are not looking for; that's part of the game. Also this information is static: it's not changing, it's not evolving, it's not adapting. That's an issue. And finally, for the attacker it's very, very easy to adapt to these measures. The cost of adapting is not so much: change the domain again, regenerate the malware. I remember once reading about a malware author who was saying "I have something like 100 thousand bots and I can use that for sending spam", and some user was asking him "how are you sending the malware and checking that the malware is not already known?", and he said "I don't care. If you pay me I send one million emails, and you pay me; I don't care if the email is opened or not opened." They're making a lot of money and they have a lot of resources. So this is an issue: most of them don't care; they just get another domain, they regenerate the malware. It's costly, maybe, but it's not impossible. So we have this issue here, and with anomaly detection, like I told you, most of the time it's very, very difficult to know if it's working.

So what are we doing? What we are working on in the university is, instead of focusing on anomaly detection, focusing on the behavior of the malware traffic. So we go to the network and say: this is malware, I know it's malware because I'm analyzing it, and I want to learn which is the behavior of the malware in the network. That's what we're going to model. So the Stratosphere IPS project is the core of the project in the university, and I can say that it's the university that is working on it; you can find it online. These are the four pillars, or main ideas, of the project.

The first one is free software. Why do we want free software here? It's not because we love free software; we do, but it's not because of that. It's because we know the community is able to help, and we want the community to verify what we have: we need people checking, testing, and we need everyone's head. It's not working? You have errors in here? We can make it better, we can collaborate, and we cannot stop doing that. So free software is one. The second one is the focus on NGOs and civil society organizations. At some point we realized that the NGOs, the non-governmental organizations, are in a critical situation, because they don't have the resources to buy very complex tools for protection. They cannot buy from very large companies, but anyway they are being attacked by very, very powerful governments. For example, they worked with the Dalai Lama, who was attacked by China, a very, very powerful country, and they attacked him with success, right? It was completely successful. They don't have the resources, they don't have people monitoring, they cannot defend themselves. So we are focusing on the type of organizations that are very amazing targets for attackers but don't know how to defend themselves. The third pillar of the Stratosphere IPS project is machine learning and behavioral models. We want our research to be useful, so we want to actually go to the network and work there, and this is usually the issue with research: you are doing something, publishing papers, and when you try it in a real environment, maybe it's not working. And the last one is verification. We want this to be verified; we want to try as much as we can to see what's going on, how we are doing, whether it's working, whether it has errors, and why it has errors. So these are the four pillars of Stratosphere.

Now, how are we doing this, how are we working with machine learning on the traffic? We start with the idea of less is more. When you start working in machine learning you tend to work with a lot of features, and we are going to say no, we'll use less information. This is the first idea we are going to talk about. The second one is disassociation: we want to disassociate the models, and I want to show you that now. And the third one is verification. So less is more means we are analyzing the behavior of the connections, not the behavior of the host and not the behavior of the network. This means that if you go to the network, I don't care about the behavior of the three thousand hosts; I care about one single connection, and that's why we are able to create this behavioral model, because if you try to create a behavioral model of a whole computer it's very complex; the user is very complex. So we are not doing that. The second point is disassociation, and that means that the representation of the behavior in the network, how we look at the behavior, is separated from how we detect the behavior. Usually these are together, but we're separating them. And finally, verify the models with real data; we need the real data here.

So less is more means that when you connect to any other computer on the Internet, your behavior is the same. You go to Gmail and you are checking emails; the way you chat, the way you check Facebook, the way you use a web site, the way you use your bank account, is usually the same all the time, and this is going to identify your behavior. The second thing is that we group the flows, all the flows in the network going to a specific service, together. So imagine that you are going to Gmail's web server: we get all the packets and flows that you are sending to port 80 of Gmail and we say these are your connections, and we are going to analyze that. And finally, since the connection is composed of several flows, we can see the behavior there. In the case of the malware, and in the case of you when you are using, for example, any web page, you are going from one state to the other: chatting, not chatting, downloading stuff, not downloading stuff, putting information in a web page, not putting it, looking at a picture, taking a picture. You're jumping from state to state, and that's what we want to model. So each flow is going to get its own state in our model; I want to give you one state for each flow you have. And our model for the states is based on four features, and these are very simple: we are looking at the size of the flow, the duration of the flow, the periodicity of the flow and the time between flows. I'm not getting into the periodicity because it's quite an issue still to get that information, but you can see that this is very simple. Why are we using these? You can have very, very amazing features here, and the reason is that we tried those amazing features and they're not working; they're too complex. When the model is too complex and then you go and check, if the model is not working you don't know why, and when the model is working and detecting, you don't know why either. So at some point it's very, very difficult, and that's why we have these four features.

So what are we doing with these features? We are creating this table, a horrible table. The table is saying: OK, you got one flow, and the flow has a small size, and the duration of the flow is maybe medium, and the periodicity of the flow is weak, so I'll give you a capital B; or if the periodicity is weak and your size is medium and the duration is long, we give you another capital letter; or you have a weak periodicity or a strong periodicity. So we assign letters and numbers to each flow in the network based on these features. And finally we have some extra symbols here, like dot, comma, plus, star and 0, and they indicate the amount of time between the flows, because having a periodicity of 5 minutes is not the same as having a periodicity of 3 days; it's a completely different behavior, so we're trying to get this information here. And if the flow exceeds a timeout of one hour, we put a special symbol in there. So let me show you how we can look at the behavior.

So for example, look at these. Can we turn down the lights a bit? OK, it's horrible anyway. So each line here is a connection: one computer connected to another computer on some specific port, so each letter here identifies one flow. So here you can see that, for example, there is a connection to a DNS server, these red letters, and you see that there is no periodicity here, because the periodicity is between this one, and the other one, and the other one. So if you go to a lower case letter you're not periodic anymore. So if you look at these, this is a normal computer doing everyday tasks. If you look at this specific connection you will see that there is a very strange one, and you can see some clear periodicity here, and this is the Tor connection. So when you're using Tor you get some periodicity in there. Here you can see the letters, and as you can imagine most of the connections are just one or two flows, because it's a web page, then another web page; you are not accessing the same web page for hours. So let me show you another one. This is a malware that is going through, and we will use it later; you can see here that it is also connected to a lot of UDP and TCP connections, so this is not periodic, not periodic at all, and here we have some periodicity: I, comma, I, comma, I, comma, I. You can see a pattern here, right? This pattern is very, very characteristic of command and control. Here there is another command and control: this very periodic connection is going on and going on and going on. So this is one malware; this is a real execution. And the one I want to show you, for example, is the real execution of another malware; we executed it in our lab, and you can see here a lot of connections to port 80, and look at these: this is a command and control, but this one is not really; and this one, yes, this is; and this is not; and this is not periodic. So there are different command and controls, and each command and control has a different behavior, but actually we can know that this is this type of command and control, and this is another type. So this is how the letters look like.

I want to show you, for example, this one. This one is more difficult to see, but you know what it means: it's the traffic from your computers, so this is how the computers here are behaving, and you can see some people getting some UDP traffic, most of the people just connecting to web pages, and you can see that there are no periodicities, no command and control, nothing; it's behaving like something that looks normal. So this is a very easy way to look at a lot of traffic, for verification, but the tool is looking at it automatically, and you can see that there's nothing here that looks like a command and control of some attack or something like that. Of course we are not trying to detect a specific attack like going to a web page and exploiting it; that's not the point; for that you have antivirus, you have a lot of tools. We want to see what's going on in the network, we want to see if you are being attacked; that's why if you only have a very short time we are not going to get it. We want to see when you are being attacked, like an APT, and your documents are being exfiltrated, for example; this we can capture.

So let me show you the last one. This is a very large capture, like 25 days, and you can see a lot of traffic here. It's normal traffic, but you see strange stuff: you will see strange stuff like 0, 0, 0, some periodicity, but then this is not really a problem: this is a user connecting to Google. These are all IP addresses of users using Google for a lot of stuff, but you can see, if you remember the normal traffic, that even when you access Google your traffic does not look like this. So we can differentiate between your normal Google connection and someone who is abusing Google as a command and control, because this behavior is very periodic, extremely periodic; or even this one, which is periodic but we have 9 zeros, and that means 9 hours between two flows. So this is sending a flow, waiting 9 hours and sending another one, and we can capture this; you can see that pattern here and we can create a model from it.

So going back to the presentation: once we have these letters, what's going on with the behaviors here? This malware was generating the same behavioral patterns over and over again when it was connecting with a command and control. It's the same behavior; actually we can see when the command and control went down, because the malware keeps connecting but the behavior is different. So we can distinguish these situations. Also, changing the behavior is very costly for the attacker, because if you want to connect to all your bots at the same time, and you want to give orders at the same time, you need some type of synchronization there, and if you lose the synchronization it's more difficult for you; you cannot use all of them at the same time. So at some point you can change the periodicity, OK, and we can capture the change; but if you want to control your bots you need a command and control, and that's what is costly for the attacker. So these behaviors do not expire easily. Of course infections can go unnoticed for hours, so how much time do we need to wait for a detection in your network? You would say real-time detection; real time, I want to see the red light very, very quickly. But actually the computers can be infected for hours, days, months, and nobody is looking; and if I tell the team that the computer is infected, it's going to take hours. So there is enough time here to capture the behavior; we need the behavior to show itself many times. And finally, we collect both normal and malware behavior; we want both. We need to know what's normal and we need to know how malware looks like, and then we can implement this.

So how can we implement detection for this type of traffic? Remember the disassociation: that is how you look at the models; we are not detecting here, so far there is no machine learning. Now we want to implement the detection; how are we going to do that? So the Stratosphere project has implemented two models, and two more are in the works. I will talk about the first one, based on the interpretation of the transition from one letter to the other letter as a Markov chain. How are we doing this? This is very, very easy stuff actually. If you have a letter here, a comma, a comma, z, dot, we are looking at the transition from each letter to the next one, and we model it as a Markov chain. That means that you have a matrix here saying: OK, the probability to go from the letter a to the letter comma is 1, or 0.5; the probability from comma to z is 0.5, and like that for everything. So we learn these transition probabilities, we create a matrix, and the matrix can look like this; this is the same thing drawn as a diagram: from a to comma is 1, from comma to z is 0.5, from z to dot... So we can model how the transitions were in the original malware. And once we have these transitions, we create this Markov model of the known behavior: we can look at Zeus for a long time, or at another malware, and we can capture this behavior, we create the Markov chain, the matrix, everything we need, and we have the models.

Now that we have these models, I know what they are: this is a command and control, this is another command and control working, this is another type of attack. Now we can get unknown traffic from an unknown network and we can try to compare; the question is: which is the probability that this traffic was generated by this model? That's why we are using Markov chains: to say OK, the probability is actually very, very low; and which is the probability of being detected by the second model? And the third one, and then we choose: from all these models, including the normal ones, the probability that you were generated by the command and control model is the highest, so I would say that you are a command and control. This is how the detection works. It's not perfect, of course, but so far it's working.

So I want to show you some more stuff. The first thing I want to show you is how to see the difference between two models. I'll show you the difference between a model that is called Zeus, you see, various models, and a malware that is called Babylon. This second malware, Babylon, was created by some people sitting here in the audience, and thank you very much; you should go and talk to them later, because they created an amazing malware and they are trying to see how well the tools detect it. So this is amazing for us, because it's something that is very real, very difficult and very well done; most of the people trying to detect it on the computer are having a hard time, but we're going to see what we have here. So, how can we see the difference between Babylon and Zeus? I'm going to show you what happens if we compare the model of Babylon with the model of Zeus, and this is a comparison that says: OK, the distance between the Babylon model and the Zeus model is actually very close to 1 here; these are the first ten flows, and this means that they are quite similar: at the behavioral level Babylon is quite similar to Zeus. But if we keep looking at this, not ten flows but 30 flows, we can see here that it starts to change, starts to diverge; and if we want more flows, like 50 flows, it's more different, and with 100 flows it's more different. So every time we are putting in more flows we can see that the behavior between Babylon and Zeus starts diverging. This means that the early behavior of Babylon and Zeus is similar but later on in the network they grow apart. So we're trying to use the Zeus behavior that we have known for a long time to detect the Babylon traffic in the network.

So for doing that, I'll show you; I hope you can see something there. I'm going to run some experiments. This is the Stratosphere Testing Framework; it's one of the tools we have in the project for experimentation. So I'm going to run experiments and say: OK, use this Zeus model, get all the traffic from Babylon, and tell me how you are detecting it. When you run this, don't care about the description; it's saying: I'm going to separate the traffic into time slots, like 5 minutes, or 10 minutes, or 15 minutes, and in each of these slots I will tell you if the models are matched or not; I will tell you OK, yeah, I detected something, or I didn't detect anything. So there we go; perhaps I'll fast forward. You can see here that in the first time slot, I mean from 0 minutes to 5 minutes, you can see that there are some IP addresses in the traffic and there are no labels; that means that when I was looking at the traffic there was no indication that this matches a model
behavioral yeah it's just some but it's in there also we have them pretty nothing solid there are no detections no known trafficking there nothing happened so far in the 2nd in the 2nd time slot I'm sorry I use the blue to here that it's horrible from a design point of view I'm sorry but we have to be here in these blue restart it says baldness so it means that the bubble my work here it's using the site and we know it's survival using the command control and we would be labeled Baldwinian in there for sure this is about that were my work but we didn't detectives so our model another matching here so in the 1st 2 times that there no detections that's why this type of errors false negative because we we see we didn't capture but in the next time slot that means that 15 minutes later we were able to detect the bubble what led we've then z Use common confirm all so we have a true detection here we have a true positive this means that at this bond demolished much and we were able to capture it we will ever to detect the but if you keep looking the next the next time so that we did and that that it because you remember that I show you that the models were diverging them all that's a bit different from time to time so after some following this is not similar anymore but was not for detection okay so this 1 way that we can experiment with these at the end of the experiment you have what's being detected the knowledge you have all the fancy measures to both the red position on you you can have them all and and then you can see OK these these small enough for picture all we need more so the was an example of using um is
used smaller today for detection of babble they're all the models we try also we use the model called the of the
remember now was called glove broaden its focus on the another involvement that now and
that also was slated to detect bubble and then we can use now the bubble model for the of course if I'm using the above model for detecting bubble it we detected right about that's cheating because I don't know bubbling advanced I should find a bubble then Edward what using which of the 2 have that's why we are using the models are already in the database for detecting the new unknown traffic so I will continue with the presentation yes so we can see that the Sun's region models we can experiment it's OK use all these small those in traffic than you would find especially the the what and when you find and and this this is done by generalizing animals so I was speaking about here about some of the Markov chains models can be generalized in such a way that we are detecting similar traffic not exactly the same traffic right so I will not all
I want to say something here so we have here a here and the verification of usually everybody's Saskia OK and is it working or not it's like if you go to any anti-virus company or any protection company and say hey your approach is working on how the you know I don't know maybe yes maybe not it depends in and out of stuff this no easy answer here the sum of these thing you yeah our approach is working very very amazing I we got a lot because if I change the net work differentiation that if I change the timing if I change the normal people be change country yeah that picture is like have some issues for sure right that's why nothing is working sold so well so for us us it is very important the verification so yeah our among our money's working when with these datasets with these neighbors with these people with these traffic and these way of verifying because you remember I show you the experiment using 5 minutes time slot if you're using pending or using 1 hour the resource completely different if you're using 1 minute is completely different so also means how do you consider a detection successfully for example you have my word in there and you want to say yeah I can detect the what what kind of data can detect the whole traffic can detect each package as many issues as they know well each bucket maybe not OK can each for each connection each IP others what what can you detect so the depends how do you call detections and then you have the final statistics and yeah would have a false positive rate or F-measure of 99 . 
9 9 9 9 per cent right so be very careful with the people is giving you this type of results and say yes it's amazing on on it's not working maybe these so we are say depends on the dataset the time frame and the verification method and that's why we are using and we are punishing of reaction that said of my word traffic you can find in there for facial stratosphere ideas built or you can go there and they saw that said you can know the Internet of in neighbors in there you can ask questions ask for new that the sets or whatever because we need these to to be very right and having my where that is it is very very difficult but having normal but as it is far more difficult bonding that said we have about by normal ones who can have a traffic there with the labels that saying yes these these normal so we are doing these things very slowly we are going to any in computer and checking that is normal OK show me the computer yeah you're not afraid that you're not doing something stupid you not the parking or whatever so the OK this is normal traffic so we are refining host by host and that's why solely for them for us this traffic and some finally we want to compare approaches what what other tools are doing with this that said what the detecting what they're not detecting and this is very very important for predicting the performance so I would stop here and I wanna say that had been behavior for us our very very important and we think that this type of work using machine learning and efficient engine on behavior it's going to be there was very good to use in the future so all that seats and that's the way pitch of a depression if you wanna go sorry the people upstairs you know what making stratosphere ideas that or and that's it so any questions of have we DO OK so the question was what traffic like streaming or computer games and this is a very nice question because this is specific to a type of traffic can be very very tricky right for example you have issues with 
planning protocols BBNs not when you have like 1 thousand computer behind 1 or even with deionized that just this simple model of the NIST imagine these during a computer using DNS traffic right normally because you're normally I whole people doing north south and then you're infected and the traffic of the analysis makes your traffic under my work traffic he's mixing 1 connection also you have 2 different behaviors generating similar mandates under the and it would distinguish so so far or the gaming we song on this training we can differentiate for example our worst enemy I would say is there online music like online radios this type of web sites and generating a pair of that it's very hard to distinguish from all of my work so we have to be very careful with the smaller that's why we are training them on to each model we can put it as a mother some thresholds spheres in a pretty small these very good these mothers not so so when we are using a we know what where to draw the line OK OK on the data with the smaller so much because it's much the false positive for example right and then there's the other part of the question is that in the future what we're going to do is that we're going to get all the behaviors of your computer and we're going to take a decision based on all of them so I don't care if you're doing something money issues where 1 and only if I do also doing something normal I'm idea of doing something like common control like how is the behavior all you computed at the same time so that's there there for differentiating these very we're protocols and by their treaty to sorry and another thing related with this is that when my worst starts starts mimicking their normal behavior of of the people that's why it's very difficult to to detect the the the what our servers known of so far I have to say that if you care about OK the the question is will be in the sense I don't care that people don't care so much mean tag because you have you have a lot of 
way of stopping . back on the issue that you cannot detect when you walk from their attack successfully and you are sending information and you are communicating so when that that was successful so that's why we want to detect when that that was successful and nobody's detecting non anti-virus modifier will another addiction and you know what and so that's in the place that we want to say OK we can think about right the rest of that that we to firewall or all of that and say here's another question there needs to know the people that memory this lines of western OK thing to worry much and enjoy the rest of the conference
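The Markov-chain modelling and the per-time-slot verification described in the talk, as an added example that is not code from the talk or from the Stratosphere project: it learns first-order transition matrices from strings of behavioral letters, scores unknown letters against every model (including a "normal" one) and picks the most likely, then counts true/false positives and negatives over time slots. The alphabet, the additive smoothing, and every sample string and slot are constructed assumptions, not the project's real letter encoding or its datasets.

```python
# Added example, not the Stratosphere project's own code: first-order Markov
# chains over behavioral letter strings, plus a per-time-slot verification.
# The alphabet, the smoothing and every sample string below are constructed
# assumptions, not the project's real letter encoding or datasets.
import math
from collections import defaultdict

# Constructed alphabet: a few flow letters, ',' as a separator and '0' standing
# for roughly one hour of silence between two flows (so nine '0's = nine hours).
ALPHABET = "abcABC,.+*0"


class LetterMarkovModel:
    """First-order Markov chain learned from one string of behavioral letters."""

    def __init__(self, name, alphabet=ALPHABET, alpha=0.5):
        self.name = name
        self.alphabet = sorted(set(alphabet))
        # Additive smoothing so an unseen transition is unlikely, not impossible;
        # alpha=0 gives the raw transition frequencies from the talk's diagram.
        self.alpha = alpha
        self.counts = defaultdict(lambda: defaultdict(int))

    def train(self, letters):
        # Count every transition from one letter to the next one.
        for prev, nxt in zip(letters, letters[1:]):
            self.counts[prev][nxt] += 1
        return self

    def transition_prob(self, prev, nxt):
        row = self.counts.get(prev, {})
        total = sum(row.values())
        denom = total + self.alpha * len(self.alphabet)
        if denom == 0:
            return 0.0  # letter never seen and no smoothing: no information
        return (row.get(nxt, 0) + self.alpha) / denom

    def matrix(self):
        """The transition matrix the talk draws as a diagram (rounded for display)."""
        return {a: {b: round(self.transition_prob(a, b), 3) for b in self.alphabet}
                for a in self.alphabet}

    def log_likelihood(self, letters):
        """Log-probability that this model generated the given letters."""
        total = 0.0
        for prev, nxt in zip(letters, letters[1:]):
            p = self.transition_prob(prev, nxt)
            if p == 0.0:
                return float("-inf")
            total += math.log(p)
        return total


def classify(models, letters):
    """Detection step: the model most likely to have generated the unknown letters."""
    scores = {m.name: m.log_likelihood(letters) for m in models}
    return max(scores, key=scores.get), scores


def evaluate_slots(models, slots):
    """Per-time-slot verification: a slot is flagged when its best model is not
    'normal'; the ground-truth label decides whether that is a TP, FP, FN or TN."""
    result = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for _slot, letters, truth in slots:
        flagged = classify(models, letters)[0] != "normal"
        is_malware = truth != "normal"
        if flagged:
            result["tp" if is_malware else "fp"] += 1
        else:
            result["fn" if is_malware else "tn"] += 1
    return result


# Constructed training strings (assumptions): a beaconing C&C that sends the
# same flow every time, a "sleeper" that waits nine hours between flows, and
# irregular normal traffic built from two browsing-like chunks.
CNC_TRAIN = "a,a,a,a,a,a,a,a,a,a,a,a"
SLEEPER_TRAIN = "A000000000A000000000A000000000A"
_BROWSE, _UPDATE = "b.c+B*a.c,", "c*b.C+a,"
NORMAL_TRAIN = _BROWSE * 2 + _UPDATE + _BROWSE + _UPDATE + _BROWSE


def build_models():
    return [
        LetterMarkovModel("cnc").train(CNC_TRAIN),
        LetterMarkovModel("sleeper").train(SLEEPER_TRAIN),
        LetterMarkovModel("normal").train(NORMAL_TRAIN),
    ]


# Constructed time slots (assumptions): (slot, letters seen in it, ground truth).
SLOTS = [
    ("0-5 min", "b.c+B*a.c,", "malware"),      # early flows look like browsing: missed
    ("5-10 min", "c*b.C+a,", "normal"),        # clean host: correctly left alone
    ("10-15 min", "a,a,a,a,a,", "malware"),    # beaconing starts: matches the cnc model
    ("15-20 min", "A000000000A0", "malware"),  # long sleeps: matches the sleeper model
]

if __name__ == "__main__":
    models = build_models()
    for letters in ("a,a,a,a,a,", "b.c+B*a.c,", "A000000000A0"):
        best, scores = classify(models, letters)
        print(f"{letters!r:16} -> {best:8} {scores}")
    print(evaluate_slots(models, SLOTS))
```

With `alpha=0` the matrix reproduces the talk's raw frequencies (from 'a' to comma is exactly 1 for the beacon string), but any transition the training never saw then has probability zero and the unknown traffic gets a log-likelihood of minus infinity; the small smoothing is what lets a model still rank traffic that is merely similar, which is the generalization the talk mentions. The first slot is a false negative for the same reason the talk's first two slots were: the early flows still look like the normal model.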