How to detect APTs?
Analyze traffic content

Approach            #Attributes        #Protocols
Byte Analysis       1                  none
Flow Analysis       5-20               2 (TCP/IP)
Semantic Analysis   50-200/protocol    ≥ 3

How to obtain this data?
Interactive Visualization of Event Logs for Cybersecurity

1,000 events/sec? 1,000 alerts/day?
The good: events
The bad: outliers/anomalies
The ugly: false alarms

Anomalies:
• Point
• Contextual
• Collective
[Figure: event sequences of two users (A/B events), with event type encoded by shape and color]
© Eventpad 2017
Anomaly Detection
[Figure: an observed sequence A B A B C B A compared against the known pattern A B C]
Artificial Intelligence is not a silver bullet
https://overons.kpn/en/news/2019/kpn-publishes-sixth-edition-of-the-european-cyber-security-perspectives
Patterns and anomalies: Reality vs. Expectation
Anomalies: e.g., fraud detection, security breaches. Patterns: e.g., workflow optimization.
Data Visualization: Not Just Static Images
[Figure: examples of point anomalies, contextual anomalies and collective anomalies]
Different Strategies
• Data-driven: What does the data look like?
• Alert-driven: What does machine learning say?
• Knowledge-driven: Define what you know, discover the unknown
Motivation
• Machine learning is difficult
  • Time-consuming to set up
  • Complex to tune
  • Horrible to explain
• We need faster results!
Event data

Time   Car-id  Type   Gate-name
00:43  262     4axle  Entrance1
01:03  262     4axle  General-gate1
01:06  262     4axle  Ranger-stop2
01:12  937     4axle  General-gate2
01:31  262     Car    Entrance3
01:53  937     4axle  Entrance2
01:56  937     Car    General-gate1
02:03  937     Car    Ranger-stop2
02:05  937     Car    General-gate2
Sequence analysis
[Figure: events E1..E9 grouped into a sequence (e.g. a vehicle's travel history); the sequence is then processed in three steps]
1. Rules (map raw events to symbols such as Ent, C)
2. Aggregations (collapse repeated symbols)
3. Selections (Find: sub-sequences matching a pattern over the symbols)
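The three steps above, run over the nine rows of the slide's own event table, as an added example (this is illustration code, not Eventpad's implementation). The one-letter alphabet (E, G, R), the regex patterns and the three anomaly checks are assumptions chosen to show one point anomaly (a Car-id whose vehicle type changes), one contextual anomaly (a travel history that does not begin at an entrance) and one pattern selection (two entrances in one history):

```python
import re
from collections import defaultdict

# Constructed input: the nine rows of the "Event data" table on the slide.
EVENT_LOG = """\
00:43 262 4axle Entrance1
01:03 262 4axle General-gate1
01:06 262 4axle Ranger-stop2
01:12 937 4axle General-gate2
01:31 262 Car Entrance3
01:53 937 4axle Entrance2
01:56 937 Car General-gate1
02:03 937 Car Ranger-stop2
02:05 937 Car General-gate2
"""


def parse_events(text):
    """Split whitespace-separated rows into dicts (Time, Car-id, Type, Gate-name)."""
    rows = []
    for line in text.strip().splitlines():
        time, car, vtype, gate = line.split()
        rows.append({"time": time, "car": car, "type": vtype, "gate": gate})
    return rows


def build_sequences(events):
    """Group events per Car-id, keeping log (time) order: one sequence per vehicle."""
    seqs = defaultdict(list)
    for ev in events:
        seqs[ev["car"]].append(ev)
    return dict(seqs)


# Step 1: rules. Assumed symbol alphabet: E = Entrance, G = General-gate, R = Ranger-stop.
RULES = (("Entrance", "E"), ("General-gate", "G"), ("Ranger-stop", "R"))


def apply_rules(sequence):
    syms = []
    for ev in sequence:
        sym = next((s for prefix, s in RULES if ev["gate"].startswith(prefix)), "?")
        syms.append(sym)
    return "".join(syms)


# Step 2: aggregation. Collapse runs of the same symbol (EEGGR -> EGR).
def aggregate(symbols):
    return re.sub(r"(.)\1+", r"\1", symbols)


# Step 3: selection. A regex over the symbol string plays the role of "Find".
def select(symbols, pattern):
    return [m.group() for m in re.finditer(pattern, symbols)]


def find_anomalies(events):
    """Return {car_id: (aggregated symbol string, [flags])}."""
    findings = {}
    for car, seq in build_sequences(events).items():
        symbols = aggregate(apply_rules(seq))
        flags = []
        # Point anomaly: one Car-id should have one vehicle type; here it changes.
        types = sorted({ev["type"] for ev in seq})
        if len(types) > 1:
            flags.append("type-change:" + "/".join(types))
        # Contextual anomaly: the first recorded gate is not an entrance.
        if select(symbols, r"^[^E]"):
            flags.append("no-entrance-first")
        # Pattern selection: two entrance events in a single travel history.
        if select(symbols, r"E.*E"):
            flags.append("multiple-entrances")
        findings[car] = (symbols, flags)
    return findings


if __name__ == "__main__":
    for car, (symbols, flags) in find_anomalies(parse_events(EVENT_LOG)).items():
        print(car, symbols, flags)
```

On this input, car 262 reduces to `EGRE` and is flagged for a type change and for two entrances; car 937 reduces to `GEGRG` and is flagged for a type change and for starting at a general gate rather than an entrance. The rule table is the "knowledge-driven" part: changing the alphabet or the regex is all it takes to look for a different pattern.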
Why this is cool
• Efficient & fast: instant results (colors reveal patterns); suitable for real-time analytics
• Plug and play: no complex configuration required, load the data and start playing!
• Feedback loop: learn from automated methods, and automated methods learn from you
www.bramcappers.nl
www.analyzedata.com [email protected]
Prof. dr. Sandro Etalle, Security Group, [email protected]
Prof. dr. ir. Jack van Wijk, Data Visualization Group, Data Science Den [email protected]
In Summary
• Data analysis starts with understanding
  – Human experts are invaluable!
  – True value in data does not come for free.
• The solution is never "just A.I."
  – There is no such thing as a "free lunch"
• It's not difficult to find anomalies. The challenge is finding the ones that matter the most
Visualizing Cyber Crime
Contact: dr. ir. Bram Cappers [email protected]
"Finding anomalies is not difficult, finding the ones that matter is the challenge"