Visualizing Cyber Crime

Contact: dr. ir. Bram Cappers [email protected]

Source: liacs.leidenuniv.nl/~takesfw/DSPM/cappers2020.pdf


Problem

Advanced Persistent Threats

• Infiltration
• Expansion
• Sabotage

• Espionage
• Disrupting services

How to detect APTs?

Analyze traffic content

Approach            #Attributes        #Protocols
Byte Analysis       1                  none
Flow Analysis       5-20               2 (TCP/IP)
Semantic Analysis   50-200/protocol    ≥ 3

How to obtain this data?

The data

PCAP → Wireshark Protocol Analyzer → Multivariate data

1.000 events/sec?

Interactive Visualization of Event Logs for Cybersecurity

The good: Events
The bad: outliers/Anomalies
The ugly: False alarm

1.000 alerts/day?

Anomaly Detection

Anomalies:
• Point
• Contextual
• Collective

[Figure: event sequence "A A B A A" (point anomaly)]

[Figure: sequences "A B A B A" shown per user (User 1, User 2), anomalies encoded by Shape and Color (contextual anomaly)]

[Figure: sequence "A B A B C B A" compared with the known pattern "A B C" (Knowledge; collective anomaly)]

© Eventpad 2017
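The three anomaly types listed above, worked through on small constructed event sequences in the style of the slides' "A A B A A" illustrations. This is an added example, not code from the slides or from Eventpad; the frequency threshold, the use of consecutive pairs as the "collective" unit, and the per-user sample data are assumptions chosen for illustration.

```python
from collections import Counter

# Constructed sample sequences (not taken from the slides): each letter is one
# event type, in time order.
POINT_SAMPLE = "AABAA"
PER_USER_SAMPLE = {"user1": "AAAAAAAAAB", "user2": "BABBABBBAB"}
BASELINE = ["ABABAB", "ABAB"]        # constructed "normal" history
COLLECTIVE_SAMPLE = "ABABBBAB"       # constructed sequence under test


def point_anomalies(seq, max_frac=0.25):
    """Point anomaly: an event whose type is rare over the whole sequence.
    Returns positions of events whose type makes up at most max_frac of all
    events (threshold is an assumption)."""
    counts = Counter(seq)
    n = len(seq)
    return [i for i, s in enumerate(seq) if counts[s] / n <= max_frac]


def contextual_anomalies(seqs_by_context, max_frac=0.25):
    """Contextual anomaly: an event type that is common in the data as a whole
    but rare within one context (here: one user). Returns {context: [positions]}
    for every context that contains such events."""
    all_events = "".join(seqs_by_context.values())
    global_counts = Counter(all_events)
    n_all = len(all_events)
    result = {}
    for ctx, seq in seqs_by_context.items():
        local = Counter(seq)
        n = len(seq)
        hits = [i for i, s in enumerate(seq)
                if local[s] / n <= max_frac and global_counts[s] / n_all > max_frac]
        if hits:
            result[ctx] = hits
    return result


def collective_anomalies(baseline_seqs, seq):
    """Collective anomaly: a stretch of events that are each common, but whose
    combination never occurs in the baseline. Consecutive pairs stand in for
    'combination'; returns (first, last) event positions of each run of pairs
    that the baseline has never shown."""
    seen = set()
    for b in baseline_seqs:
        seen.update(zip(b, b[1:]))
    spans, start = [], None
    for i, pair in enumerate(zip(seq, seq[1:])):
        if pair not in seen:
            if start is None:
                start = i
        elif start is not None:
            spans.append((start, i))   # unseen pairs start..i-1 cover events start..i
            start = None
    if start is not None:
        spans.append((start, len(seq) - 1))
    return spans


def known_pattern_positions(seq, pattern):
    """Knowledge-driven view: positions where a pattern the analyst already
    knows (e.g. "ABC") occurs in the sequence."""
    positions, i = [], seq.find(pattern)
    while i != -1:
        positions.append(i)
        i = seq.find(pattern, i + 1)
    return positions


if __name__ == "__main__":
    print("point:", point_anomalies(POINT_SAMPLE))                           # [2]
    print("contextual:", contextual_anomalies(PER_USER_SAMPLE))              # {'user1': [9]}
    print("collective:", collective_anomalies(BASELINE, COLLECTIVE_SAMPLE))  # [(3, 5)]
    print("known:", known_pattern_positions("ABABCBA", "ABC"))               # [2]
```

Note what each detector misses: the lone B in user1's history is not a point anomaly over the combined data (B is common overall), and the run "BBB" in `COLLECTIVE_SAMPLE` is invisible to `point_anomalies` (every B is common); only the context-aware and pair-based views surface them, which is the slide's point that a single detector is not enough.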

Artificial Intelligence is not a silver bullet

https://overons.kpn/en/news/2019/kpn-publishes-sixth-edition-of-the-european-cyber-security-perspectives

Why do we need visualization?

• Exploiting human cognition
• Incorporating domain knowledge
• Patterns and anomalies: Reality vs. Expectation
  e.g., Fraud detection, Security breach; e.g., Workflow optimization

Data Visualization: Not Just Static Images

Point anomalies, Contextual anomalies, Collective anomalies

Different Strategies

• Data-driven: What does the data want to be?
• Alert-driven: What does machine learning say?
• Knowledge-driven: Define what you know – Discover the unknown

Data-driven

[Figure: attribute ordering of events (Source: Bob, Time: 00:45, Type)]

DIFFERENT STRATEGIES

• Data-driven: What does the data look like?
• Alert-driven: What does machine learning say?
• Knowledge-driven: Define what you know – Discover the unknown

[Figure: timeline of messages between Bob and Alice]

[Figure: #Messages over Time, man-in-the-middle example; views: Attributes, Messages + Alerts, Network Overview, Filtering]

Motivation

• Machine learning is difficult
  • Time-consuming to set up
  • Complex to tune
  • Horrible to explain
• We need faster results!

Alternative Approach

Observe → Discover → Reverse Engineer

Event data

Time   Car-id  Type   Gate-name
00:43  262     4axle  Entrance1
01:03  262     4axle  General-gate1
01:06  262     4axle  Ranger-stop2
01:12  937     4axle  General-gate2
01:31  262     Car    Entrance3
01:53  937     4axle  Entrance2
01:56  937     Car    General-gate1
02:03  937     Car    Ranger-stop2
02:05  937     Car    General-gate2

Sequence analysis

[Figure: events E1 … E9 grouped into sequences (e.g. vehicle travel history)]

1. Rules: assign a label to each event (labels such as Ent, C, Call, Bye)
2. Aggregations: collapse repeated labels into counts
3. Selections: find sub-sequences that match a pattern (regular-expression style, e.g. "( … )*")

[Figure: a sequence of Ent and C labels with the rule, aggregation and selection steps applied in turn]
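The rules → aggregations → selections pipeline run over the vehicle event table shown above, as an added example that is not the slides' or Eventpad's own code. The event rows are copied from the table; the label names (Ent, G, R), the regex patterns and the type-change check are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Input copied from the event table on the slides (time, car-id, type,
# gate-name), one event per line.
EVENTS = """\
00:43 262 4axle Entrance1
01:03 262 4axle General-gate1
01:06 262 4axle Ranger-stop2
01:12 937 4axle General-gate2
01:31 262 Car Entrance3
01:53 937 4axle Entrance2
01:56 937 Car General-gate1
02:03 937 Car Ranger-stop2
02:05 937 Car General-gate2
"""


def parse_events(text):
    """Parse the whitespace-separated table into a list of event dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, car, typ, gate = line.split()
        rows.append({"time": time, "car": car, "type": typ, "gate": gate})
    return rows


def sequences_by_car(rows):
    """Group events into one time-ordered sequence per Car-id (the vehicle's
    travel history). Zero-padded HH:MM strings sort correctly as text."""
    seqs = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["time"]):
        seqs[r["car"]].append(r)
    return dict(seqs)


# 1. Rules: (predicate, label) pairs; the first matching rule labels the event.
#    The label names are assumptions, not taken from the slides.
RULES = [
    (lambda r: r["gate"].startswith("Entrance"), "Ent"),
    (lambda r: r["gate"].startswith("General-gate"), "G"),
    (lambda r: r["gate"].startswith("Ranger-stop"), "R"),
]


def label(r):
    for predicate, lab in RULES:
        if predicate(r):
            return lab
    return "?"


def label_sequence(rows):
    return " ".join(label(r) for r in rows)


# 2. Aggregations: collapse runs of identical labels into (label, count).
def aggregate(labels):
    out = []
    for lab in labels:
        if out and out[-1][0] == lab:
            out[-1] = (lab, out[-1][1] + 1)
        else:
            out.append((lab, 1))
    return out


# 3. Selections: keep the sequences whose label string matches a regex.
def select(seqs, pattern):
    rx = re.compile(pattern)
    return {car: label_sequence(rows) for car, rows in seqs.items()
            if rx.search(label_sequence(rows))}


def type_changes(seqs):
    """Extra check on the same data: a Car-id whose Type changes mid-history
    (in the table both vehicles switch from 4axle to Car)."""
    changes = {}
    for car, rows in seqs.items():
        types = []
        for r in rows:
            if not types or types[-1] != r["type"]:
                types.append(r["type"])
        if len(types) > 1:
            changes[car] = types
    return changes


if __name__ == "__main__":
    seqs = sequences_by_car(parse_events(EVENTS))
    for car, rows in seqs.items():
        print(car, label_sequence(rows), aggregate([label(r) for r in rows]))
    print("entered twice:", select(seqs, r"Ent.*Ent"))                 # car 262
    print("did not start at an entrance:", select(seqs, r"^(?!Ent)"))  # car 937
    print("type changed:", type_changes(seqs))
```

The selection step is where domain knowledge enters: the regex encodes what the analyst expects a legitimate travel history to look like, and the vehicles that fail it are the ones worth a closer look, which is the slides' "define what you know, discover the unknown" strategy in miniature.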

Demo

Why this is cool

• Efficient & Fast
  • Instant results (colors reveal patterns)
  • Suitable for Real-time analytics
• Plug and play
  • No complex configuration required, load the data and start playing!
• Feedback loop
  • Learn from automated methods, automated methods learn from you

• Illegal dumping in Wildlife Preserve
• Ransomware Reverse Engineering (94GB)
• VoIP Fraud detection (40.000.000 events)
• Bottlenecks in patient treatments (700.000 events)

A lot of impact

Traction

The End?

Life-cycle of a cyber threat

1. Steal
2. Call
3. +$$ -$$

The next steps

www.bramcappers.nl
www.analyzedata.com [email protected]

Prof. dr. Sandro Etalle, Security Group, [email protected]
Prof. dr. ir. Jack van Wijk, Data Visualization Group, Data Science Den [email protected]

In Summary

• Data analysis starts with understanding
  – Human experts are invaluable!
  – True value in data does not come for free.
• The solution is never “just A.I.”
  – There is no such thing as a “free lunch”
• It's not difficult to find anomalies. The challenge is finding the ones that matter the most

“Finding anomalies is not difficult. Finding the ones that matter is the challenge”

See patterns instantly

Eventpad

• Explore
  • Instant detection of (un)desired patterns
  • Discover unknown patterns with artificial intelligence
• Understand
  • Compare patterns to normal data
  • Create rules to detect them
• Prevent
  • Monitor your data with specialized rule sets