SCEADAN Systematic Classification Engine for Advanced Data ANalysis



Similar documents
SCEADAN Systematic Classification Engine for Advanced Data ANalysis

Insider Threat Detection

DETECTING THREATENING INSIDERS WITH LIGHTWEIGHT MEDIA FORENSICS

Personal Security Practices of the CAO

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

A Review on Network Intrusion Detection System Using Open Source Snort

Firewall Testing Methodology W H I T E P A P E R

Clavister InSight TM. Protecting Values

Step into the Future: HTML5 and its Impact on SSL VPNs

Firewalls & Intrusion Detection

IDS / IPS. James E. Thiel S.W.A.T.

RIA SECURITY TECHNOLOGY

Presenting Mongoose A New Approach to Traffic Capture (patent pending) presented by Ron McLeod and Ashraf Abu Sharekh January 2013

KEITH LEHNERT AND ERIC FRIEDRICH

Tk20 Network Infrastructure

Anti-Spam Filter Based on Naïve Bayes, SVM, and KNN model

Network Based Intrusion Detection Using Honey pot Deception

Firewalls Overview and Best Practices. White Paper

SIPAC. Signals and Data Identification, Processing, Analysis, and Classification

Network- vs. Host-based Intrusion Detection

Suricata IDS. What is it and how to enable it

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

BREAKING THE KILL CHAIN AN EARLY WARNING SYSTEM FOR ADVANCED THREAT

Are Second Generation Firewalls Good for Industrial Control Systems?

BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation

Using Remote Desktop Clients

Sophistication of attacks will keep improving, especially APT and zero-day exploits

How To Protect Your Network From Attack From A Virus And Attack From Your Network (D-Link)

Observation and Findings

MEASURING WORKLOAD PERFORMANCE IS THE INFRASTRUCTURE A PROBLEM?

CHANGING THE SECURITY MONITORING STATUS QUO Solving SIEM problems with RSA Security Analytics

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0

Splunk Enterprise Log Management Role Supporting the ISO Framework EXECUTIVE BRIEF

Next Generation IPS and Reputation Services

An Oracle White Paper July Oracle Primavera Contract Management, Business Intelligence Publisher Edition-Sizing Guide

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

NetDefend Firewall UTM Services

CUTTING THROUGH THE HYPE: WHAT IS TRUE NEXT GENERATION SECURITY?

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

An Oracle White Paper September Advanced Java Diagnostics and Monitoring Without Performance Overhead

Streamlined Malware Incident Response with EnCase

SecureDoc Disk Encryption Cryptographic Engine

Secure Cloud-Ready Data Centers Juniper Networks

Application of Data Mining based Malicious Code Detection Techniques for Detecting new Spyware

Network Intrusion Detection Systems. Beyond packet filtering

SANS Top 20 Critical Controls for Effective Cyber Defense

Endpoint Threat Detection without the Pain

Digital Identity & Authentication Directions Biometric Applications Who is doing what? Academia, Industry, Government

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Cyber Innovation and Research Consortium

WhatWorks in Detecting and Blocking Advanced Threats:

Intrusion Defense Firewall

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

IDS Categories. Sensor Types Host-based (HIDS) sensors collect data from hosts for

CHAPTER 1 INTRODUCTION

Agenda , Palo Alto Networks. Confidential and Proprietary.

Nessus and Antivirus. January 31, 2014 (Revision 4)

Unknown threats in Sweden. Study publication August 27, 2014

INTRUSION DETECTION SYSTEMS and Network Security

FleetNet Fleet Manager Quick Reference Guide. FleetNet Fleet Manager Quick Reference Guide

Security Awareness Program Learning Objectives. By Aron Warren Last Update 6/29/2012

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

UNMASKCONTENT: THE CASE STUDY

Guide to Computer Forensics and Investigations, Second Edition

Network Monitoring for Cyber Security

74% 96 Action Items. Compliance

McAfee Server Security

Practical Threat Intelligence. with Bromium LAVA

CSCI 4250/6250 Fall 2015 Computer and Networks Security

Cloud Server. Parallels. Key Features and Benefits. White Paper.

Remote Services. Managing Open Systems with Remote Services

Traffic Monitoring : Experience

my forecasted needs. The constraint of asymmetrical processing was offset two ways. The first was by configuring the SAN and all hosts to utilize

The Sophos Security Heartbeat:

On-Premises DDoS Mitigation for the Enterprise

Attack and Defense Techniques 2

Detecting Threats in Network Security by Analyzing Network Packets using Wireshark

Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst

High End Information Security Services

Performance Testing Process A Whitepaper

How to Defend Yourself Against Spyware Attack

Intrusion Detection. Jeffrey J.P. Tsai. Imperial College Press. A Machine Learning Approach. Zhenwei Yu. University of Illinois, Chicago, USA

Privacy Scrubber: Means to Obfuscate Personal Data from Benign Application Leakage

Did you know your security solution can help with PCI compliance too?

LoadRunner and Performance Center v11.52 Technical Awareness Webinar Training

Anomaly Management using Complex Event Processing. Bastian Hoßbach and Bernhard Seeger

A Review of Open Source Tools to Detect and Prevent DoS Attack

Cyber Defense Operations Graduate Certificate

COMP3420: Advanced Databases and Data Mining. Classification and prediction: Introduction and Decision Tree Induction

Transcription:

SCEADAN Systematic Classification Engine for Advanced Data ANalysis Nicole Beebe, Ph.D. The University of Texas at San Antonio Dept. of Information Systems & Cyber Security

Caveats Funding sources NPS Grant No. N00244 11 1 0011 NPS Grant No. N00244 13 1 0027 UTSA Provost s Summer Research Mentorship Program Disclaimer Any opinions, findings, and conclusions or recommendations expressed in this publication are those of the author(s) and do not necessarily reflect the views of the Naval Postgraduate School

Data/File Type Determination Challenging on fragments (non-header) and files without accurate signatures/extensions o o o Poor prediction accuracies in large multi-class situations No useful tools available after 10 years of research by field Significant scalability and speed issues

Use Cases Digital forensics Focus investigative efforts (e.g. search hit ranking feature) Triage and disk profiling Fragment identification/isolation, file recovery/reassembly Intrusion detection Overcome signature based obfuscation techniques Anomaly detection Context triggered indication & warning (e.g. payload vs. protocol), as opposed to traffic based, bursty anomaly detection Exfiltration, extrusion detection (profiling)

More Use Cases Firewalls Content based blocking Malware Detection: Content based malware, virus detection Analysis: Mapping binary objects Steganalysis Detecting statistically abnormal file types due to content Isolating stegged data within binary objects

Byte Frequency Distributions n gram Analysis: Unigram = 1 byte 256 features \x00, \x01 \xff Bi gram = 2 bytes 65,536 features \x0000, \x0001, \xffff and there are nonngram features too Images from Amirani et al. (2012)

Tool Developed: Sceadan Naïve statistical classifier Classifies independent of signatures, extension, file system data Uses N gram features Can use complexity based measures Prediction via support vector machines

True Positive Prediction Rates in our Experiments Type Ext Rate % Delimited.csv 100 JSON records.json 100 Base64 encoding.b64 100 Base85 encoding.a85 100 Hex encoding.urlenc 100 Postscript.ps 100 Log files.log 99 CSS.css 99 Plain text.text,.txt 98 XML.xml 98 FS-EXT.ext3 97 Java Source Code.java 97 JavaScript code.js 95 Bi-tonal images.tif,.tiff 95 HTML.html 91 GIF.gif 86 MS-XLS.xls 84 MP3.mp3 84 Bitmap.bmp 83 AVI.avi 78 JPG.jpg 76 BZ2.bz2 72 H264.mp4 72 FS-NTFS.ntfs 71 Type Ext Rate % AAC.m4a 69 MS-DOCX.docx 62 WMV.wmv 59 PDF.pdf 54 MS-DOC.doc 53 MS-XLSX.xlsx 50 FLV.flv,.FLV 44 ZLIB DEFLATE.gz 29 Portable Network Graphic.png 28 FS-FAT.fat 25 MS-PPTX.pptx 21 ZLIB - DEFLATE.zip 20 MS-PPT.ppt 14 ENCRYPTED N/A 13 Average Sceadan prediction accuracy: 71.5% (NOTE: Later modeling netted 73.5% accuracy) Random chance classification: 1/40 = 2.5% Train/Test: 60%:40% (million fragment sample)

Sceadan Performance Relative to Others 100% 90% Higher Accuracy But Few Classes Prediction Accuracy 80% 70% 60% 50% 40% 30% Typical Accuracy Degradation As Multi-Class Challenge Increases Sceadan v1.0 73.5% Accuracy* 40 Classes NOTE: 9 lowest performing types are significantly under-researched classes (e.g. Office2010, FS data) 20% 10% 0% 0 5 10 15 20 25 30 35 40 Number of Classes Predicted by Classifier *Additional model training has improved classifier accuracy from 71.5% to 73.5%

Latest Sceadan developments (2014) Autotools integration Ability to write LibSVM compliant vectors to output Model building capability Some model tuning automaticity still being integrated Significant speed improvements From ~ 1sec per prediction to 100X faster Due to multi threading, in memory/compiled in model Sub block classification capability

Miscellaneous Copyright: University of Texas at San Antonio License: GPLv2 Written in C Linux CLI based To obtain: github.com/nbeebe/sceadan

On going and Future Development Plans scan_sceadan plugin in bulk_extractor Hierarchical model based classification Reduced feature set support for fast file type ID Integration of statistical and semantic classifiers Network protocol support

Nicole.Beebe@utsa.edu (210) 458 8040 (210) 269 5647 (Cell) COMMENTS / QUESTIONS?

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information