beacon detection in pcap files
play

Beacon detection in PCAP files Supervisor: Sjoerd Peerlkamp[Shell] - PowerPoint PPT Presentation

Sep 14, 2023 •24 likes •224 views

Beacon detection in PCAP files Supervisor: Sjoerd Peerlkamp[Shell] Leendert van Duijn Universiteit van Amsterdam - System and Network Engineering Leendert.vanduijn@os3.nl July 3, 2014 Leendert van Duijn (UvA-SNE) Beacon detection July 3,

  1. Beacon detection in PCAP files Supervisor: Sjoerd Peerlkamp[Shell] Leendert van Duijn Universiteit van Amsterdam - System and Network Engineering Leendert.vanduijn@os3.nl July 3, 2014 Leendert van Duijn (UvA-SNE) Beacon detection July 3, 2014 1 / 18

  2. Beacons What are they? Reoccurring automated messages What can they do? Reveal your location, Leak data, Get Bots configured to do damage Leendert van Duijn (UvA-SNE) Beacon detection July 3, 2014 2 / 18

  3. What sends beacons? Malware polling for instructions Botnet membership maintenance Periodic service checks, Nagios Periodic updates, your favorite software Visual feedback from network services Leendert van Duijn (UvA-SNE) Beacon detection July 3, 2014 3 / 18

  4. Related work ProVeX, deep packet inspection of Malware traffic, Rossow and Dietrich Detecting P2P Malware traffic based on regional periodicity, Qiao et al. Jackstraws, executable code analysis using behavior graphs, Jacob et al. Using host level intrusion detection to detect advanced persistent threats, Liang et al. Leendert van Duijn (UvA-SNE) Beacon detection July 3, 2014 4 / 18

  5. Data sets Sinkholing, reducing Malware impact by redirecting it Multiple days of traffic dumps available Diverse hosts, protocols and realistic data Not truly the native behaviour Leendert van Duijn (UvA-SNE) Beacon detection July 3, 2014 5 / 18

  6. Research questions Can traffic dumps be used to detect beacons produced by Malware? Can detection performance be improved by early classification? Is it possible to differentiate Malware in the presence of legitimate beacons? How can this be used in practice? Leendert van Duijn (UvA-SNE) Beacon detection July 3, 2014 6 / 18

  7. Detecting beacons Obtain a traffic dump with suspected beacon activity Separate packets into several classes of similar or related traffic Identify/prioritize suspect classes using prior knowledge or experience Look for local patterns within individual classes Export traffic per class to investigate with Wireshark Leendert van Duijn (UvA-SNE) Beacon detection July 3, 2014 7 / 18

  8. Classes Focus on relevance Capture anomalies Adjustable Leendert van Duijn (UvA-SNE) Beacon detection July 3, 2014 8 / 18

  9. Classes Focus on relevance Capture anomalies Adjustable Clustering using K means Clustering by tree building Rule based, user configurable classes Leendert van Duijn (UvA-SNE) Beacon detection July 3, 2014 8 / 18

  10. Classifiers Source IP address TCP Destination port Source and destination IP, protocol, length, entropy Leendert van Duijn (UvA-SNE) Beacon detection July 3, 2014 9 / 18

  11. Patterns Localized Generic Performance Leendert van Duijn (UvA-SNE) Beacon detection July 3, 2014 10 / 18

  12. Patterns Localized Generic Performance Histogram, activity over time Frequency analysis Auto correlation Leendert van Duijn (UvA-SNE) Beacon detection July 3, 2014 10 / 18

  13. Sinkhole, what hosts are beaconing? Classifier Source IP Packets 2.4M over 2 days Found classes 421 X axis Auto correlation over 1 window Y axis Sliding window in time from top to bottom Selection From the top 10 in number of packets Figure: Outgoing packets sinkhole, all protocols and destinations Leendert van Duijn (UvA-SNE) Beacon detection July 3, 2014 11 / 18

  14. Sinkhole, results Figure: TCP outgoing every 26 and 3 seconds respectively. Uniform traffic Leendert van Duijn (UvA-SNE) Beacon detection July 3, 2014 12 / 18

  15. Non Malware beacons Legitimate beacons can occur, what do they look like? Don’t websites autorefresh all the time? Does encryption hide beacons? Figure: An hour of HTTPS traffic while writing and browsing Leendert van Duijn (UvA-SNE) Beacon detection July 3, 2014 13 / 18

  16. Non Malware beacons - HTTP, SSH Figure: An hour of traffic, watching a movie, listing some files Leendert van Duijn (UvA-SNE) Beacon detection July 3, 2014 14 / 18

  17. Conclusion Can traffic dumps be used to detect beacons produced by Malware? It is possible to detect beacon traffic in packet dumps using auto correlation of the packet rate over time. Can detection performance be improved by early classification? Using classification or clustering can help in isolating streams/types of traffic, increasing the number of data sets to analyze in exchange for signal clarity. Is it possible to detect Malware in the presence of legitimate beacons? There are features which can be used to distinguish beacons from each other, packet rate, packet uniformity and presence in time. Leendert van Duijn (UvA-SNE) Beacon detection July 3, 2014 15 / 18

  18. Future work Define a scoring method for the Auto correlation waterfalls to automate potential hits Investigate parameter automation Go from audits to live analysis Investigate sparse data, methods of combining/splitting data with significant gaps. How does it handle noisy data, cloaked Malware and App traffic? Leendert van Duijn (UvA-SNE) Beacon detection July 3, 2014 16 / 18

  19. Questions? Leendert van Duijn (UvA-SNE) Beacon detection July 3, 2014 17 / 18

  20. References Gregoire Jacob, Ralf Hund, Christopher Kruegel, and Thorsten Holz. Jackstraws: Picking command and control connections from bot traffic. In Proceedings of the 20th USENIX Conference on Security , SEC’11, pages 29–29, Berkeley, CA, USA, 2011. USENIX Association. URL http://dl.acm.org/citation.cfm?id=2028067.2028096 . Yu Liang, Guojun Peng, Huanguo Zhang, and Ying Wang. An unknown trojan detection method based on software network behavior. Wuhan University Journal of Natural Sciences , 18(5):369–376, 2013. ISSN 1007-1202. doi: 10.1007/s11859-013-0944-6 . URL http://dx.doi.org/10.1007/s11859-013-0944-6 . Yong Qiao, Yuexiang Yang, Jie He, Chuan Tang, and Yingzhi Zeng. Detecting p2p bots by mining the regional periodicity. Journal of Zhejiang University - Science C , 14(9): 682–700, 2013. Christian Rossow and Christian J. Dietrich. ProVeX: Detecting Botnets with Encrypted Command and Control Channels. In Proceedings of the 10th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA) , July 2013. Leendert van Duijn (UvA-SNE) Beacon detection July 3, 2014 18 / 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Hunting beacons Bartosz Jerzman agenda Part I: HTTP beacon detection Part II: HTTPS beacon

Hunting beacons Bartosz Jerzman agenda Part I: HTTP beacon detection Part II: HTTPS beacon

Hunting beacons Bartosz Jerzman agenda Part I: HTTP beacon detection Part II: HTTPS beacon detection Part III: Lets hunt them early C2 scanning whoami Sysadmin and network defender for the Polish Navy Incident responder

720 views • 52 slides
Beacon Use, Issues and 406 MHz Beacon Registration Database Beacon Manufacturers Workshop 2016

Beacon Use, Issues and 406 MHz Beacon Registration Database Beacon Manufacturers Workshop 2016

Beacon Use, Issues and 406 MHz Beacon Registration Database Beacon Manufacturers Workshop 2016 Apurve Mathur ERT, Inc. Registration Database Lead False Alert Statistics 2 Non-Distress Beacon Counts 7,000 6,182 6,000 5,708 5,000 2012

365 views • 21 slides
ELIXIR Beacon Project 1 genomicsandhealth.org ELIXIR Beacon Project A Beacon is a discovery

ELIXIR Beacon Project 1 genomicsandhealth.org ELIXIR Beacon Project A Beacon is a discovery

ELIXIR Beacon Project 1 genomicsandhealth.org ELIXIR Beacon Project A Beacon is a discovery service for genetic variants Developing tools to make data discoverable Aiding data sharing Increasing efficiency in data access process

332 views • 10 slides
APLICATION OF BIOCHIP USING THE MOLECULAR BEACON PROBE IN BREAST CANCER GENE P53 DETECTION

APLICATION OF BIOCHIP USING THE MOLECULAR BEACON PROBE IN BREAST CANCER GENE P53 DETECTION

18 th INTERNATIONAL CONFERENCE ON COMPOSITE MATERIALS APLICATION OF BIOCHIP USING THE MOLECULAR BEACON PROBE IN BREAST CANCER GENE P53 DETECTION Ferdiansyah 1 , A. W. Ninggar 1* . 1 Department of Biochemistry, Bogor Agricultural University, Bogor,

190 views • 5 slides
Founders Academy at Beacon Charter School Background Beacon Charter School was founded in 2003

Founders Academy at Beacon Charter School Background Beacon Charter School was founded in 2003

Founders Academy at Beacon Charter School Background Beacon Charter School was founded in 2003 to offer high quality, arts-based curriculum to student artists in grades 9-12. Beacon has consistently ranked among the top schools in the state in

785 views • 16 slides
Second Generation Beacon (SGB) Update Beacon Manufacturers Workshop 2016 Dr. Sun Hur-Diaz

Second Generation Beacon (SGB) Update Beacon Manufacturers Workshop 2016 Dr. Sun Hur-Diaz

Second Generation Beacon (SGB) Update Beacon Manufacturers Workshop 2016 Dr. Sun Hur-Diaz NASA/Emergent Space Technologies ANGEL Project Lead Outline SGB Proof of Concept (POC) Testing Status Document Status SGB Specification (C/S

1.2k views • 9 slides
Network Telescopes: The FloCon Files There are "reseachers" seriously interested in

Network Telescopes: The FloCon Files There are "reseachers" seriously interested in

Flocon Stream of Conciousness Network Telescopes: The FloCon Files There are "reseachers" seriously interested in pieces of operational problems. anomaly detection, early worm detection flow aggregation, line-speed

259 views • 11 slides
Beacon City School District Reopening July 2020 Beacon Mission To prepare EVERY student for

Beacon City School District Reopening July 2020 Beacon Mission To prepare EVERY student for

Beacon City School District Reopening July 2020 Beacon Mission To prepare EVERY student for learning, life, and work beyond school. Beacon City School District - Mission and Belief Statements Meeting the challenge of preparing EVERY

585 views • 17 slides
Beacon Network Schools Innovation Zone Forming an Innovation Zone will allow Beacon Network

Beacon Network Schools Innovation Zone Forming an Innovation Zone will allow Beacon Network

Beacon Network Schools Innovation Zone Forming an Innovation Zone will allow Beacon Network Schools to realize their full potential in serving their students, while remaining contributing members of the Districts educational and financial

432 views • 19 slides
Beacon Charter High School for the Arts MISSION Beacon Charter High School for the Arts

Beacon Charter High School for the Arts MISSION Beacon Charter High School for the Arts

Introducing Beacon Charter High School for the Arts MISSION Beacon Charter High School for the Arts develops artistic thinkers by nurturing self-expression while preparing our graduates with the academic skills necessary for sustained

193 views • 15 slides
Should we the tunnels? Christopher Thornberg Founding Partner, Beacon Economics Beacon

Should we the tunnels? Christopher Thornberg Founding Partner, Beacon Economics Beacon

Analysis. Answers The Bay Delta Conservation Plan: Should we the tunnels? Christopher Thornberg Founding Partner, Beacon Economics Beacon Economics, LLC Analysis. Answers. Overview: Thinking about water

951 views • 39 slides
What is a Jar File? Java archive (jar) files are compressed files that can store one or many

What is a Jar File? Java archive (jar) files are compressed files that can store one or many

Creating Jar Files Based on slides by: Jin Hung, Gregory Olds, George Blank, Sun Java Web Site What is a Jar File? Java archive (jar) files are compressed files that can store one or many files. Jar files normally contain java or class

507 views • 19 slides
What is a Jar File? Java archive (jar) files are compressed files that can store one or many

What is a Jar File? Java archive (jar) files are compressed files that can store one or many

Creating Jar Files Based on slides by: Jin Hung, Gregory Olds, George Blank, Sun Java Web Site What is a Jar File? Java archive (jar) files are compressed files that can store one or many files. Jar files normally contain java or class

434 views • 22 slides
Beacon City School District Budget Presentation 2019-2020 Beacon Mission To prepare EVERY

Beacon City School District Budget Presentation 2019-2020 Beacon Mission To prepare EVERY

Beacon City School District Budget Presentation 2019-2020 Beacon Mission To prepare EVERY student for learning, life, and work beyond school. In pursuing this Mission, we believe: The diversity of our community is a strength In

558 views • 16 slides
Jordan G. Levine Economist & Director of Economic Research Beacon Economics, LLC Beacon

Jordan G. Levine Economist & Director of Economic Research Beacon Economics, LLC Beacon

Analysis. Answers Jordan G. Levine Economist & Director of Economic Research Beacon Economics, LLC Beacon Economics, LLC pg Analysis. Answers. Overview Los Angeles County is in an economic recovery o Cyclical issues are waning

960 views • 41 slides
NOAAs Beacon Registration Database (RGDB) SARSAT Beacon Manufacturers Workshop 2018 Apurve

NOAAs Beacon Registration Database (RGDB) SARSAT Beacon Manufacturers Workshop 2018 Apurve

NOAAs Beacon Registration Database (RGDB) SARSAT Beacon Manufacturers Workshop 2018 Apurve Mathur ERT, Inc. Registration Database Lead National Use Beacons When a US Government agency orders beacons, ask the buyer to contact NOAA to

456 views • 18 slides
Sliding Window Protocol Sliding window protocol: Stop & Wait: inefficient if a is

Sliding Window Protocol Sliding window protocol: Stop & Wait: inefficient if a is

Computer Networks Prof. Hema A Murthy Sliding Window Protocol Sliding window protocol: Stop & Wait: inefficient if a is large. Data: - stream of bulk data - data can be pipelined - transmit window of date - donot

1.71k views • 13 slides
EPL682 - PAPERS ---------- Re: CAPTCHAs Understanding CAPTCHA-Solving Services in an Economic

EPL682 - PAPERS ---------- Re: CAPTCHAs Understanding CAPTCHA-Solving Services in an Economic

EPL682 - PAPERS ---------- Re: CAPTCHAs Understanding CAPTCHA-Solving Services in an Economic Context I Am Robot: (Deep) Learning to Break Semantic Image CAPTCHAs Antreas Dionysiou - Department of Computer Science University of Cyprus

867 views • 39 slides
Panel on collaborative research methodology for large-scale computer systems Grigori Fursin

Panel on collaborative research methodology for large-scale computer systems Grigori Fursin

Panel on collaborative research methodology for large-scale computer systems Grigori Fursin EXADAPT/ASPLOS INRIA, France March 2012 Background 1993-1997 Semiconductor electronics, physics, neural networks First steps on auto-tuning and

950 views • 38 slides
Traction Getting Traction for (your) Open Source Projects Michael Boelen

Traction Getting Traction for (your) Open Source Projects Michael Boelen

Traction Getting Traction for (your) Open Source Projects Michael Boelen michael.boelen@cisofy.com T-DOSE 2016, 12 November (NLLGG track) Why? (developers) Promote your open source project Users Feedback Invisible benefits 2

674 views • 49 slides
Efficient Implementation of the Orlandi Protocol . Jakobsen 1 , Marc X. Makkes 2 , and Janus Dam

Efficient Implementation of the Orlandi Protocol . Jakobsen 1 , Marc X. Makkes 2 , and Janus Dam

What (is it all about?) Why (is the Orlandi protocol interesting?) How (did we make it practical?) Summary Efficient Implementation of the Orlandi Protocol . Jakobsen 1 , Marc X. Makkes 2 , and Janus Dam Thomas P Nielsen 1 1 The Alexandra

434 views • 30 slides
Energy Meter S/W features Mr. N.K. Bhati Yadav Measurements Pvt.Ltd. Udaipur , India 1 Power

Energy Meter S/W features Mr. N.K. Bhati Yadav Measurements Pvt.Ltd. Udaipur , India 1 Power

DRUM TRAINING PROGRAM A U.S. Agency for International Development (USAID) Funded Program Energy Meter S/W features Mr. N.K. Bhati Yadav Measurements Pvt.Ltd. Udaipur , India 1 Power Finance Corporation Ltd. (A Govt. of India

816 views • 78 slides
Algorithms and Applications for the Estimation of Stream Statistics in Networks Aviv Yehezkel

Algorithms and Applications for the Estimation of Stream Statistics in Networks Aviv Yehezkel

Algorithms and Applications for the Estimation of Stream Statistics in Networks Aviv Yehezkel Ph.D. Research Proposal Supervisor: Prof. Reuven Cohen Overview Motivation Introduction Cardinality Estimation Problem Weighted

1.78k views • 133 slides
Practical Guidance for Returning to the Office Presented by 1 Leadership & Staff

Practical Guidance for Returning to the Office Presented by 1 Leadership & Staff

Practical Guidance for Returning to the Office Presented by 1 Leadership & Staff Considerations Office Layout Solutions IT's Role In Return-To-Work Sonja Der Charles Atwell Mark Meszaros Bridge Performance Coaching Washington

619 views • 51 slides

More recommend