Fantastic Attacks and How Kalipso can find them Kamila Babayeva - PowerPoint PPT Presentation

Fantastic Attacks and How Kalipso can find them Kamila Babayeva Sebastian Garcia babaykam@fel.cvut.cz, @_kamifai_ sebastian.garcia@agent.fel.cvut.cz, @eldracote

What if you need to analyze a very large pcap to find if there was an infection?

A real android infection Kalipso demo

What was helping the detection? Red Alerts Dst ports Dst ips Behavioral letters Slips can identify In “dst ports as a In “dst IPs as a some weird situations client” we can see client” we can Tuples with a and alert you about a lot of bytes and see a lot of strong them packets going to a connections to periodicity dst port this IP in a weird port

How does slips idea timewindows work? Machine Learning for Profiles and detections Network Detection. happen in TW. Behaviors Backend change. Home net directionality Defines for which IPs it Out: Only consider traffic going out of the profile creates profiles All: Consider traffic in and out of the profile profiles modules Profile per src IP. Computes Implement everything in all the features in the profile modules as independent processes

Modules Threat Intelligence ASN Anomaly detection ml C&C detection kalipso geoip timeline Portscan detection Virus total whois

directionality

directionality

directionality

directionality

kalipso

kalipso’s magic nodejs Node.js is an open-source, cross-platform, JavaScript runtime environment that executes JavaScript code outside of a Blessed library browser. A high-level terminal interface library for node.js https://pypi.org/project/blessed/ redis Open source in-memory data structure store Blessed-contrib Build terminal dashboards using ascii/ansi art and javascript https://github.com/yaronn/blessed-contrib

Blessed library

Blessed-contrib library

kalipso’s magic In-memory key store

redis example of entry profile_10.0.0.1_timewindow1 (hash) DstIPs : {123.123.123.123: 1, '1.1.1.1':3} SrcIPs : {'2.2.2.2':4} Modified : True OutTuples : {'3.3.3.3:80:tcp': ['98a,a,a,a,a,a', previous_time, T2, IPINFO]} Detections : { [ ['Port Scan',1,0.5], ['Exploit', 0.3, 1] ]} BlockRequest : True/False DstPortsClientUDPEstablished : {80: {'totalbytes': 23, 'totalflows': 2, 'totalpkt': 4, 'dstips': {'3.4.5.6':25 ,'6.6.6.6':44}}} DstPortsClientUDPNotEstablished : {80: {'totalbytes': 23, 'totalflows': 2, 'totalpkt': 4, 'dstips': {'1.1.1.1':32 ,'2.2.2.2':44 ,'3.3.3.3': 66}}} DstPortsClientTCPEstablished : {80: {'totalbytes': 23, 'totalflows': 2, 'totalpkt': 4, 'dstips': {'1.1.1.1':32 ,'2.2.2.2':44 ,'3.3.3.3': 66}}} DstPortsClientTCPNotEstablished : {80: {'totalbytes': 23, 'totalflows': 2, 'totalpkt': 4, 'dstips': {'1.1.1.1':32 ,'2.2.2.2':44 ,'3.3.3.3': 66} }} DstPortsServerUDPEstablished : {80: {'totalbytes': 23, 'totalflows': 2, 'totalpkt': 4}} SrcPortsClientUDPEstablished : {1234: {'totalbytes': 23, 'totalflows': 2, 'totalpkt': 4, 'dstips': {'1.1.1.1':32 ,'2.2.2.2':44 ,'3.3.3.3': 66}}}

kalipso profiles All profiles and all the time windows when this profile communicated. Detected profiles and time windows are highlighted in red.

kalipso timeline A combined timeline of what happened and when. Based on Zeek files. Each main line (e.g DNS) has below its corresponding interpretation (Query:)

kalipso Ip info Clicking on a IP shows its information. Both in the timeline and the profiles tree.

kalipso evidence The evidence is generated by all detection modules. This is the supporting evidence for the detection.

kalipso hotkeys Help on what you can do

kalipso E hotkey Src ports when the IP of the profile acted as client. Separated in Established and Not Established histograms. Shows the amount of total flows, total packets and total bytes going in a specific source port.

kalipso C hotkey Dst IPs when the IP of the profiles acted as client. Separated in Established and Not Established histograms. Shows the amount of total flows, total packets and total bytes going to a specific dst IP.

kalipso p hotkey Dst ports when the IP of the profile acted as client. Separated in Established and Not Established histograms. Shows the amount of total flows, total bytes and total packets going to a specific dst port.

kalipso n hotkey Dst Ports when the IP of the profile acted as client. Separated in Established and not Established histograms. Shows the amount of connections to a dst IP on a specific port .

kalipso m hotkey Shows geolocations of all dst IPs to which the src IP of the profile connected to during the time window.

kalipso H Hotkey Out Tuples Behavioral letters about the out tuples ‘IP-port-protocol’ combined together with ASN, geo country and Virus Total summary

Behavioral letters Outtuples Group flows together Aggregation key is Src IP Dst IP Dst Port Protocol For each flow compute duration, size, and periodicity.

Behavioral letters Behavior in time

kalipso Fake scroll We implemented a fake scroll capability to deal with the limitations of the library.

Installation https://github.com/stratosphereips/StratosphereLinuxIPS

THANK YOU! Kamila Babayeva Sebastian Garcia babaykam@fel.cvut.cz, sebastian.garcia@agent. @_kamifai_ fel.cvut.cz, @eldracote CREDITS: This presentation template was created by Slidesgo, including icons by Flaticon, and infographics & images by Freepik. Please keep this slide for attribution.