Fantastic Attacks and How Kalipso can find them
Kamila Babayeva babaykam@fel.cvut.cz, @_kamifai_ Sebastian Garcia sebastian.garcia@agent.fel.cvut.cz, @eldracote
What if you need to analyze a very large pcap to find if there was an infection?
What was helping the detection? Behavioral letters
Slips can identify some weird situations and alert you about them
Red Alerts
Dst ports
In "dst ports as a client" we can see a lot of bytes and packets going to a dst port.
Tuples with a strong periodicity.
Dst ips
In "dst IPs as a client" we can see a lot of connections to this IP on a weird port.
How does slips work?
Implement everything in modules as independent processes
Home net idea
Machine Learning for Network Detection. Backend
profiles
Profile per src IP. Computes all the features in the profile
directionality
Defines for which IPs it creates profiles.
Out: Only consider traffic going out of the profile.
All: Consider traffic in and out of the profile.
timewindows
Profiles and detections happen per time window (TW), because behaviors change over time.
modules
Modules: kalipso, Threat Intelligence, Portscan detection, geoip, ASN, timeline, Virus Total, whois, Anomaly detection, ml, C&C detection
kalipso's magic
Blessed-contrib: build terminal dashboards using ascii/ansi art and javascript. https://github.com/yaronn/blessed-contrib
Blessed library: a high-level terminal interface library for node.js. https://pypi.org/project/blessed/
redis: open source in-memory data structure store (in-memory key store).
nodejs: Node.js is an open-source, cross-platform, JavaScript runtime environment that executes JavaScript code outside of a browser.
redis example of entry
profile_10.0.0.1_timewindow1 (hash)
DstIPs: {'123.123.123.123': 1, '1.1.1.1': 3}
SrcIPs: {'2.2.2.2': 4}
Modified: True
OutTuples: {'3.3.3.3:80:tcp': ['98a,a,a,a,a,a', previous_time, T2, IPINFO]}
Detections: { [ ['Port Scan', 1, 0.5], ['Exploit', 0.3, 1] ] }
BlockRequest: True/False
DstPortsClientUDPEstablished: {80: {'totalbytes': 23, 'totalflows': 2, 'totalpkt': 4, 'dstips': {'3.4.5.6': 25, '6.6.6.6': 44}}}
DstPortsClientUDPNotEstablished: {80: {'totalbytes': 23, 'totalflows': 2, 'totalpkt': 4, 'dstips': {'1.1.1.1': 32, '2.2.2.2': 44, '3.3.3.3': 66}}}
DstPortsClientTCPEstablished: {80: {'totalbytes': 23, 'totalflows': 2, 'totalpkt': 4, 'dstips': {'1.1.1.1': 32, '2.2.2.2': 44, '3.3.3.3': 66}}}
DstPortsClientTCPNotEstablished: {80: {'totalbytes': 23, 'totalflows': 2, 'totalpkt': 4, 'dstips': {'1.1.1.1': 32, '2.2.2.2': 44, '3.3.3.3': 66}}}
DstPortsServerUDPEstablished: {80: {'totalbytes': 23, 'totalflows': 2, 'totalpkt': 4}}
SrcPortsClientUDPEstablished: {1234: {'totalbytes': 23, 'totalflows': 2, 'totalpkt': 4, 'dstips': {'1.1.1.1': 32, '2.2.2.2': 44, '3.3.3.3': 66}}}
kalipso
profiles
All profiles and all the time windows when this profile communicated. Detected profiles and time windows are highlighted in red.
timeline
A combined timeline of what happened and
DNS) has below its corresponding interpretation (Query:)
Clicking on an IP shows its timeline and the profiles tree.
Ip info
evidence
The evidence is generated by all detection modules. This is the supporting evidence for the detection.
hotkeys
Help on what you can do
E hotkey
Src ports when the IP of the profile acted as client. Separated into Established and Not Established histograms. Shows the amount of total flows, total packets and total bytes going through a specific source port.
C hotkey
Dst IPs when the IP of the profile acted as client. Separated into Established and Not Established histograms. Shows the amount of total flows, total packets and total bytes going to a specific dst IP.
p hotkey
Dst ports when the IP of the profile acted as client. Separated into Established and Not Established histograms. Shows the amount of total flows, total bytes and total packets going to a specific dst port.
Dst ports when the IP of the profile acted as client. Separated into Established and Not Established histograms. Shows the amount of connections to a dst IP on a specific port.
n hotkey
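As an added example (not Slips or Kalipso code), the following Python derives the per-port and per-IP views described for the p and C hotkeys from a hash shaped like the redis entry shown earlier, and applies the two "red alert" heuristics from the opening slides. It assumes each hash field holds its dict as a JSON string, and the thresholds and sample values are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed profile_10.0.0.1_timewindow1 hash, shaped like the redis entry
# on the slide. Assumption: each field stores its dict as a JSON string.
ENTRY = {
    "DstPortsClientTCPEstablished": json.dumps({
        "80": {"totalbytes": 23, "totalflows": 2, "totalpkt": 4,
               "dstips": {"1.1.1.1": 32, "2.2.2.2": 44, "3.3.3.3": 66}}}),
    "DstPortsClientTCPNotEstablished": json.dumps({
        "4444": {"totalbytes": 900000, "totalflows": 300, "totalpkt": 600,
                 "dstips": {"6.6.6.6": 300}}}),
    "DstPortsClientUDPEstablished": json.dumps({
        "80": {"totalbytes": 23, "totalflows": 2, "totalpkt": 4,
               "dstips": {"3.4.5.6": 25, "6.6.6.6": 44}}}),
}

# The four client-side dst port fields merged by the views below.
FIELDS = [f"DstPortsClient{p}{s}" for p in ("TCP", "UDP")
          for s in ("Established", "NotEstablished")]

def dst_port_histogram(entry):
    """Per dst port: total flows, packets and bytes (the 'p' hotkey view)."""
    ports = defaultdict(lambda: {"totalbytes": 0, "totalflows": 0, "totalpkt": 0})
    for field in FIELDS:
        for port, stats in json.loads(entry.get(field, "{}")).items():
            for k in ("totalbytes", "totalflows", "totalpkt"):
                ports[int(port)][k] += stats[k]
    return dict(ports)

def dst_ip_connections(entry):
    """Per dst IP: connection count per dst port (the 'C' hotkey view)."""
    ips = defaultdict(dict)
    for field in FIELDS:
        for port, stats in json.loads(entry.get(field, "{}")).items():
            for ip, n in stats["dstips"].items():
                ips[ip][int(port)] = ips[ip].get(int(port), 0) + n
    return dict(ips)

def red_alerts(entry, max_bytes=500_000, common_ports=(53, 80, 443), min_conns=100):
    """Assumed thresholds: a port carrying a lot of bytes, or an IP with many
    connections on a port outside the common set ('a weird port')."""
    alerts = []
    for port, s in dst_port_histogram(entry).items():
        if s["totalbytes"] > max_bytes:
            alerts.append(f"dst port {port}: {s['totalbytes']} bytes in {s['totalpkt']} packets")
    for ip, ports in dst_ip_connections(entry).items():
        for port, n in ports.items():
            if port not in common_ports and n >= min_conns:
                alerts.append(f"dst IP {ip}: {n} connections on unusual port {port}")
    return alerts
```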
Shows geolocations of all dst IPs to which the src IP of the profile connected during the time window.
m hotkey
H Hotkey
Out Tuples: behavioral letters about the out tuples 'IP-port-protocol', combined with ASN, geo country and VirusTotal summary.
Behavioral letters Outtuples
Group flows together.
Aggregation key is Src IP, Dst IP, Dst Port, Protocol.
For each flow compute duration, size, and periodicity.
Behavioral letters
Behavior in time
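As an added example (not the Stratosphere letter model itself), the following Python groups constructed flows by the aggregation key above and assigns one letter per flow from its periodicity, size and duration, keeping per-tuple state shaped like the OutTuples entry shown earlier (letters, previous_time, T2). The alphabet and the thresholds are assumed for illustration and are not Slips' real ones.

```python
from collections import defaultdict

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, proto, duration_s, bytes)
FLOWS = [
    (0.0,   "10.0.0.1", "3.3.3.3", 80, "tcp", 0.5, 1200),
    (60.0,  "10.0.0.1", "3.3.3.3", 80, "tcp", 0.4, 1150),
    (120.0, "10.0.0.1", "3.3.3.3", 80, "tcp", 0.5, 1300),
    (180.0, "10.0.0.1", "3.3.3.3", 80, "tcp", 0.6, 1250),
    (5.0,   "10.0.0.1", "1.1.1.1", 53, "udp", 0.01, 90),
    (7.0,   "10.0.0.1", "1.1.1.1", 53, "udp", 0.02, 120),
    (300.0, "10.0.0.1", "1.1.1.1", 53, "udp", 0.01, 80),
]

def periodicity(t1, t2):
    """Ratio of the last two inter-flow gaps: 1.0 is perfectly periodic, near 0 is not."""
    if not t1 or not t2:
        return 0.0
    return min(t1, t2) / max(t1, t2)

def letter(period, size, duration):
    """Assumed simplified alphabet: row = periodicity class, column = size class;
    uppercase marks a long flow. Not the real Slips alphabet."""
    rows = {"strong": "abc", "weak": "def", "none": "ghi"}
    row = "strong" if period >= 0.9 else "weak" if period >= 0.5 else "none"
    col = 0 if size < 100 else 1 if size < 1000 else 2
    ch = rows[row][col]
    return ch.upper() if duration > 0.5 else ch

def out_tuples(flows):
    """Group flows by src IP and 'dst:port:proto'; return per src IP the state
    key -> [letters, previous_time, T2], updated one flow at a time."""
    profiles = defaultdict(dict)
    for ts, src, dst, dport, proto, duration, size in sorted(flows):
        key = f"{dst}:{dport}:{proto}"
        letters, prev_time, t2 = profiles[src].get(key, ["", None, None])
        if prev_time is None:
            letters += "0"                  # first flow of the tuple: no gap yet
        else:
            t1, t2 = t2, ts - prev_time     # the old T2 becomes T1, new gap is T2
            # second flow has one gap but no ratio yet, so it also gets "0"
            letters += "0" if t1 is None else letter(periodicity(t1, t2), size, duration)
        profiles[src][key] = [letters, ts, t2]
    return dict(profiles)

if __name__ == "__main__":
    for src, tuples in out_tuples(FLOWS).items():
        print(src, tuples)
```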
Fake scroll
We implemented a fake scroll capability to deal with the limitations of the library.
https://github.com/stratosphereips/StratosphereLinuxIPS
CREDITS: This presentation template was created by Slidesgo, including icons by Flaticon, and infographics & images by Freepik. Please keep this slide for attribution.