ManaTI: Web Assistance for the Threat Analyst, supported by Domain Similarity - PowerPoint PPT Presentation



SLIDE 1

ManaTI

Web Assistance for the Threat Analyst, supported by Domain Similarity

Raúl Benítez Netto, raulbeni@gmail.com, @Piuliss
Sebastián García, sebastian.garcia@agents.fel.cvut.cz, @eldracote
Czech Technical University in Prague

https://github.com/stratosphereips/Manati

SLIDE 2

Stratosphere Project

A free software Intrusion Prevention System. Free protection for NGOs.
Stratosphere Data Analysis Project

https://stratosphereips.org/

Security and Machine Learning

@stratosphereips

@StratosphereIPS

SLIDE 3

What and why?

ManaTI is a web-based system to analyze, store and organize weblogs faster in a threat analysis team.

SLIDE 4

ManaTI Purpose

ManaTI assists threat analysis teams in making their work faster and more effective.

SLIDE 5

Raúl Benítez Netto

- Master's student at CTU
- Member of the Stratosphere Project
- Web/app developer focused on the cyber-security environment
- Photography aficionado
- raulbeni@gmail.com, @Piuliss

SLIDE 6

Sebastián García

- Founder of the Stratosphere Project
- Creator of Stratosphere IPS
- Researcher on cybersecurity using machine learning
- eldraco@gmail.com, @eldracote

SLIDE 7

Basic knowledge

- Weblogs
- WHOIS information
- IoCs (Indicators of Compromise)

SLIDE 8

Analysis of Malware Behavior in the Network

The art of understanding the traces of the malware in the network logs.

SLIDE 9

Malware Traces

Records of the connections that malware makes to reach its C&C.

SLIDE 10

Threat Analyst work

- Open weblogs, filter and search
- Consult reputation indicator databases
- Identify patterns
- Identify malware
- Write the incident report
- Label IoCs

SLIDE 11

Tools used by Threat Analysts

- Log viewers: Log Parser, Apache Log Viewer, LogExpert
- Terminal/console: vim/vi, wc (word count), awk, grep
- Big data analysis: splunk.com

SLIDE 12

Problems in Threat Analysis

- Huge amount of data
- Labeling data
- Repetitive tasks
- Much knowledge lost over time
- It is difficult and tiresome

SLIDE 13

ManaTI principles

https://github.com/stratosphereips/Manati

- Fast!
- Provide assistance
- Storage
- Work in teams
- GUI: web
- Machine learning algorithm
- API: class interface

SLIDE 14

ManaTI Workflow

SLIDE 15

ManaTI basic features and usability

SLIDE 16

Analysis Sessions and Multi-users

SLIDE 17

Basic Interface

GUI to visualise weblog files. Basic table to paginate, filter and search weblog data.

SLIDE 18

Demo Basic Dynamic Table

SLIDE 19

Weblogs Labelling

It is the basic and most important action for a malware behavior analyst: detecting malicious IoCs.
SLIDE 20

Demo - Weblog labeling

SLIDE 21

Exporting Dynamic Table

SLIDE 22

Comments

SLIDE 23

History of changes

SLIDE 24

Third-party intelligence tools

Threat analysts often use several external services to look up IoCs.

SLIDE 25

Statistics and Metrics

See the performance progress of the user in real time.

SLIDE 26

External Modules

ManaTI allows analysts to create their own scripts and modules to increase the number of labels or weblogs analyzed in a period of time
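As an added example (not code from the ManaTI project), a minimal labelling module of the kind this slide describes: it parses a constructed tab-separated weblog, labels each record by matching its host and destination IP against a constructed IoC list (exact domain or any subdomain, exact IP or CIDR block), records why each label was given, and summarises the result. The log format, the IoC values and the label names "Malicious"/"Normal" are this example's own choices; all IPs are from RFC 5737 documentation ranges and all hosts use the reserved .example TLD.

```python
"""Minimal weblog labelling module, in the spirit of ManaTI's external modules.

Added example: not code from the ManaTI project. The log format, the IoC
values and the label names are constructed for this demonstration.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Label names are this example's choice, not ManaTI's.
LABEL_MALICIOUS = "Malicious"
LABEL_NORMAL = "Normal"

# Constructed sample weblog: one tab-separated record per line with the fields
# ts, src_ip, dst_ip, host, method, uri. One deliberately malformed line is
# included to show that bad input is counted, not silently dropped.
SAMPLE_WEBLOG = """\
1462300000.1\t10.0.0.5\t198.51.100.10\twww.shop.example\tGET\t/index.html
1462300002.7\t10.0.0.5\t203.0.113.77\tupdate.bad-cnc.example\tPOST\t/gate.php
this line is not a weblog record
1462300003.9\t10.0.0.8\t198.51.100.9\tcdn.assets.example\tGET\t/lib.js
1462300004.2\t10.0.0.8\t203.0.113.78\tmirror.bad-cnc.example\tGET\t/config
1462300005.0\t10.0.0.9\t192.0.2.45\tlogin.corp.example\tGET\t/
"""

# Constructed IoC list: a domain (matched together with all its subdomains),
# an exact IP and a CIDR block.
IOC_DOMAINS = {"bad-cnc.example"}
IOC_IPS = {"203.0.113.77"}
IOC_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass(frozen=True)
class WeblogEntry:
    ts: float
    src_ip: str
    dst_ip: str
    host: str
    method: str
    uri: str


def parse_weblog(text: str) -> Tuple[List[WeblogEntry], int]:
    """Parse the sample format; return the records and the count of malformed lines skipped."""
    entries: List[WeblogEntry] = []
    skipped = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            skipped += 1
            continue
        try:
            entries.append(WeblogEntry(float(fields[0]), *fields[1:]))
        except ValueError:  # non-numeric timestamp
            skipped += 1
    return entries, skipped


def domain_matches(host: str, ioc_domains: Iterable[str]) -> Optional[str]:
    """Return the IoC domain that host equals or is a subdomain of, else None.

    The comparison is label-aware: "notbad-cnc.example" must not match "bad-cnc.example".
    """
    host = host.lower().rstrip(".")
    for ioc in ioc_domains:
        ioc = ioc.lower().rstrip(".")
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def ip_matches(ip: str, ioc_ips: Iterable[str], ioc_networks: Iterable) -> Optional[str]:
    """Return the IoC IP or network that ip falls in, else None (also for unparsable input)."""
    if ip in ioc_ips:
        return ip
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net in ioc_networks:
        if addr in net:
            return str(net)
    return None


def label_entry(entry: WeblogEntry, ioc_domains=IOC_DOMAINS, ioc_ips=IOC_IPS,
                ioc_networks=IOC_NETWORKS) -> Tuple[str, str]:
    """Label one record and explain why, so the analyst can review the decision."""
    hit = domain_matches(entry.host, ioc_domains)
    if hit:
        return LABEL_MALICIOUS, f"host {entry.host} matches IoC domain {hit}"
    hit = ip_matches(entry.dst_ip, ioc_ips, ioc_networks)
    if hit:
        return LABEL_MALICIOUS, f"dst_ip {entry.dst_ip} matches IoC {hit}"
    return LABEL_NORMAL, "no IoC match"


def label_weblog(text: str) -> Tuple[List[Tuple[WeblogEntry, str, str]], int]:
    """Parse and label a whole weblog; returns (labelled records, malformed lines skipped)."""
    entries, skipped = parse_weblog(text)
    return [(e, *label_entry(e)) for e in entries], skipped


def summarize(labelled) -> dict:
    """Count records per label (the kind of per-session metric a statistics view reports)."""
    return dict(Counter(label for _, label, _ in labelled))


if __name__ == "__main__":
    labelled, skipped = label_weblog(SAMPLE_WEBLOG)
    for entry, label, reason in labelled:
        print(f"{label:9} {entry.host:24} {entry.dst_ip:14} {reason}")
    print(f"summary: {summarize(labelled)}, malformed lines skipped: {skipped}")
```

On the constructed sample, the two records to bad-cnc.example hosts are labelled by the domain rule (the second one only because subdomain matching is applied), the record to 192.0.2.45 by the CIDR rule, and the malformed line is reported in the skipped count rather than lost; keeping the reason string next to each label is what lets a second analyst review the decision later.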

SLIDE 27

Sync with Database - Merging Labels

Weblog Merging Labels

SLIDE 28

WHOIS Similarity Distance Algorithm

How similar are two domains?

WHOIS field         Domain A                Domain B                   Distance
registrar's name    MARKMONITOR INC.        MARKMONITOR IN             0.0
contact's name      DNS Admin               Domain Administrator       13.0
org.'s name         Google Inc.             Facebook, Inc.             8.0
contact's emails    dns-admin@google.com    [domain@fb.com]            11.0
zip code            94043                   94025                      2.0
domain's name       google.com              facebook.com               8.0
duration in days    8401                    10229                      0.82
servers' names      [ns1.google.com, ...]   [a.ns.facebook.com, ...]   11.0

SLIDE 29

WHOIS Similarity Distance Algorithm

SLIDE 30

https://github.com/stratosphereips/whois-similarity-distance

How to determine if two domains are related? Machine learning?

WHOIS Similarity Distance Algorithm
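As an added example (not code from the whois-similarity-distance repository or from the ManaTI project), the per-field step of the algorithm as slides 28 to 30 present it: one distance per WHOIS field of two domains, collected into a vector. The page does not state the per-field metric; this example assumes plain case-sensitive Levenshtein distance for the string fields and the shorter/longer ratio for the registration duration, and with those two assumptions it reproduces the figures in the slide's table (13.0, 8.0, 11.0, 2.0, 8.0 and 0.82). The slide's registrar row shows 0.0 for "MARKMONITOR INC." against "MARKMONITOR IN", which Levenshtein gives only for identical strings, so the example treats the second value as a truncation in the slide text and uses identical registrar strings; the list-valued name-server field is left out. The record layout and the handling of empty fields are this example's own choices.

```python
"""Per-field WHOIS distances, reproducing the figures in the slide's table.

Added example: not code from the whois-similarity-distance repository. It
assumes (1) plain case-sensitive Levenshtein distance for the string fields and
(2) the ratio shorter/longer for "duration in days"; both assumptions reproduce
the slide's numbers. The registrar strings are taken as identical (see the
lead-in). List-valued fields such as name servers are not covered.
"""
from dataclasses import dataclass
from typing import Dict, Optional


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute each cost 1), two-row DP."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def duration_ratio(days_a: int, days_b: int) -> float:
    """shorter/longer registration duration, rounded as on the slide (8401 vs 10229 -> 0.82)."""
    if days_a <= 0 or days_b <= 0:
        return 0.0
    return round(min(days_a, days_b) / max(days_a, days_b), 2)


@dataclass(frozen=True)
class WhoisRecord:
    domain: str
    registrar: str
    contact_name: str
    org_name: str
    contact_email: str
    zip_code: str
    duration_days: int


STRING_FIELDS = ("registrar", "contact_name", "org_name", "contact_email", "zip_code", "domain")


def whois_distance_vector(a: WhoisRecord, b: WhoisRecord) -> Dict[str, Optional[float]]:
    """One distance per WHOIS field.

    A field that is empty on either side (common in real WHOIS data) is reported
    as None, i.e. not comparable, rather than as a large distance; that choice is
    this example's, not the repository's.
    """
    vec: Dict[str, Optional[float]] = {}
    for field in STRING_FIELDS:
        va, vb = getattr(a, field), getattr(b, field)
        vec[field] = float(levenshtein(va, vb)) if va and vb else None
    vec["duration_days"] = duration_ratio(a.duration_days, b.duration_days)
    return vec


# Constructed records carrying the values shown on the slide.
GOOGLE = WhoisRecord("google.com", "MARKMONITOR INC.", "DNS Admin", "Google Inc.",
                     "dns-admin@google.com", "94043", 8401)
FACEBOOK = WhoisRecord("facebook.com", "MARKMONITOR INC.", "Domain Administrator",
                       "Facebook, Inc.", "domain@fb.com", "94025", 10229)


if __name__ == "__main__":
    for field, dist in whois_distance_vector(GOOGLE, FACEBOOK).items():
        print(f"{field:14} {dist}")
```

The slide asks whether machine learning should answer "are these two domains related?"; the vector produced above is the input such a classifier would consume, and that final decision step is not shown here. Note that raw Levenshtein values are not comparable across fields (a zip code can differ by at most 5, an e-mail address by far more), which is one reason a learned combination rather than a plain sum is attractive.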

SLIDE 31

ManaTI Contributions

- All-in-one with web interface
- A scalable and extensible backend server
- A novel WHOIS distance measure
- Verification of performance improvements

SLIDE 32

Future of ManaTI

- Improving WHOIS Similarity Distance
- IoC labeling
- Import/export of labelled IoCs
- Integration with Stratosphere IPS
- Add more types of files
- Malware detection
- Active learning
- Community ideas

SLIDE 33

Conclusion

ManaTI is a novel tool to facilitate the work. It:

- is highly functional
- is scalable
- is user-friendly
- can increase the weblog labelling speed by 3.4x
- is open source!

SLIDE 34

Thank you!

Raúl Benítez Netto, raulbeni@gmail.com, @Piuliss
Sebastián García, sebastian.garcia@agents.fel.cvut.cz, @eldracote

ManaTI Project

https://github.com/stratosphereips/Manati

benitrau@fit.cvut.cz