PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection, Traffic Analysis, and Beyond

Presented at Black Hat USA 2017, July 26, 2017, 10:30 a.m. (25 minutes).

Distributed denial of service (DDoS) attacks are a constant problem for network operators today. Thanks to the low cost of entry, high effectiveness, and the difficulty of filtering such attacks out of inbound network traffic, DDoS attacks are relatively common and difficult to mitigate. Recent discoveries regarding the conformity of network traffic to certain power law distributions, namely Benford's and Zipf's laws, have allowed us to develop a new method of denial of service detection based entirely on packet header inspection. Power law distributions are fascinating artifacts of natural processes, with applications found anywhere from word counts in books to the numbers appearing in bank statements. Our research detects DDoS attacks by using such distributions to identify strongly unnatural network traffic scenarios from minimal metadata. This, however, is not the whole story. The potential of power laws in intrusion detection is largely unresearched, and they could be applied to more general anomaly-based IDS purposes. They can even be used to filter for denial of service packets in live streams of data. What makes power laws both fascinating and interesting is their inbuilt "resistance" to attempts to tamper with or subvert the data analysis: to hide, an attacker has to reshape the distribution of header values across many packets, not just the contents of individual ones. Given the low computational cost of power law processing and this inherent resistance to tampering, power law distributions make excellent tools for cyber defense, especially in the areas of DoS and intrusion detection. In this talk, we will introduce and discuss the significance and power of power law distributions, how they relate to computers, and how this can be used to develop new anomaly detection systems.
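To make the detection idea concrete, here is an added worked example (not code from the PEIMA talk or from the presenter) of a Benford first-digit test applied to a stream of packet header values. It scores fixed-size windows of IP total-length values against Benford's expected first-digit distribution with a chi-square statistic and flags windows that deviate. The choice of header field, the log-uniform model used to construct "benign" traffic, the constant-size flood, and the alert threshold are all assumptions made for the example, not results from the talk.

```python
"""Added example: Benford first-digit test over a stream of packet header values.

Not the PEIMA implementation. The header field (IP total length), the benign
traffic model, the flood model and the alert threshold are assumptions.
"""
import math
import random
from collections import Counter
from typing import Iterable, List, Optional

# Benford's law: P(first digit = d) = log10(1 + 1/d) for d = 1..9.
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Chi-square critical value for 8 degrees of freedom at p = 0.001.
# Assumed alert threshold; a deployment would tune this per link.
ALERT_THRESHOLD = 26.12


def leading_digit(value: int) -> Optional[int]:
    """Most significant decimal digit of a positive integer; None for zero or negatives."""
    if value <= 0:
        return None
    return int(str(value)[0])


def benford_chi_square(values: Iterable[int]) -> float:
    """Pearson chi-square of observed first-digit counts against Benford's expectation.

    A perfectly Benford-conforming sample scores near the 8-dof mean (about 8);
    a flood of identical header values scores in the thousands.
    """
    counts = Counter(d for d in map(leading_digit, values) if d is not None)
    n = sum(counts.values())
    if n == 0:
        return 0.0
    return sum((counts[d] - n * BENFORD[d]) ** 2 / (n * BENFORD[d]) for d in range(1, 10))


def flagged_windows(values: List[int], window: int) -> List[int]:
    """Score consecutive non-overlapping windows of a live stream; return indices over threshold."""
    scores = [benford_chi_square(values[i:i + window]) for i in range(0, len(values), window)]
    return [i for i, score in enumerate(scores) if score > ALERT_THRESHOLD]


def benign_lengths(n: int, seed: int = 1) -> List[int]:
    """Constructed stand-in for mixed traffic: total lengths spread log-uniformly over 10..10000.

    Values with equal density in log space across whole decades follow Benford's law
    exactly in expectation. This is a modelling assumption, not captured traffic.
    """
    rng = random.Random(seed)
    return [round(10 ** rng.uniform(1, 4)) for _ in range(n)]


def flood_lengths(n: int, size: int = 1500) -> List[int]:
    """Constructed volumetric flood: every packet carries the same total length."""
    return [size] * n


if __name__ == "__main__":
    # Constructed stream: 3000 benign packets, a 1000-packet flood, then 1000 benign packets.
    stream = benign_lengths(3000) + flood_lengths(1000) + benign_lengths(1000, seed=2)
    for start in range(0, len(stream), 1000):
        print(f"window {start // 1000}: chi2 = {benford_chi_square(stream[start:start + 1000]):.1f}")
    print("flagged windows:", flagged_windows(stream, 1000))
```

Only the first digit of each header value is inspected, so the check needs no payload and costs one table lookup plus a counter increment per packet. The caveat a practitioner should keep in mind is that this is a single-field test: a flood whose header values are deliberately drawn from a Benford-conforming distribution would pass it, which is why scoring several independent header fields, rather than one, is the sensible deployment.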

Presenters:

  • Stefan Prandl - Mr, Curtin University
    Stefan Prandl is a student working on his PhD at Curtin University, focusing on information security, specifically statistical methods of detecting anomalous behavior on networks. When he's not staring at pcap files, he's teaching at Curtin, playing hacking wargames or CTFs for fun, or trying to explain to his less tech-savvy friends what it is he actually does.
