Anomaly Detection of Host Roles in Computer Networks

Presented at DeepSec 2018 „I like to mov &6974,%bx“.

Detecting malware infections is one of the most challenging tasks in modern computer security. Although tools such as Snort, Bro and Suricata can help analysts with this task, the truth is that most of the analysis is still done by hand. Most automation focuses on organizing and visualizing data, not on detection. When machine learning is used for detection, the most common approach in security companies is to run an anomaly detection algorithm as a first layer and then complement its results with a classification algorithm. An anomaly detection method models normal traffic and then looks for deviations from that model. Although widely used, anomaly detection techniques usually come with problems of their own, such as the difficulty of obtaining labels for proper validation and a large number of false positives. We propose and describe a new user-profile-based method to detect anomalous changes in the network behavior of users. The profiles have multiple features that describe a wide range of user actions from different perspectives in the network. Each profile encapsulates what the user did during a period of time. Compared to other feature-based anomaly detectors, our profiles offer a higher-level view of the behaviors. Since the datasets used for training and evaluating a method are very important, we created our own complex datasets of malware attacks. Our datasets contain the real, normal actions of a human user while that user is infected with real malware. Our anomaly detection method was trained on these datasets using our own assigned labels. These datasets are the first of their kind and are available for download. Results show that our method can accurately detect attacks (anomalies recognized as attacks) while keeping a very low false positive rate. Although it does not find every anomaly, our method shows that it is possible to detect almost all malware infections within a short time period.
We also tested our algorithm for monitoring IoT devices, such as cameras, and were able to recognize unauthorized login attacks. We believe our method offers the community an advanced technique and tool to deploy in their own networks. The complete detection method and dataset are freely available for download.
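To make the profile-per-time-window idea in the abstract concrete, here is an added illustration that is not the talk's or Stratosphere's code: constructed flow records are aggregated into one profile per (host, window), a model of normal is fit on windows assumed to carry an analyst's "normal" label, and a window is flagged when any of its features moves far from that model. The flow format, the four features, the labels and the threshold are all assumptions made for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev
# Constructed flows, not the talk's dataset: (window, host, dst ip, dst port, bytes out, login failed?)
FLOWS = [
    ("w1", "desk-1", "10.0.0.5", 443, 4000, False),
    ("w1", "desk-1", "10.0.0.7", 443, 3500, False),
    ("w1", "desk-1", "10.0.0.9", 53, 200, False),
    ("w2", "desk-1", "10.0.0.5", 443, 4200, False),
    ("w2", "desk-1", "10.0.0.9", 53, 180, False),
    ("w3", "desk-1", "10.0.0.7", 443, 3900, False),
    ("w4", "desk-1", "10.0.0.5", 443, 4100, False),
    # window w4 also contains a burst of failed SSH logins to 40 previously unseen addresses
    *[("w4", "desk-1", f"10.0.1.{i}", 22, 90, True) for i in range(1, 41)],
]
NORMAL = [("desk-1", "w1"), ("desk-1", "w2"), ("desk-1", "w3")]  # assumed analyst labels
FEATURES = ("dst_ips", "dst_ports", "bytes_out", "failed_logins")

def build_profiles(flows):
    """One feature vector per (host, window): what the host did during that period."""
    acc = defaultdict(lambda: {"ips": set(), "ports": set(), "bytes": 0, "fails": 0})
    for window, host, ip, port, nbytes, failed in flows:
        p = acc[(host, window)]
        p["ips"].add(ip); p["ports"].add(port); p["bytes"] += nbytes; p["fails"] += failed
    return {k: {"dst_ips": len(p["ips"]), "dst_ports": len(p["ports"]),
                "bytes_out": p["bytes"], "failed_logins": p["fails"]} for k, p in acc.items()}

def fit_baseline(profiles, normal_keys):
    """Model of normal behaviour: per-feature mean and spread over the normal windows."""
    return {f: (mean(profiles[k][f] for k in normal_keys),
                pstdev(profiles[k][f] for k in normal_keys)) for f in FEATURES}

def zscores(profile, baseline):
    """Deviation per feature in standard deviations; zero spread in normal means any change is infinite."""
    out = {}
    for f, (mu, sigma) in baseline.items():
        dev = abs(profile[f] - mu)
        out[f] = dev / sigma if sigma else (float("inf") if dev else 0.0)
    return out

def detect(flows, normal_keys, threshold=3.0):
    """Flag (host, window) profiles whose worst feature exceeds the threshold; report that feature."""
    profiles = build_profiles(flows)
    baseline = fit_baseline(profiles, normal_keys)
    flagged = {}
    for key, profile in profiles.items():
        z = zscores(profile, baseline)
        worst = max(z, key=z.get)
        if z[worst] > threshold:
            flagged[key] = worst
    return flagged
```

Reporting the feature that tripped, rather than only a score, is what lets an analyst verify a flagged window quickly and is also where the false positives of single-feature detectors tend to show up.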

Presenters:

  • Yury Kasimov - Stratosphere IPS / Avast
    Yury Kasimov received his master's degree at Czech Technical University, majoring in machine learning and artificial intelligence. He has been working on the Stratosphere project (https://www.stratosphereips.org/) for 2.5 years and wrote his master's thesis there. Yury is interested in applying machine learning to the field of network security.
