Cryptocoin Miners vs Machine Learning

Presented at Global AppSec - DC 2019, Sept. 12, 2019, 11:30 a.m. (45 minutes)

This talk will be a walkthrough of how I built a detection engine focused on finding cryptocoin miners within an AWS architecture. It utilizes AWS Flow Logs as the data source and multiple statistical analysis techniques for both massaging the data and performing the actual detection. AWS Flow Logs do not function as traditional per-packet 5-tuple captures. Instead, the data is aggregated over a 10-minute period, organized by unique IP address and port numbers. This presents a unique challenge for building a detection model, as you don't have detailed per-packet logs. The methodology itself follows an iterative design: look for a pattern, implement it in code, check for false positives. This is repeated until we have a sufficiently knowledgeable model capable of flagging cryptocoin mining traffic with a minimal false positive rate. The techniques discussed include cluster analysis via k-means and DBSCAN, convex hulls, linear regression analysis, nearest neighbor, and several other simple but very powerful statistical analysis techniques. The final implementation will be built on top of ELK, culminating in a turn-key release that owners can drop into their environments.
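An added illustration of working with aggregated flow records rather than per-packet captures (example code written for this page, not the speaker's engine): it sums constructed VPC Flow Log rows per source, destination and destination port, maps each flow to (log10 packets, log10 bytes per packet), and runs a small pure-Python DBSCAN so that flows that do not fall into a dense cluster are surfaced for analyst review. The two features, the eps and min_samples values and the log rows are assumptions chosen for illustration, not a characterisation of what mining traffic looks like.

```python
import math
from collections import defaultdict
# Constructed VPC Flow Log rows in the default v2 field order (version account-id interface-id
# srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status). Synthetic data.
FLOW_LOGS = """\
2 123456789012 eni-0a1 10.0.1.5 203.0.113.10 44102 443 6 120 150000 1600000000 1600000600 ACCEPT OK
2 123456789012 eni-0a1 10.0.1.5 203.0.113.11 44110 443 6 98 131000 1600000000 1600000600 ACCEPT OK
2 123456789012 eni-0a2 10.0.1.6 203.0.113.12 51020 443 6 110 140000 1600000000 1600000600 ACCEPT OK
2 123456789012 eni-0a2 10.0.1.6 203.0.113.13 51030 443 6 105 137000 1600000000 1600000600 ACCEPT OK
2 123456789012 eni-0a3 10.0.1.7 198.51.100.9 38000 9000 6 600 48000 1600000000 1600000600 ACCEPT OK
2 123456789012 eni-0a3 10.0.1.7 198.51.100.9 38000 9000 6 590 47500 1600000600 1600001200 ACCEPT OK
"""

def aggregate(log_text):
    """Sum packets and bytes per (srcaddr, dstaddr, dstport) across all 10-minute windows."""
    agg = defaultdict(lambda: [0, 0])  # [packets, bytes]
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 14 or f[12] != "ACCEPT":  # skip malformed rows and rejected flows
            continue
        key = (f[3], f[4], f[6])
        agg[key][0] += int(f[8])
        agg[key][1] += int(f[9])
    return agg
def dbscan(points, eps, min_samples):
    """Minimal DBSCAN (assumed parameters): returns a cluster id per point, or -1 for noise."""
    labels, cluster = [None] * len(points), 0
    near = lambda i: [j for j, q in enumerate(points) if math.dist(points[i], q) <= eps]
    for i in range(len(points)):
        if labels[i] is not None:
            continue
        nbrs = near(i)
        if len(nbrs) < min_samples:
            labels[i] = -1  # provisional noise; may later be absorbed as a border point
            continue
        labels[i], queue = cluster, [j for j in nbrs if j != i]
        while queue:
            j = queue.pop()
            if labels[j] is None and len(near(j)) >= min_samples:  # j is a core point: expand
                queue.extend(k for k in near(j) if labels[k] is None)
            if labels[j] in (None, -1):  # unvisited member, or former noise now a border point
                labels[j] = cluster
        cluster += 1
    return labels
def flag_outliers(log_text, eps=0.3, min_samples=3):
    """Flows whose (log10 packets, log10 bytes/packet) profile is left as DBSCAN noise."""
    agg = aggregate(log_text)
    pts = [(math.log10(p), math.log10(b / p)) for p, b in agg.values()]
    return sorted(k for k, lab in zip(agg, dbscan(pts, eps, min_samples)) if lab == -1)
```

Because the records are already aggregated, the cluster input is one point per flow rather than per packet, which is the constraint the abstract describes; a flagged flow is a lead for the false-positive check in the iterative loop, not a verdict.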


Presenters:

  • Jonn Callahan
    Jonn started his career working within the government sector, helping to start a program responsible for securing web applications run on government infrastructure. Looking to expand his experience beyond the .NET stack and the occasional Java app, he moved into the private sector as a consultant. Since then, he's sharpened his teeth across a wide variety of technologies within both appsec and other spaces. Currently, he runs parallel across web app, cloud, and container security and has recently reignited his love for math, joining the research community that seeks to bring machine learning into the world of security.
