Overview
Explore a methodology for detecting automated behavior in cyber-relevant log data through time signature-based matching in this 23-minute conference talk. Learn how to identify temporal patterns that indicate malicious activity executed by scripts or bots, and discover a scalable approach using locality sensitive hashing to overcome the limitations of brute force methods. Examine the potential applications of this coordination detection methodology, including developing features for anomaly detection, characterizing automated behavior through unsupervised clustering, and fusing disparate data sources using temporal signature keys. Gain insights from examples using a dataset of billions of netflow records, and understand how this approach can enhance network defense capabilities in the context of DARPA's Network Defense program.
Syllabus
TIME SIGNATURE BASED MATCHING FOR DATA FUSION AND AUTOMATION DETECTION IN CYBER RELEVANT LOGS
DARPA'S NETWORK DEFENSE PROGRAM
DEFINING TEMPORAL FEATURES OF LOG DATA
BRUTE FORCE COMPUTATION OF PAIRWISE DISTANCES
USE LOCALITY SENSITIVE HASHING TO REDUCE NUMBER OF PAIRWISE DISTANCE COMPUTATIONS
EXAMPLE: APPLICATION TO NETFLOW (SILK) DATA
POTENTIAL DATA FUSION APPLICATION
Taught by
0xdade