Network traffic based computer system user identification
Dr Zsolt Illési, associate professor, College of Dunaújváros
[email protected]
Open Source Intelligence Areas of Development
Key Questions of Detection
Provide information about:
• Who? (individual(s) involved)
• How? (used tools/exploits)
• When? (timeline)
• What? (nature of events)
• Why? (motivation)
• Where? (scene)
Incident Lifecycle
[Figure: incident lifecycle timeline between two incidents. Phases: Detection (IDh, IDu, IDo), Diagnosis, Initiation, Correction, Recovery, Restoration, Remedy. Intervals: response time, recovery time, restoration time; time to repair (TTR) or 'downtime'; uptime (TBL-TTR); time between systems incidents (TBF).]
Network Situational Awareness
• Cyber Attack Scenarios
• Situation-Aware and Context-Aware Network Applications
• CERTs and CSIRTs
• Security Event and Information Management
• Application Security, Audits and Penetration Testing
Web Traffic Characterisation
• Intrusion Detection Systems
• Traffic Characterisation Techniques
• Web Analytics
• Security Incident Response
Cyber Situational Awareness Tools & Techniques
• Fuzzy Logic
• Rough Set
• Artificial Neural Networks
• Artificial Intelligence
• Genetic Algorithm
• Evidence Theory (DST)
• Bayesian Networks & Set Theory
• Big Data Analytics
• Game Theory
• Graph Theory
Identifying someone
• Prove that a signature is from a known person
• Prove that some network traffic is generated by a specific user
Bayesian interpretation of network data

$$\frac{P(H_0 \mid E)}{P(H_1 \mid E)} = \frac{P(E \mid H_0)}{P(E \mid H_1)} \cdot \frac{P(H_0)}{P(H_1)}$$

posterior odds (posterior knowledge) = likelihood ratio (new data) × prior odds (prior knowledge)
Identification of WHO using a computer? (Assumptions)
• User(s) in action
– one or more persons
– one or more computer systems
– carefully defined (limited) task performance
• Used network data
– generic protocol data are available
– payload (e.g. data) possibly encrypted
• Previous information (reference data model is available)
Identification of WHO using a computer? (Tools)
• Network taps (specialised hardware or active network tool)
• Sniffers and network traffic/data analysers (Wireshark, tcpdump, tcpstat, tcptrace, CoralReef etc.)
• Scripting language for data pre-processing (Python, Perl etc.)
• Number cruncher (Octave, Scilab, Matlab, Mathematica etc.)
Identification of WHO using a computer? (Stages)
• Reference network usage data collection (prior probability distribution)
• Define the probability that a certain person (or computer system) uses the network (hypothesis testing; posterior distribution analysis)
Identification of WHO using a computer? (Process)
• Raw network data collection
• Understand network data
– packet sorting and analysis
– data-flow and protocol statistics
– network connections (source-destination pairing)
• Bayesian analysis (current data vs reference data)
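As an added worked example (not from the slides), the odds form of Bayes' rule from the "Bayesian interpretation of network data" slide applied to the last step of the process above: per-protocol flow counts from a capture are scored against two users' reference profiles. The users, protocol mix and counts are constructed, and the multinomial model with Laplace smoothing is my modelling choice, not the author's.

```python
from math import log, exp
from collections import Counter

# Constructed reference data (the "reference data collection" stage): flow
# counts per protocol for two hypothetical users. Not taken from the slides.
REFERENCE = {
    "user_a": Counter({"https": 600, "dns": 300, "ssh": 100}),
    "user_b": Counter({"https": 200, "dns": 100, "smb": 700}),
}

# Constructed "current data": protocol counts of the capture to be attributed.
# 'rdp' appears in neither reference profile, which exercises the smoothing.
OBSERVED = Counter({"https": 30, "dns": 15, "ssh": 4, "rdp": 1})


def log_likelihood(observed, reference, alpha=1.0):
    """log P(E|H): multinomial log-likelihood of the observed protocol counts
    under one user's reference distribution. Additive (Laplace) smoothing
    with `alpha` stops a protocol absent from the reference data from
    forcing the likelihood to zero and the odds to 0 or infinity."""
    vocab = set(reference) | set(observed)
    total = sum(reference.values()) + alpha * len(vocab)
    return sum(n * log((reference[p] + alpha) / total) for p, n in observed.items())


def log_posterior_odds(observed, ref_h0, ref_h1, prior_odds=1.0, alpha=1.0):
    """Bayes' rule in odds form, as on the slide:
        P(H0|E) / P(H1|E) = [P(E|H0) / P(E|H1)] * [P(H0) / P(H1)]
    Computed in log space so that a capture with many flows cannot overflow.
    Returns (log likelihood ratio, log posterior odds) in favour of H0."""
    log_lr = log_likelihood(observed, ref_h0, alpha) - log_likelihood(observed, ref_h1, alpha)
    return log_lr, log_lr + log(prior_odds)


def posterior_probability(log_odds):
    """P(H0|E) from log posterior odds (logistic function)."""
    if log_odds < -700:  # exp() would overflow; the probability is effectively 0
        return 0.0
    return 1.0 / (1.0 + exp(-log_odds))


if __name__ == "__main__":
    log_lr, log_odds = log_posterior_odds(OBSERVED, REFERENCE["user_a"], REFERENCE["user_b"])
    print(f"log LR = {log_lr:.1f}, P(user_a | traffic) = {posterior_probability(log_odds):.4f}")
```

The slide's "single user" and "adequate reference data" constraints show up directly here: the reference Counters are the prior, and a thin or mixed reference profile flattens the likelihood ratio.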
Pro's and Con's
Benefits
• 80%+ accuracy (pls consider the limitations!!!)
Constraints
• Single user
• No other (significant) interference to computer traffic (e.g. background software activity)
• Lack of adequate amount of reference data (directed network usage)
Future development — Experiment Scope
• Greater reference data
– number of persons
– duration of network usage
– mixed data with some other subjects
• Combine with logs (apply the results to the log analysis field and enhance accuracy)
Future Developments — Combined approach
• Hidden Markov model
• Gaussian mixture models
• Fuzzy Logic
• Artificial Neural Networks
• Data Mining
• Decision Trees
• Graph Theory
• etc.