International Conference on Cyber Conflict

Machine Learning-based Detection of C&C Channels with a Focus on the Locked Shields Cyber Defense Exercise


Abstract

The diversity of applications and devices in enterprise networks, combined with large traffic volumes, makes it inherently challenging to quickly identify malicious traffic. When incidents occur, emergency response teams often lose precious time reverse-engineering the network topology and configuration before they can focus on malicious activities and digital forensics. In this paper, we present a system that quickly and reliably identifies Command and Control (C&C) channels without prior network knowledge. The key idea is to train a classifier on network traffic from attacks that happened in the past and use it to identify C&C connections in the current traffic of other networks. Specifically, we leverage the fact that, while benign traffic differs, malicious traffic bears similarities across networks (e.g., devices participating in a botnet act in a similar manner irrespective of their location). To ensure performance and scalability, we use a random forest classifier based on a set of computationally efficient features tailored to the detection of C&C traffic. To prevent attackers from outwitting our classifier, we tune the model parameters to maximize robustness. We measure high resilience against possible attacks (e.g., attempts to camouflage C&C flows as benign traffic) and against packet loss during inference. We have implemented our approach and show its practicality on a real use case: Locked Shields, the world's largest cyber defense exercise. In Locked Shields, defenders have limited resources to protect a large, heterogeneous network against unknown attacks. Using recorded datasets (from 2017 and 2018) from a participating team, we show that our classifier is able to identify C&C channels with 99% precision and over 90% recall in near real time and with realistic resource requirements. If the team had used our system in 2018, it would have discovered 10 out of 12 C&C servers in the first hours of the exercise.
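The abstract names two design points, computationally cheap per-flow features that transfer across networks and robustness to packet loss at inference time, without showing either. The following is an added example, not code from the paper or from the Locked Shields team: it extracts a small set of flow-level statistics from constructed (timestamp, size) packet lists, measures how each feature moves when packets are dropped, and uses a hand-written scoring rule as a stand-in for the paper's random forest. The feature set, the synthetic beacon and browsing flows, and the scoring weights are all assumptions made for illustration.

```python
"""Per-flow features for beacon-style C&C detection plus a packet-loss
sensitivity check. Added example; the features, synthetic flows and the
scoring rule are assumptions, not the paper's actual feature set or model."""
import random
import statistics


def beacon_flow(n=50, period=60.0, jitter=2.0, size=200, seed=7):
    """Constructed C&C-like flow: near-periodic check-ins of near-constant size."""
    rng = random.Random(seed)
    t, pkts = 0.0, []
    for _ in range(n):
        t += period + rng.uniform(-jitter, jitter)
        pkts.append((t, size + rng.randint(-8, 8)))
    return pkts


def browsing_flow(n=50, seed=7):
    """Constructed benign flow: bursty inter-arrivals, widely varying sizes."""
    rng = random.Random(seed)
    t, pkts = 0.0, []
    for _ in range(n):
        t += rng.expovariate(1.0)            # mean gap 1 s, high variance
        pkts.append((t, rng.randint(60, 1500)))
    return pkts


def flow_features(pkts):
    """O(n) statistics over (timestamp, size) pairs; no payload inspection.
    Needs at least two packets so that inter-arrival gaps exist."""
    times = [t for t, _ in pkts]
    sizes = [s for _, s in pkts]
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean_gap = statistics.fmean(gaps)
    mean_size = statistics.fmean(sizes)
    return {
        "pkt_count": float(len(pkts)),
        "mean_gap": mean_gap,
        "gap_cv": statistics.pstdev(gaps) / mean_gap,     # periodicity: ~0 for beacons
        "mean_size": mean_size,
        "size_cv": statistics.pstdev(sizes) / mean_size,  # payload regularity
    }


def drop_packets(pkts, loss_rate, seed=1):
    """Simulate inference-time packet loss: each packet dropped independently."""
    rng = random.Random(seed)
    kept = [p for p in pkts if rng.random() >= loss_rate]
    return kept if len(kept) >= 2 else pkts[:2]


def feature_sensitivity(pkts, loss_rate, seed=1):
    """Relative change of each feature when loss_rate of the packets is missing.
    Large values mark features an attacker (or a lossy tap) can perturb easily."""
    before = flow_features(pkts)
    after = flow_features(drop_packets(pkts, loss_rate, seed))
    return {k: abs(after[k] - before[k]) / (abs(before[k]) or 1.0) for k in before}


def beacon_score(feat):
    """Hand-written stand-in for the paper's random forest (assumption).
    Higher means more beacon-like. Size regularity gets the larger weight
    because, unlike gap regularity, it barely moves under packet loss."""
    return (1.0 - min(feat["size_cv"], 1.0)) + 0.5 * (1.0 - min(feat["gap_cv"], 1.0))


if __name__ == "__main__":
    for name, flow in (("beacon", beacon_flow()), ("browsing", browsing_flow())):
        feats = flow_features(flow)
        print(name, {k: round(v, 3) for k, v in feats.items()},
              "score", round(beacon_score(feats), 2))
        print(name, "relative shift at 20% loss",
              {k: round(v, 2) for k, v in feature_sensitivity(flow, 0.2).items()})
```

Running it shows why the robustness tuning the abstract mentions matters: dropping 20% of a beacon's packets inflates `gap_cv` by more than an order of magnitude (a single lost check-in doubles one gap), while `mean_size` and `size_cv` shift by well under 5%. A model that leans only on periodicity is therefore easy to degrade with loss or deliberate jitter; one that also weighs loss-insensitive features keeps separating the beacon from the browsing flow.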
