Conference paper: International Conference on Cyber Conflict

Machine Learning-based Detection of C&C Channels with a Focus on the Locked Shields Cyber Defense Exercise



Abstract

The diversity of applications and devices in enterprise networks, combined with large traffic volumes, makes it inherently challenging to quickly identify malicious traffic. When incidents occur, emergency response teams often lose precious time reverse-engineering the network topology and configuration before they can focus on malicious activities and digital forensics. In this paper, we present a system that quickly and reliably identifies Command and Control (C&C) channels without prior network knowledge. The key idea is to train a classifier on network traffic from attacks that happened in the past and use it to identify C&C connections in the current traffic of other networks. Specifically, we leverage the fact that, while benign traffic differs from network to network, malicious traffic bears similarities across networks (e.g., devices participating in a botnet act in a similar manner irrespective of their location). To ensure performance and scalability, we use a random forest classifier based on a set of computationally efficient features tailored to the detection of C&C traffic. In order to prevent attackers from outwitting our classifier, we tune the model parameters to maximize robustness. We measure high resilience against possible attacks (e.g., attempts to camouflage C&C flows as benign traffic) and against packet loss during inference. We have implemented our approach and show its practicality on a real use case: Locked Shields, the world's largest cyber defense exercise. In Locked Shields, defenders have limited resources to protect a large, heterogeneous network against unknown attacks. Using recorded datasets (from 2017 and 2018) from a participating team, we show that our classifier is able to identify C&C channels with 99% precision and over 90% recall in near real time and with realistic resource requirements. If the team had used our system in 2018, it would have discovered 10 out of 12 C&C servers in the first hours of the exercise.
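The abstract names three ingredients that a practitioner will want to see concretely: cheap per-flow features that capture how C&C traffic looks alike across networks, a classifier over those features, and a check that the features survive packet loss at inference time. The following is an added example, not the paper's code or feature set: the flow features (median inter-arrival time, its median absolute deviation, the small-packet fraction, the outbound/inbound byte ratio), the constructed packet records and the threshold rule standing in for the paper's trained random forest are all this example's own assumptions, chosen so the block runs offline without ML libraries.

```python
"""Added example (not the paper's code): cheap per-flow features that expose
C&C beaconing, and a check that they survive packet loss at inference time.
The feature set, the sample traffic and the threshold rule are this example's
own assumptions; the paper trains a random forest on its own feature set."""
import random
import statistics
from collections import defaultdict

# Packet record: (timestamp_s, src, dst, dport, size_bytes, direction)
# direction "out" = client -> server, "in" = server -> client.
BEACON = ("10.0.0.5", "203.0.113.9", 443)     # constructed C&C flow key
BENIGN = ("10.0.0.7", "198.51.100.20", 443)   # constructed browsing flow key


def constructed_packets(seed=1):
    """Constructed traffic: one timer-driven C&C flow, one bursty web flow."""
    rnd = random.Random(seed)
    pkts = []
    t = 0.0
    for _ in range(60):                 # C&C: small request every ~60 s, small reply
        t += 60 + rnd.uniform(-1, 1)
        pkts.append((t, *BEACON, 210 + rnd.randint(-5, 5), "out"))
        pkts.append((t + 0.1, *BEACON, 180 + rnd.randint(-5, 5), "in"))
    t = 0.0
    for _ in range(60):                 # benign: irregular requests, large downloads
        t += rnd.uniform(1, 60)
        pkts.append((t, *BENIGN, rnd.randint(100, 600), "out"))
        for _ in range(rnd.randint(3, 15)):
            t += rnd.uniform(0.001, 0.05)
            pkts.append((t, *BENIGN, 1460, "in"))
    return pkts


def simulate_packet_loss(packets, rate, seed=7):
    """Drop each packet independently with probability `rate` (capture loss)."""
    rnd = random.Random(seed)
    return [p for p in packets if rnd.random() >= rate]


def extract_features(packets):
    """One pass per flow after a sort; only counts, sums and medians."""
    flows = defaultdict(list)
    for p in sorted(packets):
        flows[(p[1], p[2], p[3])].append(p)
    feats = {}
    for key, ps in flows.items():
        out_ts = [p[0] for p in ps if p[5] == "out"]
        iats = [b - a for a, b in zip(out_ts, out_ts[1:])]
        sizes = [p[4] for p in ps]
        out_bytes = sum(p[4] for p in ps if p[5] == "out")
        in_bytes = sum(p[4] for p in ps if p[5] == "in")
        med = statistics.median(iats) if iats else 0.0
        # Median absolute deviation of inter-arrival times relative to the
        # median: near 0 for a timer-driven beacon. A minority of doubled gaps
        # caused by dropped packets cannot move either median much, which is
        # why medians are used here instead of mean/standard deviation.
        mad = statistics.median(abs(x - med) for x in iats) if iats else 0.0
        feats[key] = {
            "pkts": len(ps),
            "median_iat": med,
            "iat_mad_ratio": (mad / med) if med else 0.0,
            "out_in_byte_ratio": out_bytes / (in_bytes + 1),
            "small_pkt_frac": sum(s < 300 for s in sizes) / len(sizes),
        }
    return feats


def classify(f):
    """Hand-written stand-in for a trained classifier (assumption): regular
    timing plus mostly small packets over a sustained flow."""
    if f["pkts"] >= 10 and f["iat_mad_ratio"] < 0.15 and f["small_pkt_frac"] > 0.5:
        return "c2-candidate"
    return "benign"


if __name__ == "__main__":
    clean = extract_features(constructed_packets())
    lossy = extract_features(simulate_packet_loss(constructed_packets(), 0.25))
    for name, key in (("beacon", BEACON), ("benign", BENIGN)):
        print(name, classify(clean[key]), "-> with 25% loss:", classify(lossy[key]),
              {k: round(v, 3) for k, v in lossy[key].items()})
```

The point of the loss check is the one the abstract makes about inference-time resilience: a feature built on a mean and standard deviation of inter-arrival times would drift as soon as a quarter of the capture is missing, whereas median-based regularity keeps the beaconing flow on the same side of the decision boundary.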
