PEIMA: Harnessing Power Laws to Detect Malicious Activities from Denial of Service to Intrusion Detection Traffic Analysis and Beyond
Stefan Prandl
Who am I?
• Stefan Prandl, PhD Student, Curtin University
• From Perth, Western Australia
• Work on network security threat detection
Research Team:
• Curtin University: Mihai Lazarescu, Duc-Son Pham, Sie Teng Soh
• Oklahoma State University: Subhash Kak
What can we do?
IDS Systems!
Let AI solve our problems for us!
Let AI solve our problems for us! … Or not
Introducing PEIMA: Probability Engine to Identify Malicious Activity
What can it do?
• Detects attacks within microseconds
• Accurate
• Uses only metadata
• No learning
How?
Power Law Probability Distributions
• Uses power law distributions
• Measures how closely traffic metadata follows them, i.e. how “natural” the traffic is
• Traffic that departs from those laws is treated as attack traffic!
Pareto Distribution
• Continuous power law distribution
• The reference power law; the discrete laws below are its relatives
• 80/20 principle
• Less directly applicable to traffic metadata than the other power laws here
Zipf’s Law
• Relates popularity (rank) to frequency
• Power-law decay: frequency falls off as a power of rank, not exponentially
• Applies to all sorts of weird situations
[Chart: Zipf's Law, relative frequency (0 to 100) against rank 1 to 10]
Benford’s Law
• Describes the distribution of the leading digit of numbers in many naturally occurring data sets
• Never has to be calculated from data: the expected distribution is always the same, P(d) = log10(1 + 1/d) for d = 1..9
• Used in detecting bank fraud for years
[Chart: Benford's Law, probability (0 to 0.35) of each leading digit 1 to 9]
Network traffic is natural!
• So we can use power laws to detect “fraud”, or in this case DoS/DDoS!
• Metadata follows various power laws!
• We just have to check whether the observed metadata matches them.
But wait, there’s more!
This can be an IDS too!
• Other attacks appear to be detectable too
• Any significant activity that changes a network is detectable
• Nmap scans and brute-force logins, for example
User Profiling
• Benford’s and Zipf’s laws are sensitive to changes in a system
• They can create unique profiles of users
• And are sensitive to when those profiles change
• Thanks to the power-law fit, such profiles are hard to fool too!
How do I use this though?
• Very lightweight
• Can run purely as software
• Can be fully integrated into existing systems
PEIMA framework
• Gather metadata
• Create windows
• Perform analysis
• Make decisions
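The four steps above, together with the two earlier slides on checking whether metadata matches the laws and on spotting scans, can be shown in a few dozen lines. The block below is an added example, not PEIMA's own code: it cuts a stream of packet metadata into fixed-count windows, measures each window's distance from Benford's law (on inter-arrival gaps) and from Zipf's law (on destination-port rank-frequency), and reports which laws a window breaks. The choice of fields, the window size, the distance metric and the threshold are illustrative assumptions; the packet records are constructed inline, not captured traffic.

```python
"""Added example, not PEIMA's own code: a minimal power-law "naturalness"
check over windowed packet metadata, following the four PEIMA steps
(gather metadata, create windows, perform analysis, make decisions).
The two fields used (inter-arrival gap in microseconds, destination port),
the window size and the distance threshold are illustrative assumptions;
the packet records below are constructed, not captured traffic."""
import math
from collections import Counter

# Benford's law: expected share of each leading digit 1..9. Fixed, never learned.
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
WINDOW = 600        # packets per window (assumption)
THRESHOLD = 0.25    # max distance from a law before a window is flagged (assumption)


def leading_digit(n):
    """First significant digit of a positive integer."""
    while n >= 10:
        n //= 10
    return n


def zipf(n_ranks):
    """Zipf's law with exponent 1: the item at rank r gets share (1/r) / H_n."""
    h = sum(1 / r for r in range(1, n_ranks + 1))
    return {r: 1 / (r * h) for r in range(1, n_ranks + 1)}


def total_variation(observed, expected):
    """Distance between two distributions: 0 = identical, 1 = no overlap."""
    keys = set(observed) | set(expected)
    return 0.5 * sum(abs(observed.get(k, 0) - expected.get(k, 0)) for k in keys)


def benford_distance(values):
    """Distance of the leading-digit distribution of positive values from Benford."""
    counts = Counter(leading_digit(v) for v in values if v > 0)
    n = sum(counts.values())
    if n == 0:
        return 1.0
    return total_variation({d: c / n for d, c in counts.items()}, BENFORD)


def zipf_distance(items):
    """Distance of the rank-frequency curve of items from Zipf's law."""
    counts = sorted(Counter(items).values(), reverse=True)
    n = sum(counts)
    observed = {r: c / n for r, c in enumerate(counts, start=1)}
    return total_variation(observed, zipf(len(counts)))


def windows(records, size=WINDOW):
    """Step 2: cut the metadata stream into fixed-count windows."""
    for i in range(0, len(records) - size + 1, size):
        yield records[i:i + size]


def analyse_window(window, threshold=THRESHOLD):
    """Steps 3 and 4: score one window on both laws and list the ones it breaks.
    An empty 'violated' list means the window looks natural."""
    b = benford_distance([r["gap_us"] for r in window])
    z = zipf_distance([r["dport"] for r in window])
    violated = [name for name, d in (("benford", b), ("zipf", z)) if d > threshold]
    return {"benford": round(b, 3), "zipf": round(z, 3), "violated": violated}


def build_sample_stream():
    """Step 1 stand-in: constructed metadata for three consecutive windows,
    natural traffic, then a packet flood, then a port sweep."""
    # Heavy-tailed gaps on a log-uniform grid over six decades (follows Benford).
    natural_gaps = [int(10 ** (k / 100)) for k in range(100, 700)]
    # A handful of services with roughly 1/rank popularity (follows Zipf).
    natural_ports = [443] * 250 + [80] * 120 + [53] * 90 + [22] * 60 + [123] * 50 + [8080] * 30
    natural = [{"gap_us": g, "dport": p} for g, p in zip(natural_gaps, natural_ports)]
    # Flood: near-constant tiny gaps to one port, so the leading digit is always 5.
    flood = [{"gap_us": 50 + i % 3, "dport": 80} for i in range(WINDOW)]
    # Sweep: one probe per port, so the rank-frequency curve is flat, not Zipfian.
    # Gaps reuse the natural grid so that only the port mix differs.
    sweep = [{"gap_us": g, "dport": i + 1} for i, g in enumerate(natural_gaps)]
    return natural + flood + sweep


def run_demo():
    """Analyse every window of the constructed stream and return the verdicts."""
    return [analyse_window(w) for w in windows(build_sample_stream())]


if __name__ == "__main__":
    for i, result in enumerate(run_demo()):
        print(f"window {i}: {result}")
```

Run as a script, the natural window scores close to zero on both laws, the flood window breaks Benford only (every gap starts with a 5), and the sweep window breaks Zipf only (600 ports hit once each is as far from a rank-frequency curve as traffic gets). In the gateway example that follows, the decision step would feed a verdict like this into iptables; here it is simply returned so it can be inspected.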
Example One
• Running on a gateway
• Detects DoS/DDoS
• Reconfigures iptables to adapt
• Silent DoS mitigation
Example Two
• Running alongside SIEM
• Performs analysis to assist SIEM alert generation
• More accurate alerts
• Better alert severity
Conclusions
• Very early days for power law based analysis
• It may be that all kinds of computer metrics follow power laws
• PEIMA solutions are coming.
Black Hat Sound Bytes
• A brand new and fast method of detecting DoS/DDoS attacks.
• How to implement a PEIMA system.
• A new, power law based way of analysing networks.
Contact: [email protected]
Thank you!