可视化自动检测到的周期性网络活动

2018 IEEE Symposium on Visualization for Cyber Security (VizSec) Pub Date : 2018-09-14 DOI:10.1109/VIZSEC.2018.8709177

R. Gove, Lauren Deason

{"title":"可视化自动检测到的周期性网络活动","authors":"R. Gove, Lauren Deason","doi":"10.1109/VIZSEC.2018.8709177","DOIUrl":null,"url":null,"abstract":"Malware frequently leaves periodic signals in network logs, but these signals are easily drowned out by non-malicious periodic network activity, such as software updates and other polling activity. This paper describes a novel algorithm based on Discrete Fourier Transforms capable of detecting multiple distinct period lengths in a given time series. We pair the output of this algorithm with aggregation summary tables that give users information scent about which detections are worth investigating based on the metadata of the log events rather than the periodic signal. A visualization of selected detections enables users to see all detected period lengths per entity, and compare detections between entities to check for coordinated activity. We evaluate our approach on real-world netflow and DNS data from a large organization, demonstrating how to successfully find malicious periodic activity in a large pool of noise and non-malicious periodic activity.","PeriodicalId":412565,"journal":{"name":"2018 IEEE Symposium on Visualization for Cyber Security (VizSec)","volume":"18 4 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2018-09-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"12","resultStr":"{\"title\":\"Visualizing Automatically Detected Periodic Network Activity\",\"authors\":\"R. Gove, Lauren Deason\",\"doi\":\"10.1109/VIZSEC.2018.8709177\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Malware frequently leaves periodic signals in network logs, but these signals are easily drowned out by non-malicious periodic network activity, such as software updates and other polling activity. This paper describes a novel algorithm based on Discrete Fourier Transforms capable of detecting multiple distinct period lengths in a given time series. We pair the output of this algorithm with aggregation summary tables that give users information scent about which detections are worth investigating based on the metadata of the log events rather than the periodic signal. A visualization of selected detections enables users to see all detected period lengths per entity, and compare detections between entities to check for coordinated activity. We evaluate our approach on real-world netflow and DNS data from a large organization, demonstrating how to successfully find malicious periodic activity in a large pool of noise and non-malicious periodic activity.\",\"PeriodicalId\":412565,\"journal\":{\"name\":\"2018 IEEE Symposium on Visualization for Cyber Security (VizSec)\",\"volume\":\"18 4 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2018-09-14\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"12\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2018 IEEE Symposium on Visualization for Cyber Security (VizSec)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/VIZSEC.2018.8709177\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2018 IEEE Symposium on Visualization for Cyber Security (VizSec)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/VIZSEC.2018.8709177","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 12

摘要

恶意软件经常在网络日志中留下周期性信号，但这些信号很容易被非恶意的周期性网络活动(如软件更新和其他轮询活动)淹没。本文提出了一种基于离散傅里叶变换的新算法，该算法能够检测给定时间序列中的多个不同周期长度。我们将该算法的输出与聚合汇总表配对，聚合汇总表根据日志事件的元数据而不是周期信号，为用户提供关于哪些检测值得调查的信息。所选检测的可视化使用户能够看到每个实体检测到的所有周期长度，并比较实体之间的检测以检查协调的活动。我们在一个大型组织的真实netflow和DNS数据上评估了我们的方法，演示了如何在大量噪音和非恶意周期性活动中成功发现恶意周期性活动。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

Visualizing Automatically Detected Periodic Network Activity

Malware frequently leaves periodic signals in network logs, but these signals are easily drowned out by non-malicious periodic network activity, such as software updates and other polling activity. This paper describes a novel algorithm based on Discrete Fourier Transforms capable of detecting multiple distinct period lengths in a given time series. We pair the output of this algorithm with aggregation summary tables that give users information scent about which detections are worth investigating based on the metadata of the log events rather than the periodic signal. A visualization of selected detections enables users to see all detected period lengths per entity, and compare detections between entities to check for coordinated activity. We evaluate our approach on real-world netflow and DNS data from a large organization, demonstrating how to successfully find malicious periodic activity in a large pool of noise and non-malicious periodic activity.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2018 IEEE Symposium on Visualization for Cyber Security (VizSec)

自引率

0.00%

发文量

期刊最新文献

Visual Analytics for Root DNS Data TAPESTRY: Visualizing Interwoven Identities for Trust Provenance Visual-Interactive Identification of Anomalous IP-Block Behavior Using Geo-IP Data ROPMate: Visually Assisting the Creation of ROP-based Exploits User Behavior Map: Visual Exploration for Cyber Security Session Data