Ascii visualisation

UNDERSTANDING THE CONTEXT OF NETWORK TRAFFIC ALERTS
Bram C.M. Cappers, Jarke J. van Wijk
Advanced Persistent Threats
• Infiltration
• Expansion
• Sabotage
• Espionage
• Disrupting services
Data
PCAP
Wireshark Protocol Analyzer
Multivariate data
Overview
Selections
Conversations
Attributes
Messages
+
Alerts
Exploration
• Alerts
• Messages
• Attributes
[Figure: an alert with attributes ip.src = 192.168.0.1, file = EvilText.txt, action = create, raising the questions What? When? Where?; a timeline of #Messages over Time; CoNTA links the alerts, the messages and their attributes.]
Context
[Figure: message sequences per host (192.168.0.1 and 192.168.0.2) built from Open Valve, Close Valve, Read a.txt and Read b.txt messages.]
Context
[Figure: alerts Ax, Ay, Aj placed among messages m1, m2, m3 on a time axis, in three steps.]
Context - Profiling
[Figure: alert Aj profiled along three dimensions: #alerts (what), user (where) and day (when, e.g. 1 Mon, 2 Tue, 3 Wed), each shown over time.]
Context - Conversations
[Figure: conversations #1 and #2 built from Open Valve, Close Valve, Read a.txt and Read b.txt messages.]
Attributes
• Alerts
• Messages
• Attributes
[Figure: attribute value histograms for #Messages - All traffic, #Messages - Malicious and #Alerts, for the attributes Mbtcp.register_uint16, Frame.time_epoch and Frame.protocols (e.g. SMB2).]
Combining Results
[Figure: Context, Conversations, Attributes and Profiles combined.]
Demo
[Figure: message sequence open, close, overflow.]
Conclusions & Future Work
• Strengths
– Dynamic exploration, visual querying
– Save intermediate results
• Enrich data with new attributes
– Expressive through interaction
• Weaknesses
– Familiarity over scalability
How does the approach scale in larger environments?
WE NEED DATA!
Thanks for your attention!
Project:
More Info: www.bramcappers.nl
Industrial Partners: