[Bro] Covert Channel Detection Framework in Bro (BroCCaDe)
Hendra.Gunadi at murdoch.edu.au
Fri Nov 17 03:28:15 PST 2017
We are from Murdoch University in Perth, exploring the opportunity to
integrate covert channel detection into an open source IDS. After looking
at and comparing several IDSs, we decided to work with Bro.
Our framework is implemented as a collection of plugins:

1. A feature extraction plugin, which extracts features such as packets'
   inter-arrival times.
2. An analysis plugin, which implements several analysis methods, such as
   the KS test, entropy, CCE, multi-modality, autocorrelation, and
   regularity analysis.
3. A classifier plugin, which classifies whether or not a flow contains
   covert communication. Currently the only classifier we have implemented
   is the C4.5 decision tree classifier.
4. A training plugin, which trains a model for the C4.5 decision tree
   classifier.
If you are interested, please have a look at our project's website and
let us know what you think.
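To make the announcement's pipeline concrete, the following is an added example, written for this page rather than taken from the post or from the BroCCaDe plugins (which are Bro plugins, not Python). It shows the first two stages in plain Python: extracting packet inter-arrival times (IATs) from a list of timestamps, then computing three of the listed analysis features over them, namely the entropy of the binned IATs, the regularity score in the style of Cabuk et al., and a two-sample Kolmogorov-Smirnov statistic against a reference distribution. All function names and the two sample flows (a jittery, bursty "legitimate" flow and a flow whose delays alternate between two fixed values, the classic timing-channel pattern) are constructed for the example and are not from the project.

```python
"""
Added example, not part of the original post or of BroCCaDe: feature
extraction (inter-arrival times) plus three of the analysis methods named
in the announcement, run over constructed packet timestamps.
"""
import math
import random
from typing import List, Sequence


def inter_arrival_times(timestamps: Sequence[float]) -> List[float]:
    """Feature extraction: differences between consecutive packet timestamps."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def binned_entropy(values: Sequence[float], n_bins: int = 10) -> float:
    """Shannon entropy (bits) of a histogram with n_bins equal-width bins.
    A timing channel that encodes symbols as a few distinct delays puts its
    mass into a few bins, so its entropy is low compared with jittery traffic."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return 0.0
    counts = [0] * n_bins
    for v in values:
        idx = min(int((v - lo) / (hi - lo) * n_bins), n_bins - 1)
        counts[idx] += 1
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def regularity(values: Sequence[float], window: int = 20) -> float:
    """Regularity score (Cabuk et al.): split the IATs into fixed windows,
    take each window's standard deviation sigma_i, then return the standard
    deviation of all pairwise |sigma_i - sigma_j| / sigma_i terms. A low
    score means the variance hardly changes over time, as with a
    machine-driven sender; human/bursty traffic scores higher."""
    sigmas = []
    for i in range(0, len(values) - window + 1, window):
        w = values[i:i + window]
        mean = sum(w) / window
        sigmas.append(math.sqrt(sum((x - mean) ** 2 for x in w) / window))
    diffs = [abs(si - sj) / si for i, si in enumerate(sigmas)
             for j, sj in enumerate(sigmas) if i < j and si > 0]
    if not diffs:
        return 0.0
    m = sum(diffs) / len(diffs)
    return math.sqrt(sum((d - m) ** 2 for d in diffs) / len(diffs))


def ks_statistic(a: Sequence[float], b: Sequence[float]) -> float:
    """Two-sample Kolmogorov-Smirnov statistic: the largest vertical gap
    between the two empirical CDFs. Comparing a flow's IATs with a reference
    sample of known-good traffic is the KS test the announcement lists."""
    sa, sb = sorted(a), sorted(b)
    ia = ib = 0
    d = 0.0
    for x in sorted(set(sa) | set(sb)):
        while ia < len(sa) and sa[ia] <= x:
            ia += 1
        while ib < len(sb) and sb[ib] <= x:
            ib += 1
        d = max(d, abs(ia / len(sa) - ib / len(sb)))
    return d


def make_flows(n: int = 200, seed: int = 1):
    """Constructed sample data (not captured traffic): two packet timestamp
    sequences of n packets each."""
    rng = random.Random(seed)
    # Legitimate-looking flow: delays around 0.15 s whose jitter changes
    # every 20 packets, i.e. bursty, human-like timing.
    t, legit, sigma = 0.0, [0.0], 0.05
    for i in range(n):
        if i % 20 == 0:
            sigma = rng.uniform(0.02, 0.12)
        t += max(0.001, rng.gauss(0.15, sigma))
        legit.append(t)
    # Timing-channel flow: a 0.1 s gap encodes bit 0, a 0.2 s gap bit 1.
    t, covert = 0.0, [0.0]
    for _ in range(n):
        t += 0.1 if rng.random() < 0.5 else 0.2
        covert.append(t)
    return legit, covert


def summarize(n: int = 200, seed: int = 1) -> dict:
    """Run the three analyses on both constructed flows; the legitimate
    flow doubles as the KS reference distribution."""
    legit_ts, covert_ts = make_flows(n, seed)
    legit, covert = inter_arrival_times(legit_ts), inter_arrival_times(covert_ts)
    return {
        "entropy_legit": binned_entropy(legit),
        "entropy_covert": binned_entropy(covert),
        "regularity_legit": regularity(legit),
        "regularity_covert": regularity(covert),
        "ks_covert_vs_reference": ks_statistic(legit, covert),
    }


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name:>24}: {value:.3f}")
```

Run as-is, the two-delay flow shows roughly one bit of binned entropy and a far lower regularity score than the bursty flow, and its KS distance from the reference sample is large; in a deployment these per-flow numbers are what the classifier stage (the C4.5 tree in the announcement) would consume, and the thresholds must be learned from the traffic of the network being monitored rather than taken from a toy sample like this one.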