[Bro] Covert Channel Detection Framework in Bro (BroCCaDe)

Hendra Gunadi Hendra.Gunadi at murdoch.edu.au
Fri Nov 17 03:28:15 PST 2017

Hi All,

We are from Murdoch University in Perth, exploring the opportunity to 
integrate covert channel detection

into an open source IDS. After looking/comparing around some IDS, we 
decided to work with Bro.

Our framework is implemented as a collection of Plugins:

1. Plugin to do a feature extraction such as packets' inter-arrival time

2. Analysis plugin which implements some analysis methods, such as KS 
test, Entropy, CCE, Multi Modality,

    Autocorrelation, and Regularity analysis.

3. Classifier plugin to classify whether a flow contains covert 
communication or not. Currently the only

    classifier we implemented is C4.5 decision tree classifier.

4. Training plugin to train model for the C4.5 decision tree classifier.

If you are interested, please have a look into our project's website and 
let us know what you think




More information about the Bro mailing list