[Bro] Covert Channel Detection Framework in Bro (BroCCaDe)

Mike Dopheide dopheide at gmail.com
Fri Nov 17 11:01:51 PST 2017

There is a little prior work along these lines, see the second half of this


It's pretty resource-intensive.  I don't speak for the development team, but
it kinda felt like the majority of the Bro community didn't think it was
that high of a priority.  At least not for the University and un-classified
lab communities that I talk to.  :)  For Enterprise though, I could see
them potentially wanting to fund some additional work.


On Fri, Nov 17, 2017 at 5:28 AM, Hendra Gunadi <Hendra.Gunadi at murdoch.edu.au> wrote:

> Hi All,
>
> We are from Murdoch University in Perth, exploring the opportunity to
> integrate covert channel detection into an open source IDS. After looking
> at and comparing some IDSs, we decided to work with Bro.
>
> Our framework is implemented as a collection of plugins:
>
> 1. Plugin to do feature extraction, such as packets' inter-arrival time.
> 2. Analysis plugin which implements some analysis methods, such as KS
>    test, Entropy, CCE, Multi Modality, Autocorrelation, and Regularity
>    analysis.
> 3. Classifier plugin to classify whether a flow contains covert
>    communication or not. Currently the only classifier we implemented is
>    the C4.5 decision tree classifier.
> 4. Training plugin to train the model for the C4.5 decision tree classifier.
>
> If you are interested, please have a look at our project's website and
> let us know what you think:
> http://www.it.murdoch.edu.au/nsrg/cc_detection_ids/introduction.html
>
> Regards,
> Hendra
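The pipeline Hendra describes (inter-arrival-time extraction, a set of statistical analyses, then a classifier) sketched end to end in Python, as an added illustration that is not BroCCaDe's code (the project ships as Bro plugins and its website, not this script, documents its exact metrics). It computes histogram entropy, lag-1 autocorrelation, a regularity score and a two-sample KS statistic against a known-good baseline, then applies a hand-set threshold rule that stands in for the trained C4.5 tree. CCE and multimodality are omitted. The two flows are constructed inside the script, and the 50/150 ms bit encoding, the jitter model and the thresholds are assumptions made for the demonstration:

```python
"""Timing covert-channel features over packet inter-arrival times (IATs).

Constructed illustration, NOT BroCCaDe code: the metrics follow textbook
definitions and the final decision rule is a hand-set threshold standing in
for a trained C4.5 tree. Standard library only.
"""
import math
import random
from bisect import bisect_right
from statistics import mean, pstdev


def inter_arrival_times(timestamps):
    """Feature extraction: consecutive packet timestamp differences (seconds)."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def shannon_entropy(values, bins=8):
    """Entropy (bits) of the IAT histogram over `bins` equal-width bins.
    A binary timing channel puts its mass in two bins (about 1 bit);
    jittered legitimate traffic spreads over many bins."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return 0.0
    width = (hi - lo) / bins
    counts = [0] * bins
    for v in values:
        counts[min(int((v - lo) / width), bins - 1)] += 1
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def lag_autocorrelation(values, lag=1):
    """Normalised autocorrelation at `lag`; near 0 for independent delays."""
    m = mean(values)
    var = sum((v - m) ** 2 for v in values)
    if var == 0:
        return 0.0
    cov = sum((values[i] - m) * (values[i + lag] - m)
              for i in range(len(values) - lag))
    return cov / var


def regularity(values, window=10):
    """Regularity score (assumed form): dispersion of per-window IAT standard
    deviations relative to their mean. A channel that always draws from the
    same few delays keeps per-window variance stable, giving a low score."""
    sds = [pstdev(values[i:i + window])
           for i in range(0, len(values) - window + 1, window)]
    m = mean(sds)
    return pstdev(sds) / m if m else 0.0


def ks_statistic(sample, reference):
    """Two-sample Kolmogorov-Smirnov statistic max|F_sample(x) - F_reference(x)|,
    comparing a flow's IATs against a baseline of known-good traffic."""
    s, r = sorted(sample), sorted(reference)
    return max(abs(bisect_right(s, x) / len(s) - bisect_right(r, x) / len(r))
               for x in set(s) | set(r))


def extract_features(timestamps, reference_iats):
    iats = inter_arrival_times(timestamps)
    return {
        "entropy": shannon_entropy(iats),
        "autocorr": lag_autocorrelation(iats),
        "regularity": regularity(iats),
        "ks": ks_statistic(iats, reference_iats),
    }


def classify(features):
    """Hand-set rule (assumption; stands in for a trained C4.5 decision tree)."""
    if features["entropy"] < 1.5 and features["ks"] > 0.3:
        return "covert"
    return "benign"


# --- constructed sample flows (not captured traffic) ---------------------
def benign_flow(seed, n=200):
    """Periodic traffic with Gaussian jitter around a 100 ms send interval."""
    rng = random.Random(seed)
    t, stamps = 0.0, [0.0]
    for _ in range(n):
        t += max(0.005, rng.gauss(0.1, 0.03))
        stamps.append(t)
    return stamps


def covert_flow(payload=b"covert", n=200, seed=7):
    """Binary timing channel (assumed encoding): bit 0 -> ~50 ms gap,
    bit 1 -> ~150 ms gap, 1 ms jitter; the payload repeats to fill n packets."""
    rng = random.Random(seed)
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    t, stamps = 0.0, [0.0]
    for k in range(n):
        t += (0.15 if bits[k % len(bits)] else 0.05) + rng.gauss(0, 0.001)
        stamps.append(t)
    return stamps


if __name__ == "__main__":
    baseline = inter_arrival_times(benign_flow(seed=1))
    for name, flow in (("benign", benign_flow(seed=2)), ("covert", covert_flow())):
        f = extract_features(flow, baseline)
        print(name, {k: round(v, 3) for k, v in f.items()}, "->", classify(f))
```

Two practical points this makes visible: the KS feature is only as good as the baseline it is compared against, so a per-application (or per-host) known-good IAT distribution is needed rather than one global reference, and every flow has to be buffered long enough to collect a few hundred IATs before any of these statistics mean anything, which is where the per-flow memory and CPU cost Mike mentions comes from.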