[Bro] Covert Channel Detection Framework in Bro (BroCCaDe)
dopheide at gmail.com
Fri Nov 17 11:01:51 PST 2017
There is a little prior work along these lines, see the second half of this
It's pretty resource intense. I don't speak for the development team, but
it kinda felt like the majority of the Bro community didn't think it was
that high of a priority. At least not for the University and un-classified
lab communities that I talk to. :) For Enterprise though, I could see
them potentially wanting to fund some additional work.
On Fri, Nov 17, 2017 at 5:28 AM, Hendra Gunadi <Hendra.Gunadi at murdoch.edu.au>
> Hi All,
> We are from Murdoch University in Perth, exploring the opportunity to integrate covert channel detection into an open source IDS. After looking/comparing around some IDS, we decided to work with Bro.
> Our framework is implemented as a collection of Plugins:
> 1. Plugin to do a feature extraction such as packets' inter-arrival time
> 2. Analysis plugin which implements some analysis methods, such as KS test, Entropy, CCE, Multi Modality, Autocorrelation, and Regularity analysis.
> 3. Classifier plugin to classify whether a flow contains covert communication or not. Currently the only classifier we implemented is the C4.5 decision tree classifier.
> 4. Training plugin to train a model for the C4.5 decision tree classifier.
> If you are interested, please have a look into our project's website and let us know what you think.
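As an added illustration of the feature-extraction and analysis steps listed in the quoted post (this is not code from the thread or from the BroCCaDe project), the Python below takes two constructed flows given as integer packet timestamps, extracts inter-arrival times, and runs three of the named analyses on them: Shannon entropy of the binned inter-arrival times, a simplified regularity score (coefficient of variation of per-window standard deviations, a simplification of the Cabuk et al. regularity metric), and the two-sample KS statistic against a reference flow. The timestamps, bin count, window size and function names are all assumptions made for the example.

```python
"""Flow-timing features for covert-channel screening (added example).

Two constructed flows are given as integer packet timestamps in
microseconds (hypothetical sample data, not real captures). The code
computes inter-arrival times (IATs) and three of the analyses the post
names: Shannon entropy of binned IATs, a simplified regularity score,
and the two-sample Kolmogorov-Smirnov (KS) statistic against a reference.
"""
import math
from typing import Dict, List, Sequence

# Constructed timestamps (microseconds). The first flow sends at a fixed
# period, the metronomic timing a crude timing channel can leave behind;
# the second has the irregular gaps of ordinary interactive traffic.
REGULAR_TS = [0, 100, 200, 300, 400, 500, 600, 700, 800]
NATURAL_TS = [0, 30, 180, 200, 450, 470, 900, 905, 1300]


def inter_arrival_times(timestamps: Sequence[int]) -> List[int]:
    """Feature extraction step: gap between consecutive packets."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def histogram(values: Sequence[float], n_bins: int) -> List[int]:
    """Equal-width bins over [min, max]; a constant sample gets one bin."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return [len(values)]
    width = (hi - lo) / n_bins
    counts = [0] * n_bins
    for v in values:
        idx = min(int((v - lo) / width), n_bins - 1)  # clamp the maximum into the last bin
        counts[idx] += 1
    return counts


def shannon_entropy(values: Sequence[float], n_bins: int = 8) -> float:
    """Entropy (bits) of the binned IAT distribution; 0.0 for a constant flow."""
    counts = histogram(values, n_bins)
    total = sum(counts)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def _pstdev(xs: Sequence[float]) -> float:
    """Population standard deviation."""
    mean = sum(xs) / len(xs)
    return math.sqrt(sum((x - mean) ** 2 for x in xs) / len(xs))


def regularity(iats: Sequence[float], window: int = 4) -> float:
    """Simplified regularity score: coefficient of variation of the per-window
    IAT standard deviations (a simplification of the Cabuk et al. metric).
    Values near 0 mean every window looks alike; a perfectly periodic flow
    (all windows have zero spread) is reported as 0.0 rather than dividing by zero."""
    sigmas = [_pstdev(iats[i:i + window])
              for i in range(0, len(iats) - window + 1, window)]
    if not sigmas:  # fewer IATs than one window: nothing to compare
        return 0.0
    mean_sigma = sum(sigmas) / len(sigmas)
    if mean_sigma == 0:
        return 0.0
    return _pstdev(sigmas) / mean_sigma


def ks_statistic(sample_a: Sequence[float], sample_b: Sequence[float]) -> float:
    """Two-sample KS statistic: largest gap between the two empirical CDFs."""
    points = sorted(set(sample_a) | set(sample_b))
    best = 0.0
    for x in points:
        fa = sum(1 for v in sample_a if v <= x) / len(sample_a)
        fb = sum(1 for v in sample_b if v <= x) / len(sample_b)
        best = max(best, abs(fa - fb))
    return best


def flow_features(timestamps: Sequence[int],
                  reference_ts: Sequence[int]) -> Dict[str, float]:
    """Feature vector a classifier (such as the post's C4.5 tree) could consume."""
    iats = inter_arrival_times(timestamps)
    return {
        "entropy": shannon_entropy(iats),
        "regularity": regularity(iats),
        "ks_vs_reference": ks_statistic(iats, inter_arrival_times(reference_ts)),
    }


if __name__ == "__main__":
    for name, ts in (("regular", REGULAR_TS), ("natural", NATURAL_TS)):
        print(name, flow_features(ts, NATURAL_TS))
```

Run as a script it prints one feature dictionary per flow; the periodic flow comes out with zero entropy and zero regularity spread and sits half an empirical CDF away from the natural reference, which is the kind of separation a trained classifier would key on. Real deployments need a reference distribution drawn from the same protocol and network, since the KS statistic only says two samples differ, not why.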