[Bro] Covert Channel Detection Framework in Bro (BroCCaDe)

[Mike Dopheide]

There is a little prior work along these lines, see the second half of this
talk:

https://www.youtube.com/watch?v=OycQ1aiNqEM

It's pretty resource intense.  I don't speak for the development team, but
it kinda felt like the majority of the Bro community didn't think it was
that high of a priority.  At least not for the University and un-classified
lab communities that I talk to.  :)  For Enterprise though, I could see
them potentially wanting to fund some additional work.

-Dop

On Fri, Nov 17, 2017 at 5:28 AM, Hendra Gunadi <Hendra.Gunadi at murdoch.edu.au
> wrote:

> Hi All,
>
>
> We are from Murdoch University in Perth, exploring the opportunity to
> integrate covert channel detection
>
> into an open source IDS. After looking/comparing around some IDS, we
> decided to work with Bro.
>
> Our framework is implemented as a collection of Plugins:
>
> 1. Plugin to do a feature extraction such as packets' inter-arrival time
>
> 2. Analysis plugin which implements some analysis methods, such as KS
> test, Entropy, CCE, Multi Modality,
>
>     Autocorrelation, and Regularity analysis.
>
> 3. Classifier plugin to classify whether a flow contains covert
> communication or not. Currently the only
>
>     classifier we implemented is C4.5 decision tree classifier.
>
> 4. Training plugin to train model for the C4.5 decision tree classifier.
>
>
> If you are interested, please have a look into our project's website and
> let us know what you think
>
> http://www.it.murdoch.edu.au/nsrg/cc_detection_ids/introduction.html
>
>
> Regards,
>
> Hendra
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20171117/e8c282e4/attachment.html