[Bro] Covert Channel Detection Framework in Bro (BroCCaDe)

Michael Shirk shirkdog.bsd at gmail.com
Fri Nov 17 11:30:24 PST 2017


This looks like a good candidate for a bro-pkg so users can test and
submit feedback :)

On Fri, Nov 17, 2017 at 2:01 PM, Mike Dopheide <dopheide at gmail.com> wrote:
> There is a little prior work along these lines, see the second half of this
> talk:
>
> https://www.youtube.com/watch?v=OycQ1aiNqEM
>
> It's pretty resource intensive.  I don't speak for the development team, but
> it kinda felt like the majority of the Bro community didn't think it was
> that high of a priority.  At least not for the University and un-classified
> lab communities that I talk to.  :)  For Enterprise though, I could see them
> potentially wanting to fund some additional work.
>
> -Dop
>
> On Fri, Nov 17, 2017 at 5:28 AM, Hendra Gunadi
> <Hendra.Gunadi at murdoch.edu.au> wrote:
>>
>> Hi All,
>>
>>
>> We are from Murdoch University in Perth, exploring the opportunity to
>> integrate covert channel detection into an open source IDS. After looking
>> at and comparing several IDSs, we decided to work with Bro.
>>
>> Our framework is implemented as a collection of plugins:
>>
>> 1. Plugin to do feature extraction, such as packets' inter-arrival time.
>> 2. Analysis plugin, which implements some analysis methods, such as the KS
>>    test, entropy, CCE, multi-modality, autocorrelation, and regularity
>>    analysis.
>> 3. Classifier plugin to classify whether a flow contains covert
>>    communication or not. Currently the only classifier we have implemented
>>    is the C4.5 decision tree classifier.
>> 4. Training plugin to train the model for the C4.5 decision tree classifier.
>>
>> If you are interested, please have a look at our project's website and
>> let us know what you think:
>>
>> http://www.it.murdoch.edu.au/nsrg/cc_detection_ids/introduction.html
>>
>>
>> Regards,
>>
>> Hendra
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



-- 
Michael Shirk
Daemon Security, Inc.
http://www.daemon-security.com
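Hendra's message above describes the pipeline his framework builds in Bro: extract per-flow inter-arrival times, compute analysis features (entropy, autocorrelation, regularity, ...) and hand the feature vector to a classifier. The Python below is an added illustration written for this thread, not BroCCaDe code nor anything posted by its authors: it computes three such features over two constructed flows (a jittered benign flow and a flow whose gaps encode payload bits as two fixed delays) so the separation a classifier would learn from is visible. The feature formulations (binned Shannon entropy, lag-1 autocorrelation, Cabuk-style windowed regularity) and the sample flows are my assumptions, not necessarily what the plugin implements.

```python
import itertools, math, random
from statistics import mean, pstdev

def inter_arrival_times(timestamps):
    """Feature extraction: gaps (seconds) between consecutive packet timestamps."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]

def binned_entropy(iats, bins=8):
    """Shannon entropy (bits) over equal-width bins; a few fixed delays fill few bins."""
    lo, hi = min(iats), max(iats)
    width = (hi - lo) / bins or 1.0  # all-equal IATs collapse into one bin
    counts = [0] * bins
    for v in iats:
        counts[min(int((v - lo) / width), bins - 1)] += 1
    n = len(iats)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def autocorrelation(iats, lag=1):
    """Lag-k autocorrelation of the IAT series (0.0 for a constant series)."""
    mu = mean(iats)
    var = sum((v - mu) ** 2 for v in iats)
    if var == 0:
        return 0.0
    return sum((iats[i] - mu) * (iats[i + lag] - mu) for i in range(len(iats) - lag)) / var

def regularity(iats, window=10):
    """Cabuk-style regularity: spread of relative differences between per-window std-devs (low = repetitive)."""
    sigmas = [pstdev(iats[i:i + window]) for i in range(0, len(iats) - window + 1, window)]
    diffs = [abs(sigmas[i] - sigmas[j]) / sigmas[j]
             for i in range(len(sigmas)) for j in range(i + 1, len(sigmas)) if sigmas[j]]
    return pstdev(diffs) if len(diffs) > 1 else 0.0

def extract_features(timestamps):
    """The per-flow feature vector a classifier (e.g. a C4.5 tree) would be trained on."""
    iats = inter_arrival_times(timestamps)
    return {"entropy": binned_entropy(iats), "autocorr": autocorrelation(iats),
            "regularity": regularity(iats)}

def benign_flow(n=200, seed=1):
    """Constructed sample (assumed, not captured traffic): uniformly jittered 10-200 ms gaps."""
    rng = random.Random(seed)
    return [0.0] + list(itertools.accumulate(rng.uniform(0.01, 0.20) for _ in range(n)))

def covert_flow(payload=b"covert", seed=1):
    """Constructed sample: each payload bit becomes a 50 ms (0) or 100 ms (1) gap plus 1 ms jitter."""
    rng = random.Random(seed)
    bits = [(byte >> k) & 1 for byte in payload for k in range(7, -1, -1)]
    gaps = ((0.10 if b else 0.05) + rng.uniform(-0.001, 0.001) for b in bits)
    return [0.0] + list(itertools.accumulate(gaps))
```

Running `extract_features` on both flows shows the covert flow's entropy capped at one bit (only two bins are ever used) while the jittered flow spreads across all eight; a trained classifier would split on exactly such differences.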

