[Bro] Covert Channel Detection Framework in Bro (BroCCaDe)

Hendra Gunadi Hendra.Gunadi at murdoch.edu.au
Sun Nov 19 18:41:24 PST 2017


Hi,


@Michael Shirk: That sounds like a good idea, thanks for letting us 
know. We'll work on it :)

@Dop: Thanks for the feedback. Yeah we saw this video and contacted Ross 
for some pointers on how he did it. But we were not really aware of the 
research outcome.


- Hendra


On 18/11/17 03:30, Michael Shirk wrote:
> This looks like a good candidate for a bro-pkg so users can test and
> submit feedback :)
>
> On Fri, Nov 17, 2017 at 2:01 PM, Mike Dopheide <dopheide at gmail.com> wrote:
>> There is a little prior work along these lines, see the second half of this
>> talk:
>>
>> https://www.youtube.com/watch?v=OycQ1aiNqEM
>>
>> It's pretty resource intensive.  I don't speak for the development team, but
>> it kinda felt like the majority of the Bro community didn't think it was
>> that high of a priority.  At least not for the University and un-classified
>> lab communities that I talk to.  :)  For Enterprise though, I could see them
>> potentially wanting to fund some additional work.
>>
>> -Dop
>>
>> On Fri, Nov 17, 2017 at 5:28 AM, Hendra Gunadi
>> <Hendra.Gunadi at murdoch.edu.au> wrote:
>>> Hi All,
>>>
>>>
>>> We are from Murdoch University in Perth, exploring the opportunity to
>>> integrate covert channel detection into an open source IDS. After
>>> looking/comparing around some IDS, we decided to work with Bro.
>>>
>>> Our framework is implemented as a collection of Plugins:
>>>
>>> 1. Plugin to do a feature extraction such as packets' inter-arrival time
>>>
>>> 2. Analysis plugin which implements some analysis methods, such as KS
>>> test, Entropy, CCE, Multi Modality, Autocorrelation, and Regularity
>>> analysis.
>>>
>>> 3. Classifier plugin to classify whether a flow contains covert
>>> communication or not. Currently the only classifier we implemented is
>>> C4.5 decision tree classifier.
>>>
>>> 4. Training plugin to train model for the C4.5 decision tree classifier.
>>>
>>>
>>> If you are interested, please have a look into our project's website and
>>> let us know what you think
>>>
>>> http://www.it.murdoch.edu.au/nsrg/cc_detection_ids/introduction.html
>>>
>>>
>>> Regards,
>>>
>>> Hendra
>>>
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>>
>
>
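The pipeline Hendra describes in the quoted post (feature extraction, analysis metrics, classifier) can be sketched end to end in a few dozen lines. What follows is an added example written for this page; it is not BroCCaDe's code and not a Bro plugin (the real framework is implemented as Bro plugins in Bro's own plugin API, which is not shown here). It extracts inter-arrival times from per-flow packet timestamps, computes three of the analysis metrics the post names (binned Shannon entropy, a two-sample Kolmogorov-Smirnov statistic against a benign reference flow, and the regularity metric of Cabuk et al.), and applies fixed thresholds that merely stand in for the C4.5 classifier. Both flows are constructed rather than captured: a seeded benign flow with exponentially distributed gaps, and a binary timing channel that encodes each bit as a 0.1 s or 0.2 s gap. The bin width, window size, jitter and thresholds are assumptions chosen for the demonstration.

```python
"""Added example (not BroCCaDe / Bro code): timing-channel features and analysis
metrics over two constructed flows. Thresholds in is_covert() are illustrative
stand-ins for a trained C4.5 model, not values from the project."""
import math
import random
from bisect import bisect_right
from statistics import pstdev
from typing import Dict, List, Sequence


def inter_arrival_times(timestamps: Sequence[float]) -> List[float]:
    """Feature extraction: gaps (seconds) between consecutive packets of one flow."""
    ts = sorted(timestamps)
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def binned_entropy(values: Sequence[float], bin_width: float) -> float:
    """Shannon entropy (bits) of the values quantised to the nearest bin centre.
    A binary timing channel concentrates its IATs in ~2 bins, i.e. about 1 bit."""
    counts: Dict[int, int] = {}
    for v in values:
        b = round(v / bin_width)
        counts[b] = counts.get(b, 0) + 1
    n = len(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def ks_statistic(sample: Sequence[float], reference: Sequence[float]) -> float:
    """Two-sample Kolmogorov-Smirnov D: largest gap between the empirical CDFs of
    the flow's IATs and a benign reference IAT sample."""
    s, r = sorted(sample), sorted(reference)
    d = 0.0
    for x in s + r:
        d = max(d, abs(bisect_right(s, x) / len(s) - bisect_right(r, x) / len(r)))
    return d


def regularity(iats: Sequence[float], window: int) -> float:
    """Regularity metric of Cabuk et al.: split the IATs into fixed windows, take
    each window's std-dev sigma_i, and return the std-dev of |sigma_i - sigma_j| /
    sigma_i over all pairs i < j. Machine-paced timing gives a small value."""
    sigmas = [pstdev(iats[i:i + window])
              for i in range(0, len(iats) - window + 1, window)]
    rel = [abs(si - sj) / si
           for i, si in enumerate(sigmas) for sj in sigmas[i + 1:] if si > 0]
    return pstdev(rel) if len(rel) > 1 else 0.0


def flow_features(timestamps: Sequence[float], reference_iats: Sequence[float],
                  bin_width: float = 0.05, window: int = 8) -> Dict[str, float]:
    """Analysis stage: one feature vector per flow (bin width / window assumed)."""
    iats = inter_arrival_times(timestamps)
    return {"entropy": binned_entropy(iats, bin_width),
            "ks": ks_statistic(iats, reference_iats),
            "regularity": regularity(iats, window)}


def is_covert(features: Dict[str, float]) -> bool:
    """Classifier stand-in: assumed thresholds, not a trained decision tree.
    Flag flows whose IATs are low-entropy, far from the reference, and regular."""
    return (features["entropy"] < 1.5 and features["ks"] > 0.3
            and features["regularity"] < 0.1)


# --- constructed sample flows (synthetic, not captured traffic) ----------------

def benign_flow(seed: int, n: int = 200, mean_gap: float = 0.15) -> List[float]:
    """Timestamps with exponentially distributed gaps (Poisson-like traffic)."""
    rng = random.Random(seed)
    t, out = 0.0, []
    for _ in range(n + 1):
        out.append(t)
        t += rng.expovariate(1.0 / mean_gap)
    return out


def timing_channel_flow(message: bytes, seed: int = 7,
                        jitter: float = 0.002) -> List[float]:
    """Binary timing channel: a 0.1 s gap encodes bit 0, 0.2 s encodes bit 1,
    plus a little uniform jitter standing in for network delay variation."""
    rng = random.Random(seed)
    bits = [(byte >> i) & 1 for byte in message for i in range(7, -1, -1)]
    t, out = 0.0, [0.0]
    for bit in bits:
        t += (0.2 if bit else 0.1) + rng.uniform(-jitter, jitter)
        out.append(t)
    return out


REFERENCE_IATS = inter_arrival_times(benign_flow(seed=1))
BENIGN = flow_features(benign_flow(seed=2), REFERENCE_IATS)
COVERT = flow_features(timing_channel_flow(b"secret"), REFERENCE_IATS)

if __name__ == "__main__":
    for name, feats in (("benign", BENIGN), ("covert", COVERT)):
        print(name, {k: round(v, 3) for k, v in feats.items()}, "->", is_covert(feats))
```

Running the block prints the three metrics for each flow: the timing channel lands near 1 bit of entropy, a KS distance around 0.5 from the benign reference, and a regularity score close to zero, while the benign flow sits well outside all three thresholds. The hand-set thresholds are the weak point and are exactly what a trained classifier (the post's C4.5 tree) replaces; they also show why Dop's "resource intense" remark applies, since every metric needs a per-flow buffer of IATs to be kept in memory before anything can be scored.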


