Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Toppling the Stack: Practical Outlier Detection...

David J. Bianco
April 28, 2017
Technology
2
510

Toppling the Stack: Practical Outlier Detection for Threat Hunters

[As presented at x33fcon 2017 (x33fcon.com)]

David J. Bianco

April 28, 2017
Tweet

More Decks by David J. Bianco

See All by David J. Bianco
Generative AI in Cybersecurity: Rise of the Machines?
davidjbianco
0
40
Trust Unearned? Evaluating CA Trustworthiness Across 5 Billion Certificates
davidjbianco
0
200
Five Lies & a Truth: Attacking the Defender's Dilemma
davidjbianco
0
67
Five Lies and a Truth: Attacking the Defender's Dilemma
davidjbianco
0
300
Developers: What Your Security Team Wishes You Knew (And It's Not Secure Coding!)
davidjbianco
0
130
Raising the Tide: Driving Improvement in Security by Being a Good Human
davidjbianco
0
41
Evolving the Hunt: A Case Study in Improving a Mature Hunt Program
davidjbianco
0
970
Quality Over Quantity: Determining Your CTI Detection Efficacy
davidjbianco
1
390
Quality over Quantity: Determining Your CTI Detection Efficacy
davidjbianco
0
280

Other Decks in Technology

See All in Technology
AI時代のデータセンターネットワーク
lycorptech_jp
PRO
1
280
日本版とグローバル版のモバイルアプリ統合の開発の裏側と今後の展望
miichan
1
120
生成AIのガバナンスの全体像と現実解
fnifni
1
180
ゼロから創る横断SREチーム 挑戦と進化の軌跡
rvirus0817
2
260
なぜCodeceptJSを選んだか
goataka
0
160
株式会社ログラス − エンジニア向け会社説明資料 / Loglass Comapany Deck for Engineer
loglass2019
3
31k
watsonx.ai Dojo #5 ファインチューニングとInstructLAB
oniak3ibm
PRO
0
160
NW-JAWS #14 re:Invent 2024(予選落ち含)で 発表された推しアップデートについて
nagisa53
0
250
KubeCon NA 2024 Recap / Running WebAssembly (Wasm) Workloads Side-by-Side with Container Workloads
z63d
1
240
PHPからGoへのマイグレーション for DMMアフィリエイト
yabakokobayashi
1
160
CustomCopを使ってMongoidのコーディングルールを整えてみた
jinoketani
0
220
サイボウズフロントエンドエキスパートチームについて / FrontendExpert Team
cybozuinsideout
PRO
5
38k

Featured

See All Featured
Rails Girls Zürich Keynote
gr2m
94
13k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
2
170
Why You Should Never Use an ORM
jnunemaker
PRO
54
9.1k
Intergalactic Javascript Robots from Outer Space
tanoku
270
27k
Optimising Largest Contentful Paint
csswizardry
33
3k
Building an army of robots
kneath
302
44k
Designing on Purpose - Digital PM Summit 2013
jponch
116
7k
VelocityConf: Rendering Performance Case Studies
addyosmani
326
24k
A designer walks into a library…
pauljervisheath
204
24k
GraphQLの誤解/rethinking-graphql
sonatard
67
10k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
33
1.9k
The Cost Of JavaScript in 2023
addyosmani
45
7k

Transcript

  1. None

  2. “ ” THE BLUE TEAM EDITION

  3. “ ” THE RED TEAM EDITION

  4. ... okay, but because you said that, we’re breaking up.

    https://xkcd.com/539
  5. None

  6. Least-Commonly Accessed Files Dataset: CERT/CC Insider Threat Dataset, http://www.cert.org/insider-threat/tools/

  7. SQL SELECT cs_user_agent, count(*) as cnt FROM proxy WHERE […]

    GROUP BY cs_user_agent ORDER BY cnt ASC LIMIT 100 Splunk index=proxy method=POST status=200 | stats count by cs_user_agent | sort +count | head 100 Python # Using the ‘pandas’ module and DataFrames print proxy_df.value_counts(by=“cs_user_agent”, sort=True, ascending=True).head(100)

  8. • • • • • • • “I’ve never seen

    this service on any of my 100,000+ systems before. That’s pretty suspicious.”

  9. http://skepdic.com/graphics/elvistoast.jpg

  10. None

  11. import plotly.offline as pyo trace = go.Scattergl( x=points_x, y=points_y, mode='markers'

    ) data = [trace] pyo.iplot(dict(data=data)) Basic scatter plot: <= 6 LOC

  12. • • • • • • “Most users don’t change

    upload habits often, so benign activity should fall close to the ‘no change’ trend line.”
  13. None

  14. import plotly.offline as pyo data = [ go.Box( y=shells["command_line_length"], boxpoints='all’

    ) ] layout = go.Layout( title="Command Line Lengths for Shell Processes" ) pyo.iplot(dict(data=data, layout=layout)) Basic box plot: <= 7 LOC

  15. • • • • • “I have no idea what’s

    normal for this column of numbers, let alone whether there are any outliers.”

  16. You have to be careful doing this. Sometimes, when you

    push the whisker down, dynamite explodes. https://xkcd.com/1798

  17. A form of unsupervised machine learning. Iteratively split dataset on

    random dimensions and their values until you can’t split anymore. This is a “tree”. Do this several times to grow the tree into a “forest”. Average depth across all trees for each point reflects “outlierness”. http://cs.nju.edu.cn/zhouzh/zhouzh.files/publication/icdm08b.pdf

  18. https://github.com/DavidJBianco/Clearcut

  19. • • • • • “Which of these HTTP log

    entries are most unlike the others?”

  20. When it comes to outlier detection, you’ve got options. Don’t

    be afraid to play around a bit and see what works best for you!

  21. “ ”