Visualizing Automatically Detected Periodic Network Activity

Malware frequently leaves periodic signals in network logs, but these signals are easily drowned out by non-malicious periodic network activity, such as software updates and other polling activity. This paper describes a novel algorithm based on Discrete Fourier Transforms capable of detecting multi...

Ausführliche Beschreibung

Gespeichert in:
Bibliographische Detailangaben
Veröffentlicht in:IEEE Symposium on Visualization for Cyber Security (VIZSEC) (Online) S. 1 - 8
Hauptverfasser: Gove, Robert, Deason, Lauren
Format: Tagungsbericht
Sprache:Englisch
Veröffentlicht: IEEE 01.10.2018
Schlagworte:
Data visualization
Discrete Fourier transforms
Human-centered computing-Visualization-Visualization application domains-Information visualization
Human-centered computing-Visualization-Visualization design and evaluation methods
Malware
Microsoft Windows
Security and privacy-Intrusion/anomaly detection and malware mitigation-Malware and its mitigation
Time series analysis
Time-frequency analysis
ISSN:2639-4332
Online-Zugang:Volltext
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
Beschreibung
Zusammenfassung:Malware frequently leaves periodic signals in network logs, but these signals are easily drowned out by non-malicious periodic network activity, such as software updates and other polling activity. This paper describes a novel algorithm based on Discrete Fourier Transforms capable of detecting multiple distinct period lengths in a given time series. We pair the output of this algorithm with aggregation summary tables that give users information scent about which detections are worth investigating based on the metadata of the log events rather than the periodic signal. A visualization of selected detections enables users to see all detected period lengths per entity, and compare detections between entities to check for coordinated activity. We evaluate our approach on real-world netflow and DNS data from a large organization, demonstrating how to successfully find malicious periodic activity in a large pool of noise and non-malicious periodic activity.
ISSN:2639-4332
DOI:10.1109/VIZSEC.2018.8709177