Visualizing Automatically Detected Periodic Network Activity

Malware frequently leaves periodic signals in network logs, but these signals are easily drowned out by non-malicious periodic network activity, such as software updates and other polling activity. This paper describes a novel algorithm based on Discrete Fourier Transforms capable of detecting multi...

Celý popis

Uloženo v:
Podrobná bibliografie
Vydáno v:IEEE Symposium on Visualization for Cyber Security (VIZSEC) (Online) s. 1 - 8
Hlavní autoři: Gove, Robert, Deason, Lauren
Médium: Konferenční příspěvek
Jazyk:angličtina
Vydáno: IEEE 01.10.2018
Témata:
Data visualization
Discrete Fourier transforms
Human-centered computing-Visualization-Visualization application domains-Information visualization
Human-centered computing-Visualization-Visualization design and evaluation methods
Malware
Microsoft Windows
Security and privacy-Intrusion/anomaly detection and malware mitigation-Malware and its mitigation
Time series analysis
Time-frequency analysis
ISSN:2639-4332
On-line přístup:Získat plný text
Tagy: Přidat tag
Žádné tagy, Buďte první, kdo vytvoří štítek k tomuto záznamu!
Popis
Shrnutí:Malware frequently leaves periodic signals in network logs, but these signals are easily drowned out by non-malicious periodic network activity, such as software updates and other polling activity. This paper describes a novel algorithm based on Discrete Fourier Transforms capable of detecting multiple distinct period lengths in a given time series. We pair the output of this algorithm with aggregation summary tables that give users information scent about which detections are worth investigating based on the metadata of the log events rather than the periodic signal. A visualization of selected detections enables users to see all detected period lengths per entity, and compare detections between entities to check for coordinated activity. We evaluate our approach on real-world netflow and DNS data from a large organization, demonstrating how to successfully find malicious periodic activity in a large pool of noise and non-malicious periodic activity.
ISSN:2639-4332
DOI:10.1109/VIZSEC.2018.8709177