Emily Gray
Two Six Technologies,
Chae Clark
Two Six Technologies,
and
Robert Gove
Two Six Technologies
Automatic Cyber Attack Campaign Detection Using Network Traffic Data (pdf)
Threat detectors, ZEEK/BRO logs, incident reports, and the like identify and describe single events. Cyber attacks as a whole comprise many such events, and a fuller and more detailed understanding of an attack can be achieved when looking at multiple relevant, but not necessarily obviously connected, pieces of data at the same time. The motivation for this project is to model and detect these related pieces of data.
This work attempts campaign detection via determining whether pairs of logs are from the same attack. The primary mechanism is pair-wise comparison, but in aggregate this can be used to identify multiple data points as being from the same cyber event. Since cyber log data can come in many different formats, we employ a vectorization procedure to enable the use of multiple heterogeneous log types in the same dataset. Detecting campaigns, and presenting the findings to cyber analysts, can improve the quality and speed of their analysis.