Detecting compromised hosts in networks is an important cyber security challenge. Investing in defenses at the perimeter of the network is key to preventing compromises within it. However, hosts are still compromised at an alarming rate through security breaches and insider threats. It is becoming impossible for network security analysts to keep up with the barrage of data and detect compromises manually. Automating the detection of compromises and providing decision support play a key role in optimizing the analyst's workflow. Various statistical modeling techniques have been proposed to assist analysts in detecting compromised hosts by examining their behavior on the network at the flow level. However, most of this research lacks real datasets that reflect modern attacks, which prevents its use in real-world scenarios; the literature tends to rely on benchmark datasets that are simulated and outdated.
In this presentation, we discuss the generation of a new dataset based on recent, real network data from global research and education networks, fused with actual threat lists and contextual information. This augmented dataset provides ground truth for training supervised statistical models. We describe the development of a statistical model based on deep neural networks. Using these cutting-edge modeling techniques, we were able to detect compromised hosts in a network using the InSight2 platform with high accuracy and a low false positive rate. Compared to existing statistical models, our model is readily deployable in a wide range of networks, since it has been developed using real-world data. We present case studies based on its deployments at academic institutions and explore its impact in real-world applications from both academic and industrial viewpoints. These case studies use several visualization techniques to show the initial detection, the exploration of the source of the attack, command and control centers, and the lateral movement of cyber security threats. This process generates further data that can be used to improve the accuracy of the model as the analyst documents and categorizes the threat after investigation.
Attendees Will Learn:
- Latest developments in statistical modeling used for threat detection
- How deep learning can be used for better accuracy
- Complementing and improving the analyst workflow