This event has ended. Visit the official site or create your own event on Sched.
Back To Schedule
Tuesday, January 12 • 11:30am - 12:00pm
InSightNG: A System for Improving the Analyst Workflow Using Behavior Based Host Detection

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
This presentation describes a scalable distributed system to identify hosts based on behavior rather than addresses. When hunting for particular threats or looking for anomalies in general, finding all the resources that could be a part of a malicious behavior can be challenging. Finding as many network flows as possible that tie with the threat can be very time consuming and prone to error depending on the sophistication of the attack. Even when an initial set of addresses has been discovered to be connected to a given threat, it can be difficult to track them across time since addresses can easily be spoofed. Tracking behavior can be more useful than tracking addresses since attack behavior is harder to modify than addresses, checksums, or email wording. We generate evolving statistical models per host, attribute all addresses seen from that host and automatically cluster hosts based on their statistical distance. The analyst can query the system with an address seen at a given timestamp to traceback the threat to its origin in time and location (geolocation or local subnet), other addresses it used, other hosts it may have potentially compromised and C2 IP addresses it communicated with etc. since all flow data is tied to a unique identifier rather than an IP or MAC address. Having a knowledge system that builds and keeps track of statistical models per-host in real-time not only can automate time-consuming parts of the analyst workflow, improve accuracy, reduce missed events and discover secondary threats but also proactively detect anomalies, improve damage assessment and find compromised devices in the network. Furthermore, with adequate amount of training data the system can be trained to proactively look for threats of known signatures and anomalies in real-time. This information can not only be used for threat hunting and anomaly detection but also assess risk to an enterprise to improve threat and risk modeling.

Attendees Will Learn:
​​​​The attendees will learn new developments in tracking host behavior. We will discuss the development of network and statistical models to create per-host models that will be used to uniquely identify hosts when their addresses are spoofed. We present the design decisions for the models and how they can be used to improve the analyst workflow in novel ways.

avatar for Angel Kodituwakku

Angel Kodituwakku

PhD candidate Computer Engineering, concentrating in Cybersecurity, The University of Tennessee, Knoxville
Angel Kodituwakku is currently a PhD candidate in Computer Engineering with a concentration in Cybersecurity at the University of Tennessee, Knoxville. He served as a Research Associate for two years on a National Science Foundation funded project. He received his MS in Computer Engineering... Read More →
avatar for Eboni Thamavong

Eboni Thamavong

Lead Associate - Commercial Cyber Team, Booz Allen Hamilton
Eboni Thamavong has worn many hats throughout her career and is at the forefront of transformation in cybersecurity operations, analysis, and strategy. She is known for identifying areas for development and growth to move organizations forward. Ms. Thamavong is known for her insights... Read More →

Tuesday January 12, 2021 11:30am - 12:00pm EST