Kevin Bowers - RSA
Nov 12, 2014
Download: MP4 Video
Watch in your Browser
Watch on YouTube
"You can hack, but you can't hide: Using log analysis to detect APTs"
In my talk I will be describing new techniques developed at RSA Labs to analyze massive log data commonly collected by large enterprises to detect and identify suspicious activity. Unlike common signature-based detection mechanisms used today, our approach leverages behavior patterns that persist across different infection vectors, and is thus more resilient to attacker evasion. Moreover, our techniques are unique in their ability to detect stealthy campaigns in which only a single host sporadically communicates with malicious sites controlled by attackers. Through effective data reduction and algorithms inspired from the graph-theoretic belief propagation model we identify the most suspicious domains contacted by hosts in an organization in different stages of an APT campaign (e.g., initial delivery, infection, command-and-control, etc.).
We demonstrate the effectiveness of our techniques against two datasets. The first, a public dataset made available by Los Alamos National Laboratory includes the simulations of APT campaigns overlaid on their DNS traffic. We successfully detect 94% of the campaigns with only a 1% false positive rate. We then apply the techniques to 38TB of web proxy logs collected by a large enterprise to discover hundreds of malicious domains that had bypassed other installed security tools.
About the Speaker
Kevin Bowers is a Senior Research Scientist and Manager of RSA Laboratories, the security research group at RSA, the Security Division of EMC. He holds a B.S. in Electrical, Computer and Systems Engineering and Computer Science, and a B.S. in Mathematics, both from Rensselaer Polytechnic Institute, as well as an M.S. in Computer Science from Carnegie Mellon University. Kevin has been with RSA Labs since 2007 and his current research is focused on user authentication, breach resilience, and data science for security applications.
Kevin’s publication history covers many diverse topics including numerous cryptographic protocols for remote verification of integrity and resilience, time stamping, secure chain-of-custody, as well as advanced authentication techniques and steganography.
Unless otherwise noted, the security seminar is held on Wednesdays at 4:30P.M.
STEW G52 (Suite 050B), West Lafayette Campus. More information...