Latest COVID-19 Information for Purdue University

The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)

Kevin Bowers - RSA

Students: Spring 2022, unless noted otherwise, sessions will be virtual on Zoom.

You can hack, but you can't hide: Using log analysis to detect APTs

Nov 12, 2014

Download: Video Icon MP4 Video Size: 98.4MB  
Watch on Youtube Watch on YouTube


In my talk I will be describing new techniques developed at RSA Labs to analyze massive log data commonly collected by large enterprises to detect and identify suspicious activity. Unlike common signature-based detection mechanisms used today, our approach leverages behavior patterns that persist across different infection vectors, and is thus more resilient to attacker evasion. Moreover, our techniques are unique in their ability to detect stealthy campaigns in which only a single host sporadically communicates with malicious sites controlled by attackers. Through effective data reduction and algorithms inspired from the graph-theoretic belief propagation model we identify the most suspicious domains contacted by hosts in an organization in different stages of an APT campaign (e.g., initial delivery, infection, command-and-control, etc.).

We demonstrate the effectiveness of our techniques against two datasets. The first, a public dataset made available by Los Alamos National Laboratory includes the simulations of APT campaigns overlaid on their DNS traffic. We successfully detect 94% of the campaigns with only a 1% false positive rate. We then apply the techniques to 38TB of web proxy logs collected by a large enterprise to discover hundreds of malicious domains that had bypassed other installed security tools.

About the Speaker

Kevin Bowers
Kevin Bowers is a Senior Research Scientist and Manager of RSA Laboratories, the security research group at RSA, the Security Division of EMC. He holds a B.S. in Electrical, Computer and Systems Engineering and Computer Science, and a B.S. in Mathematics, both from Rensselaer Polytechnic Institute, as well as an M.S. in Computer Science from Carnegie Mellon University. Kevin has been with RSA Labs since 2007 and his current research is focused on user authentication, breach resilience, and data science for security applications.

Kevin’s publication history covers many diverse topics including numerous cryptographic protocols for remote verification of integrity and resilience, time stamping, secure chain-of-custody, as well as advanced authentication techniques and steganography.

Ways to Watch


Watch Now!

Over 500 videos of our weekly seminar and symposia keynotes are available on our YouTube Channel. Also check out Spaf's YouTube Channel. Subscribe today!