Embed Size (px)
Citation preview
ManaTI Web Assistance for the Threat Analyst,
supported by Domain Similarity
RAÚL BENÍTEZ [email protected]
Czech Technical University in Prague
SEBASTIÁN GARCÍA
@eldracote
https://github.com/stratosphereips/Manati
Stratosphere Projecta free software Intrusion Prevention System
Free protection for NGOs.
Stratosphere Data Analysis Project
https://stratosphereips.org/
Security and MachineLearning
@stratosphereips@StratosphereIPS
What and why?
ManaTI is a web-based system toanalyze, store and organize weblogs
faster in a threat analysis team.
ManaTI assists threat analysis team tomake their work faster and more
effective
ManaTI Purpose
Raúl Benítez NettoMaster Student in CTU
Member of Stratosphere Project
Web/App developer focus cyber-
security environment
Photographer aficionado
@Piuliss
Sebastian GarcíaFounder of Stratosphere Project
Creator of Stratosphere IPS
Researcher on cybersecurity using
Machine Learning
@eldracote
Basic knowledge
Weblogs
WHOIS information
IoCs (Indicators of Compromise)
The art of understanding thetraces of the malware in thenetwork logs.
Analysis ofMalwareBehavior inthe Network
Records ofconnections thatmalware perform toconnect with theirC&C
MalwareTraces
Threat Analyst work
Openweblogs
filtering andsearching
Consult DB ofReputationsindicators
Identifyingpatterns
IdentifyMalware
IncidentReport
Labels IoCs
Tools used byThreat Analysts
Logs Viewer
Log ParserApache Log ViewerLogExpert
Terminal/Console
VIM/VIWC (Word Count)AWKGREP
Big Data analysis
splunk.com
Problems inThreat Analysis
Huge amount of Data Labeling Data
Repetitive tasks Much Knowledgelost over time
It is difficult and tiresome
ManaTI principles
https://github.com/stratosphereips/Manati
Fast!
Provide Assistance
Storage Work in teams
GUI - Web
Machine LearningAlgorithm
API - Class Interface
ManaTI Workflow
ManaTI basic featuresand usability
Analysis Sessions andMulti-users
BasicInterface
GUI to vizualise weblogs files.Basic table to paginate, filterand search weblog data
Demo Basic Dynamic Table
WeblogsLabelling
It is the basic and more importantaction for a malware behavioranalyst. Detect malicious IoCs
Demo - Weblog labeling
Exporting Dynamic Table
Comments
History of changes
Third-partyintelligencetools
The threat analysts often use severalexternal services to know about theIoCs
Statistics andMetrics
See in real time theperfomance progress of theuser
ExternalModulesManaTI allows analysts tocreate their own scriptsand modules to increasethe number of labels orweblogs analyzed in aperiod of time
Sync with Database -Merging Labels
Weblog Merging Labels
WHOIS SimilarityDistance Algorithm
How similar are twodomains ?
WHOIS fields Domain A Domain B Distance
registrar’s name MARKMONITOR INC. MARKMONITOR IN 0.0
contact’s name. DNS Admin DomainAdministrator
13.0
org.’s name Google Inc. Facebook, Inc. 8.0
contacts emails [email protected]
[[email protected]] 11.0
zip code 94043 94025 2.0
domain’s name google.com facebook.com 8.0
duration in days 8401 10229 0.82
servers’ name [ns1.google.com,...] [a.ns.facebook.com...]
11.0
WHOIS Similarity DistanceAlgorithm
https://github.com/stratosphereips/whois-similarity-distance
How to determine is twodomains are related?
Machine Learning ?
WHOIS Similarity DistanceAlgorithm
ManaTIContributions
All-in-one with Web interface
A scalable and extensible backend server
A novel WHOIS distance measure
Verification of performance improvements
Future of ManaTIImproving WHOIS Similarity Distance
IOCs labeling
Import/Export labelled IOCs
Integration with Stratosphere IPS
Add more types of files
Malware Detection
Active learning
Community Ideas
Conclusion
ManaTI : is a novel tool to facilitate the work
is high functional scalable
user-friendly
can increase the weblogs labelling speed x3.4
OpenSource !
Thank you!
RAÚL BENÍTEZ NETTO
SEBASTIÁN GARCÍA
@Piuliss
@eldracote
ManaTI Project
https://github.com/stratosphereips/Manati
