Ignacio Arnaldo
Detecting network beaconing with machine learning and Zeek logs

We will introduce a robust approach to detect network beaconing across DNS, SSL, and HTTP using Zeek logs. We will start by analyzing patterns exhibited by C2 frameworks such as Meterpreter, Empire, Sliver, or Caldera. The wide range of observed behaviors will motivate a machine learning approach that consists of (a) generating synthetic data that accounts for different beaconing frequencies, jitter, and latencies, and (b) training a Convolutional Neural Network that analyzes the intervals between activities. Finally, we will showcase real-world detections and equip the audience with all the tools needed to apply the approach to their data.

Date & Time
Wednesday, May 1, 2024, 3:30 PM - 4:00 PM
Theater 4