SuriCon 2017 - Hunting BotNets: Suricata Advanced Security Analytics
By Anthony G. Tellez · 1 min read
Tags: Machine Learning, Security, Suricata, Botnet, Conference
Splunk has enabled big data on the security practitioner's desktop, but the security knowledge worker is not a data scientist by training. SOC engineers need easy-to-implement machine learning tools.
This presentation explores existing machine learning toolkits available in the Splunk platform and how they can be applied to botnet hunting and advanced threat detection.
Key Topics
Botnet Detection
Using machine learning to identify botnet activity:
- Command and control communication patterns
- Periodic beaconing detection
- Unusual traffic patterns
- Behavioral analysis
Data Exfiltration
Detecting data theft through statistical analysis:
- Volume anomalies
- Destination analysis
- Protocol anomalies
- Time-based patterns
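The two detections named above that lend themselves most directly to simple statistics are periodic beaconing (Botnet Detection) and per-host volume anomalies (Data Exfiltration). The Python below is an added example, not code from the talk or from Splunk's ML toolkit: it parses constructed Suricata EVE JSON flow records, scores each (source, destination, port) tuple by the coefficient of variation of the gaps between its flows, and compares each host's upload volume against a constructed per-host baseline. Host addresses, timestamps, byte counts, baseline values and the thresholds (five flows, CV 0.2, three standard deviations) are all assumptions chosen for the demonstration.

```python
import json
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed Suricata EVE "flow" events (no real traffic). Field names follow
# the EVE flow schema: src_ip, dest_ip, dest_port, flow.start, flow.bytes_toserver.
def _flow_event(ts, src, dst, port, bytes_toserver):
    return json.dumps({
        "timestamp": ts, "event_type": "flow", "proto": "TCP",
        "src_ip": src, "dest_ip": dst, "dest_port": port,
        "flow": {"start": ts, "bytes_toserver": bytes_toserver,
                 "bytes_toclient": 1200},
    })

def _ts(hhmmss):
    return "2017-11-15T%s.000000+0000" % hhmmss

SAMPLE_EVE_LINES = [
    # 10.0.0.5 -> 203.0.113.10:443 roughly every 60 s (beacon-like, small jitter)
    *[_flow_event(_ts(t), "10.0.0.5", "203.0.113.10", 443, 500)
      for t in ("10:00:00", "10:01:01", "10:02:00", "10:02:59", "10:04:01", "10:05:00")],
    # 10.0.0.7 -> 198.51.100.5:80 at irregular (human-like) intervals
    *[_flow_event(_ts(t), "10.0.0.7", "198.51.100.5", 80, 4000)
      for t in ("10:00:05", "10:00:10", "10:02:20", "10:02:40", "10:07:40", "10:08:25")],
    # 10.0.0.9: two ordinary flows and one very large upload
    _flow_event(_ts("10:03:00"), "10.0.0.9", "198.51.100.5", 80, 800),
    _flow_event(_ts("10:03:30"), "10.0.0.9", "198.51.100.5", 80, 1200),
    _flow_event(_ts("10:04:00"), "10.0.0.9", "198.51.100.20", 443, 250_000_000),
    # a non-flow record the parser must ignore
    json.dumps({"timestamp": _ts("10:04:05"), "event_type": "dns", "src_ip": "10.0.0.9"}),
]

# Constructed per-host baseline: bytes_toserver totals for five earlier days.
BASELINE_DAILY_BYTES = {
    "10.0.0.5": [3100, 2900, 3000, 3200, 2800],
    "10.0.0.7": [20000, 30000, 25000, 22000, 28000],
    "10.0.0.9": [5000, 6000, 4500, 5500, 5000],
}

def parse_eve_flows(lines):
    """Return flow events as (start_time, src_ip, dest_ip, dest_port, bytes_toserver)."""
    flows = []
    for line in lines:
        try:
            evt = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or malformed lines rather than abort the hunt
        if evt.get("event_type") != "flow":
            continue
        start = datetime.strptime(evt["flow"]["start"], "%Y-%m-%dT%H:%M:%S.%f%z")
        flows.append((start, evt["src_ip"], evt["dest_ip"], evt["dest_port"],
                      evt["flow"].get("bytes_toserver", 0)))
    return flows

def detect_beacons(flows, min_flows=5, max_cv=0.2):
    """Flag (src, dst, port) tuples whose flow start times are near-periodic.

    Periodicity is scored as the coefficient of variation (stdev / mean) of the
    gaps between consecutive flows: automated check-ins have a small CV, human
    browsing a large one. min_flows keeps one-off pairs from producing noise.
    """
    by_pair = defaultdict(list)
    for start, src, dst, port, _ in flows:
        by_pair[(src, dst, port)].append(start)
    hits = {}
    for pair, starts in by_pair.items():
        if len(starts) < min_flows:
            continue
        starts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue  # identical timestamps; nothing periodic to measure
        cv = statistics.stdev(gaps) / mean_gap
        if cv <= max_cv:
            hits[pair] = {"flows": len(starts), "mean_interval_s": round(mean_gap, 1),
                          "cv": round(cv, 3)}
    return hits

def detect_volume_anomalies(flows, baseline, k=3.0):
    """Flag hosts whose bytes_toserver total exceeds mean + k*stdev of their own baseline."""
    today = defaultdict(int)
    for _, src, _, _, to_server in flows:
        today[src] += to_server
    hits = {}
    for src, total in today.items():
        history = baseline.get(src)
        if not history or len(history) < 2:
            continue  # no usable baseline yet; a production pipeline learns one first
        mean = statistics.mean(history)
        spread = max(statistics.stdev(history), 1.0)  # avoid a zero-width threshold
        threshold = mean + k * spread
        if total > threshold:
            hits[src] = {"bytes_toserver": total, "threshold": round(threshold),
                         "sigma": round((total - mean) / spread, 1)}
    return hits

if __name__ == "__main__":
    flows = parse_eve_flows(SAMPLE_EVE_LINES)
    print("beacon candidates:", detect_beacons(flows))
    print("volume anomalies:", detect_volume_anomalies(flows, BASELINE_DAILY_BYTES))
```

On the sample data only the 10.0.0.5 → 203.0.113.10:443 pair is reported as a beacon candidate (six flows, mean gap 60 s, CV about 0.02), while the irregular browsing host is not, and only 10.0.0.9 trips the volume check. The same two scores map naturally onto a scheduled search over Suricata flow events: group by the tuple, compute the interval statistics, and compare today's per-host totals with a stored baseline, which is where the false-positive tuning discussed later in the talk comes in.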
Port/Traffic Analysis
Network security analytics:
- Port scanning detection
- Traffic volume analysis
- Protocol distribution
- Connection pattern analysis
Advanced Threat Detection
Machine learning for sophisticated threats:
- Zero-day detection
- Polymorphic malware
- APT activity identification
- Behavioral baselines
Operationalizing ML
Making machine learning work in production SOC environments:
- Model training workflows
- False positive management
- Integration with SIEM
- Analyst collaboration
Presentation Materials
Presented at SuriCon 2017