This presentation will look at detection of SQL injection
using Machine Learning as well as profiling web traffic to find
misbehaving hosts. The goal is to get beyond "Top N" types of analysis and begin using multiple features to guide us towards interesting traffic. With these techniques multiple log types can be used, everything from web server logs to proxy logs.
1. Identifying Web Attacks Via Data Analysis
2. Mike Sconzo
@sooshie
R&D at Click Security
Focused on data analysis for security use cases
Interested in machine learning/statistical analysis
NetWitness
ERCOT
Sandia National Labs
3. ● Introduction
● How to use basic log information to detect different attack types
○ Drive-by
○ SQL Injection
● Closing
5. ● Gather data
● Clean up data
● Explore data
● Select/create features (numeric only)*
● Run machine learning algorithm*
● Analyze results
*optional
7. Is it possible to find clients being exploited by various exploit kits by just looking at traffic patterns?
● Gather data
● Clean up data
● Explore data
● Analyze results
23. Is it possible to use supervised learning (classification) to detect strings that are likely SQL Injection?
● Gather data
● Explore data
● Clean up data
● Transform data
● Select/create features (numeric only)
● Run machine learning algorithm
● Analyze results
30. *Transform the data into a form that might give better insight than a signature
32. ● Strings are great, but patterns might be better
● Extract patterns from the strings
● N-Grams!!!
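As an added example (not part of the talk, and not the speaker's code) of the n-gram transformation and supervised classification described in slides 23, 30 and 32, the following Python turns request parameter values into character trigram counts and trains a small Naive Bayes classifier on constructed, labelled sample strings; the training set, the class names and the decision threshold are assumptions made for the example.

```python
import math
from collections import Counter

# Constructed, textbook training strings (not from the talk or any real log),
# labelled the way a defender would label values pulled from web/proxy logs.
TRAINING = [
    ("alice", "benign"), ("blue shoes", "benign"), ("page=2", "benign"),
    ("john.doe@example.com", "benign"), ("2024-01-15", "benign"),
    ("hello world", "benign"), ("product id 42", "benign"), ("san francisco", "benign"),
    ("1' OR '1'='1", "sqli"), ("admin'--", "sqli"), ("' OR 1=1--", "sqli"),
    ("1; DROP TABLE users--", "sqli"), ("x' OR 'a'='a", "sqli"),
    ("1 UNION SELECT username, password FROM users", "sqli"),
    ("' UNION SELECT NULL, NULL--", "sqli"), ("1' AND SLEEP(5)--", "sqli"),
]

def ngrams(text, n=3):
    # Lowercase, then pad so leading/trailing quotes and comment markers get their own grams
    padded = "^" + text.lower() + "$"
    return [padded[i:i + n] for i in range(len(padded) - n + 1)]

class NgramNB:
    """Multinomial Naive Bayes over character n-gram counts with Laplace smoothing."""
    def __init__(self, n=3, alpha=1.0):
        self.n, self.alpha = n, alpha
        self.grams = {}         # label -> Counter of n-gram occurrences
        self.docs = Counter()   # label -> number of training strings
        self.vocab = set()

    def fit(self, samples):
        for text, label in samples:
            gs = ngrams(text, self.n)
            self.grams.setdefault(label, Counter()).update(gs)
            self.docs[label] += 1
            self.vocab.update(gs)
        return self

    def log_odds(self, text):
        # log P(sqli | text) - log P(benign | text); unseen grams fall back to alpha
        score = {}
        for label, counts in self.grams.items():
            denom = sum(counts.values()) + self.alpha * len(self.vocab)
            lp = math.log(self.docs[label] / sum(self.docs.values()))
            for g in ngrams(text, self.n):
                lp += math.log((counts[g] + self.alpha) / denom)
            score[label] = lp
        return score["sqli"] - score["benign"]

MODEL = NgramNB().fit(TRAINING)

def classify(value, threshold=0.0):
    # Raise the threshold to trade recall for precision when triaging a large log
    return "sqli" if MODEL.log_odds(value) > threshold else "benign"
```

Because the features are patterns rather than exact strings, values that were never in the training set (different casing, extra spaces, a different table name) still score on the trigrams they share with known injection attempts, which is the point of slide 30.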
45. ● It’s possible to make quality decisions/find interesting activity using data
● The more data you have the more accurate your predictions can be
● Gathering (the right) data for the use case is important
● Cleaning the data takes a lot of effort, but it’s necessary
● Unfortunately none of this is a silver bullet, but it can help point you in the right direction(s)
● None of this is magic, you can do it too!