SpySpot is a project in cooperation between the security group and the visualization group at the Department of Computer Science and Mathematics of the Eindhoven University of Technology, funded by NWO/Cyber Security. The participating partners are SecurityMatters, SynerScope, TNO, and the Dutch Ministry of the Interior.
The project addresses the problem of advanced persistent threats (APTs). APTs such as data exfiltration attacks are both dangerous and difficult to detect. These targeted and stealthy attacks, which use specifically developed malware, circumvent classical detection systems based on signatures or on statistical anomalies in network traffic. Only by looking in detail at the actual content of the communication is it possible to detect them. A method is thus needed to analyse the huge amount of data involved in an effective way.
SpySpot proposes a solution which combines deep packet analysis with visualization of the analysis results, enabling an end user to easily spot anomalies created by APTs such as digital espionage. In the deep packet analysis the meaning of the communication is recovered using protocol syntax and semantics, abstraction brings additional structure to this meaning, and anomaly detection finds patterns that deviate from the norm. While automated analysis is needed to manage the huge amount of data, no automatic method can match the ability of the human mind in recognizing deviations and evaluating them. The analysis will thus support visualization of its results for human-based evaluation and be able to take into account feedback on the discovered anomalies, such as discarding harmless ones in future traffic. These attacks avoid classical detection systems by using specifically developed malware, and can only be spotted by looking at the content of the communication in detail.
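The three stages described above (recovering fields from the protocol syntax, abstracting them into coarser categories, flagging combinations never seen in the baseline) and the analyst feedback loop that discards a harmless anomaly from future traffic can be sketched in a few lines. The following is an added illustration, not SpySpot's own code; the log format, the abstraction categories and the sample traffic are all constructed here.

```python
from collections import Counter

def parse(line):
    # Syntax: recover fields from a constructed request log line of the form
    # "METHOD PATH host=... bytes=... hour=..."
    method, path, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"method": method, "path": path, "host": fields["host"],
            "bytes": int(fields["bytes"]), "hour": int(fields["hour"])}

def abstract(msg):
    # Semantics/abstraction: map concrete values to coarse categories so that
    # the norm is learned over patterns rather than individual packets
    size = "small" if msg["bytes"] < 10_000 else "large"
    when = "office" if 8 <= msg["hour"] < 18 else "offhours"
    dest = "internal" if msg["host"].endswith(".internal") else "external"
    return (msg["method"], size, dest, when)

class ContentProfile:
    """Norm learned from baseline traffic plus analyst feedback."""
    def __init__(self):
        self.seen = Counter()      # abstract pattern -> count in baseline
        self.harmless = set()      # patterns an analyst has discarded

    def learn(self, lines):
        for line in lines:
            self.seen[abstract(parse(line))] += 1

    def anomalies(self, lines):
        # A message is anomalous if its abstract pattern never occurred in the
        # baseline and has not been marked harmless by the analyst
        return [(line, key) for line in lines
                if (key := abstract(parse(line))) not in self.seen
                and key not in self.harmless]

    def mark_harmless(self, key):
        # Feedback step: suppress this pattern in future traffic
        self.harmless.add(key)

# Constructed sample traffic: a quiet baseline, then a nightly backup and a
# large off-hours upload to an external host
BASELINE = ["GET /index.html host=www.example.internal bytes=1200 hour=9",
            "GET /report.pdf host=www.example.internal bytes=8000 hour=14",
            "POST /api/sync host=api.example.internal bytes=3000 hour=11",
            "GET /news host=news.example.com bytes=2500 hour=12"]
NEW = ["GET /index.html host=www.example.internal bytes=900 hour=10",
       "POST /backup host=backup.example.internal bytes=60000 hour=2",
       "POST /upload host=drop.example.com bytes=52000 hour=3"]
```

After learning the baseline, both off-hours transfers are flagged; once the analyst marks the internal backup pattern harmless, only the external upload remains for the visualization to highlight.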
Sandro Etalle (project leader), Jack van Wijk, Jerry den Hartog (contact person), Ömer Yüksel, Bram Cappers