Funded by NWO/Cyber Security
Contact: J.I. den Hartog
Cyber-attacks have grown in number and sophistication, achieving unprecedented success in reaching their targets. Advanced Persistent Threats (APTs), such as data exfiltration attacks, are both dangerous and difficult to detect. These targeted and stealthy attacks use purpose-built malware that circumvents classical detection systems based on signatures or on statistical anomalies in network traffic. Detecting such attacks requires looking in detail at the actual content of the communication, so a method is needed to analyse the huge amount of data involved in an effective way.

SpySpot proposes a solution that combines deep packet analysis with visualization of the analysis results, enabling an end user to easily spot anomalies created by APTs such as digital espionage. In the deep packet analysis, the meaning of the communication is recovered using protocol syntax and semantics; abstraction brings additional structure to this meaning; and anomaly detection finds patterns that deviate from the norm.

While automated analysis is needed to manage the huge amount of data, no automatic method can match the ability of the human mind to recognize deviations and evaluate them. The analysis will therefore support visualization of its results for human-based evaluation, and will take analyst feedback on the discovered anomalies into account, for example by discarding anomalies marked as harmless in future traffic.
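The three stages described above (recovering meaning from protocol syntax, abstracting it into coarser classes, and flagging deviations from a baseline) plus the analyst feedback loop can be illustrated with a small pipeline. The code below is an added example written for this page; it is not SpySpot's own implementation and makes no claim about the protocols, abstractions or detectors the project uses. It assumes a simplified HTTP/1.x request format, a hand-picked set of abstraction dimensions (destination domain, method, path template, content type, body size bucket, body entropy bucket), a novelty-based detector, and an in-memory allowlist as the feedback mechanism. All traffic samples are constructed inline; the last one models an exfiltration attempt (a large, high-entropy body POSTed to a host the baseline has never seen). Visualization is left out.

```python
import math
import re
from collections import Counter

# --- 1. syntax and semantics: recover the meaning of each message -------------

def parse_http_request(raw: str) -> dict:
    """Minimal HTTP/1.x request parser: request line, headers, body (assumed format)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}

def shannon_entropy(data: str) -> float:
    """Bits per character of the body; compressed or encrypted payloads score high."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

# --- 2. abstraction: replace concrete values by coarse classes ----------------

FIELDS = ("domain", "method", "path", "content_type", "size", "entropy")

def abstract(msg: dict) -> tuple:
    host = msg["headers"].get("host", "?")
    domain = ".".join(host.split(".")[-2:])                 # registrable-domain approximation
    path = re.sub(r"/\d+", "/<n>", msg["target"].split("?", 1)[0])  # numeric ids -> <n>
    ctype = msg["headers"].get("content-type", "none").split(";")[0]
    size = len(msg["body"])
    size_bucket = "empty" if size == 0 else f"<=2^{size.bit_length()}"
    entropy_bucket = "high" if shannon_entropy(msg["body"]) > 5.0 else "low"
    return (domain, msg["method"], path, ctype, size_bucket, entropy_bucket)

# --- 3. anomaly detection with analyst feedback -------------------------------

class Detector:
    def __init__(self, baseline_raw):
        # The norm: every abstract pattern observed in the (assumed clean) baseline.
        self.norm = Counter(abstract(parse_http_request(r)) for r in baseline_raw)
        # Values seen per dimension, so an alert can say *which* part deviates.
        self.seen = [{p[i] for p in self.norm} for i in range(len(FIELDS))]
        self.benign = set()   # analyst feedback: patterns marked harmless

    def analyse(self, raw: str):
        pattern = abstract(parse_http_request(raw))
        if pattern in self.benign:
            return None
        reasons = [f"{FIELDS[i]}={pattern[i]!r} never seen in baseline"
                   for i in range(len(FIELDS)) if pattern[i] not in self.seen[i]]
        if not reasons and pattern not in self.norm:
            reasons.append("combination of known values never seen in baseline")
        return {"pattern": pattern, "reasons": reasons} if reasons else None

    def mark_benign(self, pattern: tuple) -> None:
        """Analyst feedback: suppress this abstract pattern in future traffic."""
        self.benign.add(pattern)

# --- constructed sample traffic (not real captures) ---------------------------

BASELINE = [
    "GET /index.html HTTP/1.1\r\nHost: intranet.example.org\r\n\r\n",
    "GET /news/2024/03/12 HTTP/1.1\r\nHost: intranet.example.org\r\n\r\n",
    "GET /news/2024/03/13 HTTP/1.1\r\nHost: intranet.example.org\r\n\r\n",
    "POST /api/login HTTP/1.1\r\nHost: intranet.example.org\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=alice&pass=secret",
    "POST /api/search HTTP/1.1\r\nHost: docs.example.org\r\n"
    "Content-Type: application/json\r\n\r\n{\"query\": \"quarterly report\"}",
]
NORMAL = "GET /news/2024/04/01 HTTP/1.1\r\nHost: intranet.example.org\r\n\r\n"
NEW_STATUS = "GET /status HTTP/1.1\r\nHost: monitoring.example.org\r\n\r\n"
# Deterministic stand-in for an encrypted blob: cycles through 90 printable characters.
EXFIL_BLOB = "".join(chr(33 + (i * 7919) % 90) for i in range(400))
EXFIL = ("POST /upload HTTP/1.1\r\nHost: cdn-sync.example.net\r\n"
         "Content-Type: application/octet-stream\r\n\r\n" + EXFIL_BLOB)

def run_demo():
    """Analyse three messages, feed back that the status probe is harmless, re-analyse."""
    det = Detector(BASELINE)
    first = [det.analyse(r) for r in (NORMAL, NEW_STATUS, EXFIL)]
    det.mark_benign(first[1]["pattern"])
    second = [det.analyse(r) for r in (NORMAL, NEW_STATUS, EXFIL)]
    return first, second

if __name__ == "__main__":
    for label, alerts in zip(("before feedback", "after feedback"), run_demo()):
        print(label)
        for alert in alerts:
            print("  ", alert["reasons"] if alert else "ok")
```

Each alert names the abstraction dimension that deviates, which is the information a human reviewer needs to judge it; the exfiltration sample is reported on several dimensions at once (unknown destination domain, unseen content type, unusually large and high-entropy body), while the harmless status probe deviates on path only and disappears from subsequent output once marked benign.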