{"id":2536,"date":"2021-11-10T18:59:13","date_gmt":"2021-11-10T17:59:13","guid":{"rendered":"https:\/\/dev.littlebigcode.fr\/cas-client\/detection-de-beaconing\/"},"modified":"2021-11-17T10:20:15","modified_gmt":"2021-11-17T09:20:15","slug":"detection-beaconing","status":"publish","type":"cas-client","link":"https:\/\/dev.littlebigcode.fr\/en\/cas-client\/detection-beaconing\/","title":{"rendered":"Detection of beaconing"},"content":{"rendered":"<style>\nh3 {color : #1CACE4}<\/style>\n<h3><strong>Context and problem<\/strong><\/h3>\n<p>As part of the security team&#8217;s work, the client needs a tool to help detect &#8220;beaconing&#8221; cases: traffic sent at regular intervals from the victim&#8217;s network to infrastructure controlled by the adversary. Such traffic can be a sign of a malware infection or of a compromised host performing data exfiltration.<\/p>\n<h3><strong>Goals<\/strong><\/h3>\n<p>The goal of the project is to create a machine-learning beaconing detection system capable of processing huge amounts of data.<br \/>\nThis system will suggest potential beaconing domains for the experts to check.<\/p>\n<h3><strong>Our intervention<\/strong><\/h3>\n<p>2 Data Scientists<\/p>\n<ul>\n<li>Extraction of data from proxy logs, then scanning and cleaning it to build the required features.<\/li>\n<li>The computed features are of two types: daily aggregations by client\/host\/date, and aggregations by host over a given period, which serve as a history.<\/li>\n<li>These features serve as training data for several anomaly detection models.<\/li>\n<li>Modelization<\/li>\n<li>Implementation of an assessment system that simulates the real use case.<\/li>\n<\/ul>\n<h3><strong>Results<\/strong><\/h3>\n<p>Based on the available data, the system obtains promising performance, but the number of false positives remains rather high. 
To let a team of experts manage alerts in a reasonable amount of time, this point will need to be improved.<br \/>\nWe are currently digging deeper into feature engineering, with the help of security experts, to improve performance.<\/p>\n<h3><strong>Technical environment<\/strong><\/h3>\n<p>Python, Jupyter Hub<br \/>\nSpark (PySpark), H2O (PySparkling) for modelization<br \/>\nGit\/GitHub<br \/>\nScrum<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Context and problematic As part of the work of the security team, the client needs a tool to help in detecting these &#8220;beaconing&#8221; cases. This traffic at regular intervals is sent by the victim&#8217;s network to an infrastructure controlled by the adversary. The latter could be a sign of a malware virus or a compromised [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":1623,"comment_status":"closed","ping_status":"open","template":"","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":""},"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v19.7.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Detection of beaconing | LittleBigCode.fr<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/dev.littlebigcode.fr\/en\/cas-client\/detection-beaconing\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Detection of beaconing | LittleBigCode.fr\" \/>\n<meta property=\"og:description\" content=\"Context and problematic As part of the work of the security team, the client needs a tool to help in detecting these &#8220;beaconing&#8221; cases. This traffic at regular intervals is sent by the victim&#8217;s network to an infrastructure controlled by the adversary. 
The latter could be a sign of a malware virus or a compromised [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/dev.littlebigcode.fr\/en\/cas-client\/detection-beaconing\/\" \/>\n<meta property=\"og:site_name\" content=\"LittleBigCode.fr\" \/>\n<meta property=\"article:modified_time\" content=\"2021-11-17T09:20:15+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/dev.littlebigcode.fr\/wp-content\/uploads\/2021\/06\/cas1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"450\" \/>\n\t<meta property=\"og:image:height\" content=\"704\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/dev.littlebigcode.fr\/en\/cas-client\/detection-beaconing\/\",\"url\":\"https:\/\/dev.littlebigcode.fr\/en\/cas-client\/detection-beaconing\/\",\"name\":\"Detection of beaconing | LittleBigCode.fr\",\"isPartOf\":{\"@id\":\"https:\/\/dev.littlebigcode.fr\/#website\"},\"datePublished\":\"2021-11-10T17:59:13+00:00\",\"dateModified\":\"2021-11-17T09:20:15+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/dev.littlebigcode.fr\/en\/cas-client\/detection-beaconing\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/dev.littlebigcode.fr\/en\/cas-client\/detection-beaconing\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/dev.littlebigcode.fr\/en\/cas-client\/detection-beaconing\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/dev.littlebigcode.fr\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Detection of 
beaconing\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/dev.littlebigcode.fr\/#website\",\"url\":\"https:\/\/dev.littlebigcode.fr\/\",\"name\":\"LittleBigCode.fr\",\"description\":\"AI Solution Creator\",\"publisher\":{\"@id\":\"https:\/\/dev.littlebigcode.fr\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/dev.littlebigcode.fr\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/dev.littlebigcode.fr\/#organization\",\"name\":\"LittleBigCode\",\"url\":\"https:\/\/dev.littlebigcode.fr\/\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/littlebigcode\/\",\"https:\/\/www.youtube.com\/channel\/UCTEax-7nR6n2zzgL4bz3fWQ\",\"https:\/\/medium.com\/hub-by-littlebigcode\"],\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/dev.littlebigcode.fr\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/dev.littlebigcode.fr\/wp-content\/uploads\/2021\/08\/Logo-LBC-AISC-format-carre\u0301.png\",\"contentUrl\":\"https:\/\/dev.littlebigcode.fr\/wp-content\/uploads\/2021\/08\/Logo-LBC-AISC-format-carre\u0301.png\",\"width\":768,\"height\":768,\"caption\":\"LittleBigCode\"},\"image\":{\"@id\":\"https:\/\/dev.littlebigcode.fr\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Detection of beaconing | LittleBigCode.fr","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/dev.littlebigcode.fr\/en\/cas-client\/detection-beaconing\/","og_locale":"en_US","og_type":"article","og_title":"Detection of beaconing | LittleBigCode.fr","og_description":"Context and problematic As part of the work of the security team, the client needs a tool to help in detecting these &#8220;beaconing&#8221; cases. 
This traffic at regular intervals is sent by the victim&#8217;s network to an infrastructure controlled by the adversary. The latter could be a sign of a malware virus or a compromised [&hellip;]","og_url":"https:\/\/dev.littlebigcode.fr\/en\/cas-client\/detection-beaconing\/","og_site_name":"LittleBigCode.fr","article_modified_time":"2021-11-17T09:20:15+00:00","og_image":[{"width":450,"height":704,"url":"https:\/\/dev.littlebigcode.fr\/wp-content\/uploads\/2021\/06\/cas1.png","type":"image\/png"}],"twitter_card":"summary_large_image","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/dev.littlebigcode.fr\/en\/cas-client\/detection-beaconing\/","url":"https:\/\/dev.littlebigcode.fr\/en\/cas-client\/detection-beaconing\/","name":"Detection of beaconing | LittleBigCode.fr","isPartOf":{"@id":"https:\/\/dev.littlebigcode.fr\/#website"},"datePublished":"2021-11-10T17:59:13+00:00","dateModified":"2021-11-17T09:20:15+00:00","breadcrumb":{"@id":"https:\/\/dev.littlebigcode.fr\/en\/cas-client\/detection-beaconing\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/dev.littlebigcode.fr\/en\/cas-client\/detection-beaconing\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/dev.littlebigcode.fr\/en\/cas-client\/detection-beaconing\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/dev.littlebigcode.fr\/en\/"},{"@type":"ListItem","position":2,"name":"Detection of beaconing"}]},{"@type":"WebSite","@id":"https:\/\/dev.littlebigcode.fr\/#website","url":"https:\/\/dev.littlebigcode.fr\/","name":"LittleBigCode.fr","description":"AI Solution Creator","publisher":{"@id":"https:\/\/dev.littlebigcode.fr\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/dev.littlebigcode.fr\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/dev.littlebigcode.fr\/#organization","name":"LittleBigCode","url":"https:\/\/dev.littlebigcode.fr\/","sameAs":["https:\/\/www.linkedin.com\/company\/littlebigcode\/","https:\/\/www.youtube.com\/channel\/UCTEax-7nR6n2zzgL4bz3fWQ","https:\/\/medium.com\/hub-by-littlebigcode"],"logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/dev.littlebigcode.fr\/#\/schema\/logo\/image\/","url":"https:\/\/dev.littlebigcode.fr\/wp-content\/uploads\/2021\/08\/Logo-LBC-AISC-format-carre\u0301.png","contentUrl":"https:\/\/dev.littlebigcode.fr\/wp-content\/uploads\/2021\/08\/Logo-LBC-AISC-format-carre\u0301.png","width":768,"height":768,"caption":"LittleBigCode"},"image":{"@id":"https:\/\/dev.littlebigcode.fr\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/dev.littlebigcode.fr\/en\/wp-json\/wp\/v2\/cas-client\/2536"}],"collection":[{"href":"https:\/\/dev.littlebigcode.fr\/en\/wp-json\/wp\/v2\/cas-client"}],"about":[{"href":"https:\/\/dev.littlebigcode.fr\/en\/wp-json\/wp\/v2\/types\/cas-client"}],"author":[{"embeddable":true,"href":"https:\/\/dev.littlebigcode.fr\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/dev.littlebigcode.fr\/en\/wp-json\/wp\/v2\/comments?post=2536"}],"version-history":[{"count":0,"href":"https:\/\/dev.littlebigcode.fr\/en\/wp-json\/wp\/v2\/cas-client\/2536\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dev.littlebigcode.fr\/en\/wp-json\/wp\/v2\/media\/1623"}],"wp:attachment":[{"href":"https:\/\/dev.littlebigcode.fr\/en\/wp-json\/wp\/v2\/media?parent=2536"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}