Materials for ARCYBER's workshop at ThinkCyber 2018.
- Run the `start` script, which will start a Docker container hosting a Jupyter notebook server and mount the `jupyter/` and `data/` directories. Navigate to the URL printed to stdout at the end of the script to access your Jupyter notebook.
- Prototype analytics! The sample data and notebooks we have provided are used for an exercise to prototype a DNS tunnel detection analytic.
- If you would like to interact with the Docker container via the command line, you can run the `shell` script.
- To stop and remove the Docker container, run the `stop` script.
As responsible cybersecurity professionals, we must not only understand the mechanics of network penetration: we should also be able to detect and mitigate adversarial tactics. While traditional indicators of compromise are valuable, they can often be too situationally specific to provide adequate defense in depth. In this demonstration, we describe an event-driven, mathematically motivated approach to network security monitoring. We will walk through the process of creating a simple mathematical model to detect anomalous traffic and discuss challenges related to analysis at scale.
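The following is an added example of the kind of "simple mathematical model" the paragraph above describes; it is not code from the workshop notebooks or repository. It assumes a benign window of DNS query logs is available to fit a baseline, uses constructed log lines in a made-up `<epoch> <client> <qname>` format, approximates the registered domain as the last two labels (a real analytic would consult the Public Suffix List), and uses `exfil.example` (a reserved example name) as the constructed tunnel domain. The feature is the Shannon entropy per character of the leftmost label multiplied by its length, an estimate of how many bits of payload the label could carry; domains whose queries sit far above the benign Gaussian baseline are flagged.

```python
"""Toy DNS tunnel detection analytic (added example, not the workshop's code).

A DNS tunnel has to encode its payload in query names, so the leftmost label of
a tunnelled query carries far more information than the short, dictionary-like
hostnames of ordinary traffic. We fit a Gaussian baseline of a "payload bits"
feature on a benign window, then flag registered domains whose observed queries
score far above it.
"""
import math
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample log lines (not real traffic). Format: "<epoch> <client> <qname>"
BENIGN_WINDOW = """\
1526390000 10.0.0.5 www.example.com
1526390001 10.0.0.5 mail.example.com
1526390002 10.0.0.7 cdn.example.com
1526390003 10.0.0.5 www.example.org
1526390004 10.0.0.7 en.example.org
"""

# Constructed observation window containing a made-up tunnel under exfil.example
OBSERVED_WINDOW = """\
1526390100 10.0.0.5 www.example.com
1526390101 10.0.0.7 cdn.example.com
1526390102 10.0.0.9 3a7f9c2e1b4d.exfil.example
1526390103 10.0.0.9 8e0d4b6a1c2f.exfil.example
1526390104 10.0.0.9 f1e2d3c4b5a6.exfil.example
1526390105 10.0.0.5 en.example.org
"""

Z_THRESHOLD = 3.0  # flag a domain when its mean feature z-score exceeds this


def parse_log(text):
    """Yield (epoch, client, qname) tuples from the whitespace-separated log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        epoch, client, qname = line.split()
        yield int(epoch), client, qname.lower().rstrip(".")


def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for the empty string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_qname(qname):
    """Split a query name into (leftmost label, registered domain).

    Assumption: the registered domain is the last two labels. Names with fewer
    than three labels have no hostname part.
    """
    labels = qname.split(".")
    if len(labels) < 3:
        return "", qname
    return labels[0], ".".join(labels[-2:])


def payload_bits(label):
    """Estimated information a label can carry: entropy per char * length."""
    return shannon_entropy(label) * len(label)


def fit_baseline(log_text):
    """Gaussian baseline (mu, sigma) of payload_bits over a benign window."""
    values = [payload_bits(split_qname(q)[0]) for _, _, q in parse_log(log_text)]
    sigma = pstdev(values)
    return mean(values), (sigma if sigma > 0 else 1.0)  # guard against a flat window


def score_domains(log_text, baseline):
    """Per registered domain: query count, distinct hostnames, mean z-score."""
    mu, sigma = baseline
    per_domain = defaultdict(lambda: {"queries": 0, "hosts": set(), "z": []})
    for _, _, qname in parse_log(log_text):
        host, domain = split_qname(qname)
        stats = per_domain[domain]
        stats["queries"] += 1
        stats["hosts"].add(host)
        stats["z"].append((payload_bits(host) - mu) / sigma)
    return {
        d: {"queries": s["queries"],
            "unique_hosts": len(s["hosts"]),
            "mean_z": mean(s["z"])}
        for d, s in per_domain.items()
    }


def detect_tunnels(log_text, baseline, threshold=Z_THRESHOLD):
    """Return the registered domains whose mean z-score exceeds the threshold."""
    scored = score_domains(log_text, baseline)
    return sorted(d for d, s in scored.items() if s["mean_z"] > threshold)


if __name__ == "__main__":
    baseline = fit_baseline(BENIGN_WINDOW)
    for domain, s in score_domains(OBSERVED_WINDOW, baseline).items():
        print(f"{domain:<16} queries={s['queries']} "
              f"unique_hosts={s['unique_hosts']} mean_z={s['mean_z']:.2f}")
    print("flagged:", detect_tunnels(OBSERVED_WINDOW, baseline))
```

The point of the baseline is the one the paragraph makes about indicators of compromise: nothing here keys on a specific domain or encoding, so the same model scores any domain whose labels carry unusually many bits. The weaknesses a practitioner would want to test for in the notebook are the flip side: a tunnel that pads its labels with low-entropy dictionary words, or that spreads traffic across many registered domains, will pull its per-domain mean z-score back toward the baseline.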
Works created by U.S. Federal employees as part of their jobs typically are not eligible for copyright in the United States. In places where the contributions of U.S. Federal employees are not eligible for copyright, this work is in the public domain. In places where it is eligible for copyright, such as some foreign jurisdictions, this work is licensed as described in LICENSE.md.
Disclaimer: The views presented are those of the author and do not necessarily represent the views of the Department of Defense or its components.