1. The Center for Cyber Defenders
Expanding Computer Security Knowledge
Results:
Network Analysis Tool
An interactive user interface implements and displays the results from:
• Parser – creates input for the machine learning algorithms by extracting features from the Ethernet, IP, and TCP/UDP headers of pcaps
• Analysis Scripts – perform frequency analysis on the Parser output to create visual representations
Classifiers
Machine learning techniques such as Naïve Bayes and k-Nearest Neighbor were used to create classifiers that automate detection of anomalous network traffic.
Sandia National Laboratories is a multi-program laboratory managed and operated by Sandia Corporation,
a wholly owned subsidiary of Lockheed Martin Corporation, for the U.S. Department of Energy’s National
Nuclear Security Administration under contract DE-AC04-94AL85000. SAND2013-XXXXC.
Greg Anders, Texas A&M; Kesha Hietala, University of Minnesota; Joseph Malone, University of Dallas; Srinidhi Raghavan, University of Pennsylvania; Elizabeth Walkup, University of Tulsa
Questions
Project Mentors: Eric Hokanson, 5636; Jon Blount, 5628
Problem Statement:
Current detection of the protocol carried by Internet traffic relies on port numbers, which are unreliable because they can be easily changed. We aim to develop a port-agnostic system that automatically identifies the protocol in use and flags suspicious Internet traffic within a specific protocol.
Objectives and Approach:
• Capture and analyze network packets (pcaps) to establish a baseline of ‘normal’ traffic
• Analyze known malware pcaps to find how they vary from ‘normal’
• Develop machine learning techniques to automatically detect abnormal traffic
• Extract traffic session features to be used with machine learning
• Use existing machine learning tools such as Weka and Scikit-learn to verify results
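The Parser, Analysis Scripts and Classifiers described under Results, and the feature-extraction and machine-learning objectives above, fit together in the following added example. It is illustration written for this page, not the CCD team's tool: the packets are constructed in-line with struct.pack instead of being read from a real pcap, the header parser and frequency histogram stand in for the Parser and Analysis Scripts, and a hand-written k-Nearest Neighbor classifier (k=3, Euclidean distance) stands in for the Weka/Scikit-learn models. The feature vector deliberately leaves out port numbers, so the class prediction is port agnostic in the sense the Problem Statement calls for; class labels "http-like" and "dns-like" and all field values are assumptions.

```python
"""Header feature extraction plus a k-NN classifier (added example, not CCD code).

Packets are constructed with struct.pack (no real pcap involved) and the
feature set excludes src/dst ports so the classifier cannot lean on them.
"""
import math
import struct
from collections import Counter

ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800


def build_packet(proto, ttl, payload, flags=0x18):
    """Constructed Ethernet+IPv4+TCP(6)/UDP(17) frame used as test input."""
    if proto == 6:  # TCP: ports, seq, ack, data offset (5 words), flags, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, flags, 8192, 0, 0)
    else:           # UDP: ports, length, checksum
        l4 = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, ttl, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # constructed addresses
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4 + payload


def parse_packet(raw):
    """Parser step: pull Ethernet/IP/TCP-UDP header fields from one frame."""
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = raw[ETH_LEN:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    ttl, proto = ip[8], ip[9]
    l4 = ip[ihl:total_len]                        # transport header + payload
    if proto == 6:
        data_off = (l4[12] >> 4) * 4              # TCP header length
        flags, payload_len = l4[13], len(l4) - data_off
    elif proto == 17:
        flags, payload_len = 0, len(l4) - 8       # UDP header is fixed 8 bytes
    else:
        return None
    return {"proto": proto, "ttl": ttl, "total_len": total_len,
            "flags": flags, "payload_len": payload_len}


def feature_vector(fields):
    """Port-agnostic numeric features handed to the classifier."""
    return [fields["proto"], fields["ttl"], fields["total_len"],
            fields["payload_len"], fields["flags"]]


def frequency_analysis(packet_fields, key):
    """Analysis-script step: histogram of one header field across packets."""
    return Counter(f[key] for f in packet_fields)


def knn_classify(train, vector, k=3):
    """Majority vote among the k training vectors closest to `vector`."""
    ranked = sorted((math.dist(v, vector), label) for v, label in train)
    votes = Counter(label for _, label in ranked[:k])
    return votes.most_common(1)[0][0]


# Constructed 'baseline' traffic: TCP with sizeable payloads vs. small UDP datagrams.
TRAIN_PACKETS = [(build_packet(6, 64, b"G" * n), "http-like") for n in (300, 450, 600)]
TRAIN_PACKETS += [(build_packet(17, 64, b"D" * n), "dns-like") for n in (30, 45, 60)]
TRAIN = [(feature_vector(parse_packet(raw)), label) for raw, label in TRAIN_PACKETS]


def classify_raw(raw):
    """End-to-end: parse -> features -> k-NN label."""
    return knn_classify(TRAIN, feature_vector(parse_packet(raw)))


if __name__ == "__main__":
    hist = frequency_analysis([parse_packet(r) for r, _ in TRAIN_PACKETS], "proto")
    print("protocol histogram:", dict(hist))
    print(classify_raw(build_packet(6, 64, b"x" * 500)))   # http-like
    print(classify_raw(build_packet(17, 64, b"x" * 40)))   # dns-like
```

The same skeleton works on real captures once `build_packet` is replaced by frames read from a pcap; the point of keeping ports out of `feature_vector` is that a flow moved to a non-standard port still lands near its protocol's cluster on length, TTL and flag features.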
Impact and Benefits:
The developed tool will be a lightweight Python program to automate port-agnostic protocol and malware detection.