A practical guide to building secure composable SaaS solutions with Sitecore in the cloud. Learn the methodology, process, and get the blueprints for building secure exterprise applications with Sitecore XM Cloud in Azure Cloud.
FIWARE Wednesday Webinars - How to Debug IoT AgentsFIWARE
How to Debug IoT Agents Webinar - 17th April 2019
Corresponding webinar recording: https://youtu.be/FRqJsywi9e8
Chapter: IoT Agents
Difficulty: 3
Audience: Any Technical
Presenter: Jason Fox (Senior Technical Evangelist, FIWARE Foundation)
How to debug IoT Agents - investigating what goes wrong and how to fix it.
Kernel Recipes 2015: Kernel packet capture technologiesAnne Nicolas
Sniffing through the ages
Capturing packets running on the wire to send them to a software doing analysis seems at first sight a simple tasks. But one has not to forget that with current network this can means capturing 30M packets per second. The objective of this talk is to show what methods and techniques have been implemented in Linux and how they have evolved over time.
The talk will cover AF_PACKET capture as well as PF_RING, dpdk and netmap. It will try to show how the various evolution of hardware and software have had an impact on the design of these technologies. Regarding software a special focus will be made on Suricata IDS which is implementing most of these capture methods.
Eric Leblond, Stamus Networks
A practical guide to building secure composable SaaS solutions with Sitecore in the cloud. Learn the methodology, process, and get the blueprints for building secure exterprise applications with Sitecore XM Cloud in Azure Cloud.
FIWARE Wednesday Webinars - How to Debug IoT AgentsFIWARE
How to Debug IoT Agents Webinar - 17th April 2019
Corresponding webinar recording: https://youtu.be/FRqJsywi9e8
Chapter: IoT Agents
Difficulty: 3
Audience: Any Technical
Presenter: Jason Fox (Senior Technical Evangelist, FIWARE Foundation)
How to debug IoT Agents - investigating what goes wrong and how to fix it.
Kernel Recipes 2015: Kernel packet capture technologiesAnne Nicolas
Sniffing through the ages
Capturing packets running on the wire to send them to a software doing analysis seems at first sight a simple tasks. But one has not to forget that with current network this can means capturing 30M packets per second. The objective of this talk is to show what methods and techniques have been implemented in Linux and how they have evolved over time.
The talk will cover AF_PACKET capture as well as PF_RING, dpdk and netmap. It will try to show how the various evolution of hardware and software have had an impact on the design of these technologies. Regarding software a special focus will be made on Suricata IDS which is implementing most of these capture methods.
Eric Leblond, Stamus Networks
Blackhat USA 2016 - What's the DFIRence for ICS?Chris Sistrunk
Digital Forensics and Incident Response (DFIR) for IT systems has been around quite a while, but what about Industrial Control Systems (ICS)? This talk will explore the basics of DFIR for embedded devices used in critical infrastructure such as Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and controllers. If these are compromised or even have a misoperation, we will show what files, firmware, memory dumps, physical conditions, and other data can be analyzed in embedded systems to determine the root cause.
This talk will show examples of what and how to collect forensics data from two popular RTUs that are used in Electric Substations: the General Electric D20MX and the Schweitzer Engineering Labs SEL-3530 RTAC.
This talk will not cover Windows or *nixbased devices such as Human Machine Interfaces (HMIs) or gateways.
OWASP WTE, or OWASP Web Testing Environment, is a collection of application security tools and documentation available in multiple formats such as VMs, Linux distribution packages, Cloud-based installations and ISO images.
This presentation provides an overview and history of OWASP WTE. Additionally, it shows new OWASP WTE developments including the the ability to use WTE remotely by installing it on a cloud-based server.
Enterprise guide to building a Data MeshSion Smith
Making Data Mesh simple, Open Source and available to all; without vendor lock-in, without complex tooling and to use an approach centered around ‘specifications’, existing tools and baking in a ‘domain’ model.
Докладчик расскажет о технических аспектах разработки с нуля прототипа межсетевого экрана уровня систем управления базами данных Database Firewall: о том, что нужно чтобы разработать DBFW, о возможности применения методов машинного обучения для эффективного обнаружения SQL-инъекций по SQL-запросам, обнаружении SQL-инъекций на основе методов синтаксического анализа, реализации ролевого и атрибутного управление доступом. Также речь пойдет о перспективных механизмах защиты приложений на основе технологий межсетевого экранирования и статического анализа кода.
Databricks Meetup @ Los Angeles Apache Spark User GroupPaco Nathan
Los Angeles Apache Spark Users Group 2014-12-11 http://meetup.com/Los-Angeles-Apache-Spark-Users-Group/events/218748643/
A look ahead at Spark Streaming in Spark 1.2 and beyond, with case studies, demos, plus an overview of approximation algorithms that are useful for real-time analytics.
The Enterprise Guide to Building a Data Mesh - Introducing SpecMeshIanFurlong4
For organisations to successfully adopt data mesh, setting up and maintaining infrastructure needs to be easy.
We believe the best way to achieve this is to leverage the learnings from building a ‘central nervous system‘, commonly used in modern data-streaming ecosystems. This approach formalises and automates of the manual parts of building a data mesh.
This presentation introduces SpecMesh; a methodology and supporting developer toolkit to enable business to build the foundations of their data mesh.
Presentation delivered at LinuxCon China 2017.
Zephyr is an upstream open source project for places where Linux is too big to fit. This talk will overview the progress we've made in the first year towards the projects goals around incorporating best of breed technologies into the code base, and building up the community to support multiple architectures and development environments. We will share our roadmap, plans and the challenges ahead of the us and give an overview of the major technical challenges we want to tackle in 2017.
It's been said that open source software is eating the world. In the observability space, the project making this possible is OpenTelemetry. It's quickly becoming the standard for instrumentation and data collection of observability data. Understanding what data to collect and how to collect it properly is fundamental to ensuring users can quickly address availability and performance issues. Steve Flanders, Director of Engineering at Splunk, discusses the components of the project, its current status, and how you can get started integrating it into your modern app infrastructure.
Speakers:
Steve Flanders
The SOC analyst training program is meticulously designed by the subject matter experts at Infosec Train. The training program offers a deep insight into the SOC operations and workflows. It is an excellent opportunity for aspiring and current SOC analysts (L1/L2/L3) to level up their skills to mitigate business risks by effectively handling and responding to security threats.
https://www.infosectrain.com/courses/soc-analyst-expert-training/
The SOC analyst training program is meticulously designed by the subject matter experts at Infosec Train. The training program offers a deep insight into the SOC operations and workflows. It is an excellent opportunity for aspiring and current SOC analysts (L1/L2/L3) to level up their skills to mitigate business risks by effectively handling and responding to security threats.
https://www.infosectrain.com/courses/soc-analyst-expert-training/
Automating Security Response with ServerlessMichael Ducy
Serverless (or Functions as a Service) tends to get thrown in the "paradigms nice for developers" bucket, but Serverless can provide meaningful benefits to Operations, DevOps, and SRE teams. In a world where everything is presented or controlled via an API, Serverless' event driven, api first philosophy can help these teams create new levels of automation that were typically the realm of runbook tooling.
In this talk we'll cover the various open source Serverless frameworks and platforms available. We'll show how to automate basic day to day operational task with Serverless functions. Finally, we will show how to build an open source, automated, Serverless based, event driven pipeline to automatically secure and protect a Kubernetes cluster.
Securing the Container Pipeline at Salesforce by Cem Gurkok Docker, Inc.
Customer trust and security is paramount for Salesforce. While containerization is great for DevOps due to flexibility, speed, isolation, transient existence, ease of management and patching, it becomes a challenging environment when the sensitivity level of the data traversing the environment increases. Monitoring systems, applications and network; performing disk, memory and network forensics in case of an incident; and vulnerability detection can easily become daunting tasks in such a volatile environment.
In this presentation we would like to discuss the infrastructure we have built to address these issues and to secure our Docker container platform while we rapidly containerize Salesforce. Our solutions focus on securing the container pipeline, building security into the architecture, monitoring, Docker forensics (disk, memory, network), and automation. We also would like to demonstrate some of our live memory analysis capabilities we leverage to assure container and application integrity during execution.
Scalable Open-Source IoT Solutions on Microsoft AzureMaxim Ivannikov
Scalable Open-Source IoT Solutions from gateways to the Cloud using DeviceHive, Ubuntu Snappy Core and Microsoft Azure.
The presentation was used during the NY Open-Source IoT Solutions Summit on November 12, 2015.
This talk was at California Information Technology in Education (CITE 2022. This talk discussed tool that a blue team can use to gain to better respond to threats on their networks
Blackhat USA 2016 - What's the DFIRence for ICS?Chris Sistrunk
Digital Forensics and Incident Response (DFIR) for IT systems has been around quite a while, but what about Industrial Control Systems (ICS)? This talk will explore the basics of DFIR for embedded devices used in critical infrastructure such as Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and controllers. If these are compromised or even have a misoperation, we will show what files, firmware, memory dumps, physical conditions, and other data can be analyzed in embedded systems to determine the root cause.
This talk will show examples of what and how to collect forensics data from two popular RTUs that are used in Electric Substations: the General Electric D20MX and the Schweitzer Engineering Labs SEL-3530 RTAC.
This talk will not cover Windows or *nixbased devices such as Human Machine Interfaces (HMIs) or gateways.
OWASP WTE, or OWASP Web Testing Environment, is a collection of application security tools and documentation available in multiple formats such as VMs, Linux distribution packages, Cloud-based installations and ISO images.
This presentation provides an overview and history of OWASP WTE. Additionally, it shows new OWASP WTE developments including the the ability to use WTE remotely by installing it on a cloud-based server.
Enterprise guide to building a Data MeshSion Smith
Making Data Mesh simple, Open Source and available to all; without vendor lock-in, without complex tooling and to use an approach centered around ‘specifications’, existing tools and baking in a ‘domain’ model.
Докладчик расскажет о технических аспектах разработки с нуля прототипа межсетевого экрана уровня систем управления базами данных Database Firewall: о том, что нужно чтобы разработать DBFW, о возможности применения методов машинного обучения для эффективного обнаружения SQL-инъекций по SQL-запросам, обнаружении SQL-инъекций на основе методов синтаксического анализа, реализации ролевого и атрибутного управление доступом. Также речь пойдет о перспективных механизмах защиты приложений на основе технологий межсетевого экранирования и статического анализа кода.
Databricks Meetup @ Los Angeles Apache Spark User GroupPaco Nathan
Los Angeles Apache Spark Users Group 2014-12-11 http://meetup.com/Los-Angeles-Apache-Spark-Users-Group/events/218748643/
A look ahead at Spark Streaming in Spark 1.2 and beyond, with case studies, demos, plus an overview of approximation algorithms that are useful for real-time analytics.
The Enterprise Guide to Building a Data Mesh - Introducing SpecMeshIanFurlong4
For organisations to successfully adopt data mesh, setting up and maintaining infrastructure needs to be easy.
We believe the best way to achieve this is to leverage the learnings from building a ‘central nervous system‘, commonly used in modern data-streaming ecosystems. This approach formalises and automates of the manual parts of building a data mesh.
This presentation introduces SpecMesh; a methodology and supporting developer toolkit to enable business to build the foundations of their data mesh.
Presentation delivered at LinuxCon China 2017.
Zephyr is an upstream open source project for places where Linux is too big to fit. This talk will overview the progress we've made in the first year towards the projects goals around incorporating best of breed technologies into the code base, and building up the community to support multiple architectures and development environments. We will share our roadmap, plans and the challenges ahead of the us and give an overview of the major technical challenges we want to tackle in 2017.
It's been said that open source software is eating the world. In the observability space, the project making this possible is OpenTelemetry. It's quickly becoming the standard for instrumentation and data collection of observability data. Understanding what data to collect and how to collect it properly is fundamental to ensuring users can quickly address availability and performance issues. Steve Flanders, Director of Engineering at Splunk, discusses the components of the project, its current status, and how you can get started integrating it into your modern app infrastructure.
Speakers:
Steve Flanders
The SOC analyst training program is meticulously designed by the subject matter experts at Infosec Train. The training program offers a deep insight into the SOC operations and workflows. It is an excellent opportunity for aspiring and current SOC analysts (L1/L2/L3) to level up their skills to mitigate business risks by effectively handling and responding to security threats.
https://www.infosectrain.com/courses/soc-analyst-expert-training/
The SOC analyst training program is meticulously designed by the subject matter experts at Infosec Train. The training program offers a deep insight into the SOC operations and workflows. It is an excellent opportunity for aspiring and current SOC analysts (L1/L2/L3) to level up their skills to mitigate business risks by effectively handling and responding to security threats.
https://www.infosectrain.com/courses/soc-analyst-expert-training/
Automating Security Response with ServerlessMichael Ducy
Serverless (or Functions as a Service) tends to get thrown in the "paradigms nice for developers" bucket, but Serverless can provide meaningful benefits to Operations, DevOps, and SRE teams. In a world where everything is presented or controlled via an API, Serverless' event driven, api first philosophy can help these teams create new levels of automation that were typically the realm of runbook tooling.
In this talk we'll cover the various open source Serverless frameworks and platforms available. We'll show how to automate basic day to day operational task with Serverless functions. Finally, we will show how to build an open source, automated, Serverless based, event driven pipeline to automatically secure and protect a Kubernetes cluster.
Securing the Container Pipeline at Salesforce by Cem Gurkok Docker, Inc.
Customer trust and security is paramount for Salesforce. While containerization is great for DevOps due to flexibility, speed, isolation, transient existence, ease of management and patching, it becomes a challenging environment when the sensitivity level of the data traversing the environment increases. Monitoring systems, applications and network; performing disk, memory and network forensics in case of an incident; and vulnerability detection can easily become daunting tasks in such a volatile environment.
In this presentation we would like to discuss the infrastructure we have built to address these issues and to secure our Docker container platform while we rapidly containerize Salesforce. Our solutions focus on securing the container pipeline, building security into the architecture, monitoring, Docker forensics (disk, memory, network), and automation. We also would like to demonstrate some of our live memory analysis capabilities we leverage to assure container and application integrity during execution.
Scalable Open-Source IoT Solutions on Microsoft AzureMaxim Ivannikov
Scalable Open-Source IoT Solutions from gateways to the Cloud using DeviceHive, Ubuntu Snappy Core and Microsoft Azure.
The presentation was used during the NY Open-Source IoT Solutions Summit on November 12, 2015.
This talk was at California Information Technology in Education (CITE 2022. This talk discussed tool that a blue team can use to gain to better respond to threats on their networks
[HUN][Hackersuli] Androidos alkalmazássebészet, avagy gumikesztyűt fel és irá...hackersuli
A januári hackersulin belemerülünk az androidos alkalmazások nagyon mély lelkivilágába. Könyékig fogunk túrni az androidos "assembly"-ben és megnézzük, hogy mire lehet használni a szanaszéjjel cincált byte kódot, hogy lehet mókolni vele. Hónaljig merülünk a java compiler és a dalvik rejtelmeibe és a fejünk búbja is tocsogni fog a processzorregiszterek vakargatásától. Móka és kacagás az egész családnak!
Halálcsillag, pizza, süti, üccsi, gyakorlati példák, jó fej meetupra látogató, IT biztonság iránt érdeklődő emberkék és ultrajófej előadók mind várhatóak.
Gyertek és adjátok tovább!
[HUN][Hackersuli] iOS hekkelés, avagy egyik szemünk zokog, a másik meg kacagv...hackersuli
"Van publikus iBoot exploit az iOS-hez!"
Ha erre a mondatra nem vigyorogsz, gyere el és fogsz. Ha viszont zokognál, akkor arra is van okod - hogy miért, gyere el és megtudod :)
A decemberi első* Hackersuli meetupon iOS-ről fogunk beszélni mind alkalmazáshekkelési/penteszter szemszögből, mind pedig abból nézve, hogy most akkor beadhatod-e nyugodt szívvel az iPhone-odat kijelzőcserére az araboknak a Nyugatinál.
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
ER(Entity Relationship) Diagram for online shopping - TAEHimani415946
https://bit.ly/3KACoyV
The ER diagram for the project is the foundation for the building of the database of the project. The properties, datatypes, and attributes are defined by the ER diagram.
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesSanjeev Rampal
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
[Hackersuli] Élő szövet a fémvázon: Python és gépi tanulás a Zeek platformon
1. Élő szövet a fémvázon: Python és
gépi tanulás a Zeek platformon
Budapest Hackersuli Meetup 2024 Május
1
Szili Dávid
2. Nem, még mindig nem vettem magyar kiosztású
billentyűzetet!
Ezt a két slide-ot is kínszenvedés volt ékezetekkel
megírni!
2
Dávid, magyarul lécci… (Diszklémer 1)
3. Diszklémer 2
• We are going to discuss
intermediate/advanced topics!
• The assumption is that you are
somewhat familiar with security
monitoring and/or machine
learning concepts.
• Originally, this was a workshop,
NOT a presentation
• Finally; none of this is our own
research! We are just connecting
dots (see refs later)!
3
4. ChatGPT-4/DALL-E3 prompt:
This is too scary now, keep the original
image, all the details, but make it look cute,
and transform it into cartoon network art
style, like the style of Dexter's Laboratory, or
Power Puff Girls
ChatGPT-4/DALL-E3 prompt:
Make an epic portrait of a Terminator T-800
with red glowing eyes and a python wrapped
around its neck, where the python is
showing its fangs as it is about to attack.
Make it dynamic, cinematic, highly detailed,
packed with hidden details, style, high
dynamic range, hyper-realistic, realistic,
attention to detail.
Diszklémer 3
4
5. • Managing partner at Alzette Information Security (@AlzetteInfoSec)
• Network penetration testing, security architectures, security monitoring,
threat hunting, incident response, digital forensics
• Instructor at SANS Institute: FOR572, FOR509
• SANS Lead author: SANS DFIR NetWars
• BSides Luxembourg Organizer: https://bsideslux.lu
• Twitch: https://www.twitch.tv/alzetteinfosec
• YouTube: https://www.youtube.com/@alzetteinfosec
• Twitter (X): @DavidSzili
• E-mail: david.szili@alzetteinfosec.com
5
About David
6. Agenda for Today
Introduction to Zeek
Machine Learning on Zeek Logs
Snakes! (Anaconda and Python)
Zeek Broker and Machine Learning
6
8. About Zeek
What is Zeek?
• Passive, open-source network
traffic analyzer
• Event/data-driven NIDS/NSM
• Fully customizable and extensible
platform for traffic analysis
• Can run on commodity hardware
(up to 10GbE or even 100GbE links)
• Commercial offerings: Corelight
Why Zeek?
• Network Intrusion Detection
Systems (NIDS)
• Alert data only
• Network Security Monitoring
(NSM)
• Alert data
• Flow (or Session) data
• Transaction data
• Packet data (PCAP)
• Statistical data
• Correlated data
8
9. Zeek’s History
• 1995 – Initial version by Vern Paxson
• 1996 – Berkeley Lab deployment
• 2003 – National Science Foundation
(NSF) began supporting Bro R&D
• 2010 – National Center for
Supercomputing Applications (NCSA)
joined the team as a core partner
• 2013 – NSF renewed its support
• 2014 – try.bro.org (now try.zeek.org)
• 2016 – Zeek package manager
• 2018 – Changing the name of the
software from Bro to Zeek.
• 2020 – Spicy Parser Generator
9
12. • Zeek’s Event Engine:
• Reduces the incoming packet stream into a series of
higher-level events
• Places events into an ordered "event queue“
• Events:
• State change (new_connection, signature_match)
• Protocol specific (http_response, dns_request)
• Data availability (http_entity_data, file_sniff)
• Etc.
12
Zeek Events
13. Zeek Logs (Just a Few Examples)
Log File Description
conn.log TCP/UDP/ICMP connections
dhcp.log DHCP leases
dns.log DNS activity
ftp.log FTP activity
http.log HTTP requests and replies
rdp.log RDP
smb_cmd.log SMB commands
smb_files.log SMB files
ssh.log SSH connections
Log File Description
ssl.log SSL/TLS handshake info
files.log File analysis results
x509.log X.509 certificate info
intel.log Intelligence data matches
notice.log Zeek notices
signatures.log Signature matches
known_hosts.log Hosts seen (TCP handshakes)
software.log Software seen on the network
weird.log Unexpected network activity
13
Complete list: https://docs.zeek.org/en/master/script-reference/log-files.html
Details: https://docs.zeek.org/en/master/logs/index.html
14. Framework Description
Broker Communication Framework Exchange information with other Zeek processes
Cluster Framework The basic premise of Zeek clusterization
Configuration Framework Allows updating script options dynamically at runtime
File Analysis Framework Generalized presentation of file-related information
Input Framework Allows users to import data into Zeek
Intelligence Framework Consume data and make it available for matching
Logging Framework Fine-grained control of what and how is logged
Management Framework Provides a Zeek-based, service-oriented architecture
NetControl Framework Flexible, unified interface for active response
14
Zeek Frameworks (1)
Source: https://docs.zeek.org/en/master/frameworks/index.html
15. Framework Description
NetControl Framework Flexible, unified interface for active response
Notice Framework Detect potentially interesting situations and take action
Packet Analysis Handles parsing of packet headers at layers
Summary Statistics Framework Measuring aspects of network traffic
Signature Framework Signature language for low-level pattern matching
Telemetry Framework Can be used to record metrics
TLS Decryption Limited support for decrypting TLS connections
15
Zeek Frameworks (2)
Source: https://docs.zeek.org/en/master/frameworks/index.html
16. • Event-driven
• Domain-specific
• Turing-complete
• Based on ML (LISP-like)
• Basically, all Zeek output is generated by Zeek scripts!
16
Zeek Scripting Overview
Source: https://docs.zeek.org/en/master/script-reference/index.html
19. • From the Stratosphere Laboratory team:
• StratosphereLinuxIPS (SLIPS):
https://github.com/stratosphereips/StratosphereLinuxIPS
• zeek_anomaly_detector:
https://github.com/stratosphereips/zeek_anomaly_detector
• From the Active Countermeasures team:
• Real Intelligence Threat Analytics (RITA):
https://github.com/activecm/rita/
• AC-Hunter Community Edition:
https://www.activecountermeasures.com/ac-hunter-community-
edition/
19
Tools to Parse and Analyze Zeek Logs
20. Machine Learning on Zeek Logs
DEMO (1)
Budapest Hackersuli Meetup 2023 December
20
22. Anaconda, Jupyter Labs, Python
• We are going to use the
following tools:
• Anaconda
• Jupyter Lab
• Python (no, not R )
• pandas
• numpy
• mathplotlib
• scikit-learn
• tensorflow
22
Source: https://twitter.com/aboutsecurity/status/1094277269751762946
23. • None of this is our own research! We are just connecting dots!
• Largely based on David Hoelzer’s SANS “SEC595: Applied Data Science and AI/Machine Learning
for Cybersecurity Professionals” Day 2 labs:
• https://www.sans.org/cyber-security-courses/applied-data-science-machine-learning/
• Go check out David Hoelzer’s YouTube channel:
• https://www.youtube.com/@DHAtEnclaveForensics/videos
• Also, check out David Hoelzer’s other presentations on the SANS Cyber Defense YouTube channel:
• https://www.youtube.com/@SANSCyberDefense/search?query=Hoelzer
• We also used Nik Alleyne’s blog post and GitHub repository:
• https://www.securitynik.com/2023/10/beginning-fourier-transform-detecting.html
• https://showmethepackets.com/index.php/2023/10/09/beginning-fourier-transform-detecting-beaconing-
in-our-networks/
• https://github.com/SecurityNik/Data-Science-and-
ML/blob/main/Beginning%20Fourrier%20Transform%20for%20Beacon%20Detection%20-%20Blog.ipynb
23
Disclaimer / Credits
24. (Discrete) Fourier Transform and (R)FFT
24
Sources: https://www.thefouriertransform.com/
https://en.wikipedia.org/wiki/Discrete_Fourier_transform and https://en.wikipedia.org/wiki/Fast_Fourier_transform
25. Machine Learning on Zeek Logs
DEMO (2)
Budapest Hackersuli Meetup 2023 December
25
27. • Broker is a library for type-rich publish/subscribe
communication
• It is the successor of Broccoli
• It enables arbitrary applications to communicate in
Zeek’s data model
• Broker also offers distributed key-value stores to
facilitate unified data management and persistence
27
Zeek Broker
28. Broker Overview
• Endpoints: data senders and receivers.
• Peering: to publish or receive
messages an endpoint needs to peer
with other endpoints.
• Messages: information to send
• Topics: filters for a publish or
subscribe communication pattern.
• Subscriptions: peers only receive
messages which match one of their
subscriptions.
• Data stores: distributed key-value
stores.
28
29. • Almost all functionality of Broker is also accessible
through Python bindings
• The Python API mostly mimics the C++ interface
• Installation:
• Virtual Environment (compiled Broker from source)
• Binary package: $(PREFIX)/zeek/lib/zeek/python/
• Your Broker version must match your Zeek version!
29
Broker’s Python Bindings
import sys
sys.path.append('/opt/zeek/lib/zeek/python/')
30. • None of this is our own research! We are just connecting dots!
• Largely based on David Hoelzer’s livestream recordings, presentations, and his SANS “SEC595:
Applied Data Science and AI/Machine Learning for Cybersecurity Professionals” Day 3 and Day 5
labs:
• https://www.sans.org/cyber-security-courses/applied-data-science-machine-learning/
• Go check out David Hoelzer’s YouTube channel:
• https://www.youtube.com/@DHAtEnclaveForensics/videos
• We used code from these videos:
• Machine Learning with Zeek and Tensorflow Part 1:
https://www.youtube.com/watch?v=5w25kEMLdQk
• Machine Learning with Zeek and Tensorflow - Part 2: Processing the Data:
https://www.youtube.com/watch?v=8qJFnX214yE
• Threat Hunting with Data Science, Machine Learning, and Artificial Intelligence:
https://www.youtube.com/watch?v=fdqFdnkf9I4
• Also, check out David Hoelzer’s other presentations on the SANS Cyber Defense YouTube channel:
• https://www.youtube.com/@SANSCyberDefense/search?query=Hoelzer
30
Disclaimer / Credits (1)
31. • We used the code from the Zeek Broker documentation:
• https://docs.zeek.org/projects/broker/en/master/python.html
• We also used a little Dr. Keith Jones’ “How To Easily Connect Zeek to
Python” YouTube video, blog, and GitHub repository:
• https://www.youtube.com/watch?v=iIYi17VqFkY
• https://drkeithjones.com/index.php/2023/03/11/how-to-connect-zeek-to-python/
• https://github.com/keithjjones/zeek-python-broker-demo
• Go check out Dr. Keith Jones’ YouTube channel:
• https://www.youtube.com/@dr.keithjones
31
Disclaimer / Credits (2)
32. Zeek Broker and Python
DEMO (1)
Budapest Hackersuli Meetup 2023 December
32
35. Decision Tree Classifier
• Non-parametric supervised
learning method
• Gini coefficient: represents
the differences between areas
• The algorithm used to build
the decision tree is
attempting to maximize the
information gain at every
decision node
petal length (cm) ≤ 2.45
gini = 0.6667
samples = 150
value = [50, 50, 50]
class = setosa
gini = 0.0
samples = 50
value = [50, 0, 0]
class = setosa
True
petal width (cm) ≤ 1.75
gini = 0.5
samples = 100
value = [0, 50, 50]
class = versicolor
False
petal length (cm) ≤ 4.95
gini = 0.168
samples = 54
value = [0, 49, 5]
class = versicolor
petal length (cm) ≤ 4.85
gini = 0.0425
samples = 46
value = [0, 1, 45]
class = virginica
petal width (cm) ≤ 1.65
gini = 0.0408
samples = 48
value = [0, 47, 1]
class = versicolor
petal width (cm) ≤ 1.55
gini = 0.4444
samples = 6
value = [0, 2, 4]
class = virginica
gini = 0.0
samples = 47
value = [0, 47, 0]
class = versicolor
gini = 0.0
samples = 1
value = [0, 0, 1]
class = virginica
gini = 0.0
samples = 3
value = [0, 0, 3]
class = virginica
sepal length (cm) ≤ 6.95
gini = 0.4444
samples = 3
value = [0, 2, 1]
class = versicolor
gini = 0.0
samples = 2
value = [0, 2, 0]
class = versicolor
gini = 0.0
samples = 1
value = [0, 0, 1]
class = virginica
sepal length (cm) ≤ 5.95
gini = 0.4444
samples = 3
value = [0, 1, 2]
class = virginica
gini = 0.0
samples = 43
value = [0, 0, 43]
class = virginica
gini = 0.0
samples = 1
value = [0, 1, 0]
class = versicolor
gini = 0.0
samples = 2
value = [0, 0, 2]
class = virginica
35
Source: https://scikit-learn.org/stable/modules/tree.html
36. • Decision Trees have an issue with outliers in the data.
• Let’s build a forest! Each tree makes a determination, classifies
that sample, and gets one vote. Whichever category has the
greatest number of votes, is the final classification.
36
Random Forest Classifier
Source: https://stackoverflow.com/questions/40155128/plot-trees-for-a-random-forest-in-python-with-scikit-learn