Threat Detection Via MetaCharacteristic Analysis of Machine Data presented at Shakacon 2012

by Monzy Merza

Summary: Meta-Characteristic Analysis is a source-agnostic detection approach for unknown attacks that relies on event data to detect cyber threats. This approach does not rely on any traditional IPS/IDS signatures. We utilize simple measures such as event shape (length and punctuation), event frequency, and event affinity (shape correlation with event artifacts) on sources such as email logs, registry keys and system files (among others). Using publicly published breach reports as examples, we demonstrate how meta-characteristic analysis detects the disclosed threat or exfiltration path. We will show that this strategy can be used to detect a wide range of unknown attacks, persistence mechanisms and exfiltration channels.
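As an added illustration of the three measures the abstract names (this is not code from the talk or its author), the following Python sketch computes event shape, shape frequency and artifact affinity over constructed DNS query log lines. The punctuation-only shape, the 20-character length bucket and the choice of the host field as the artifact are assumptions made for this example.

```python
from collections import Counter

# Constructed sample DNS query log lines (not from the talk). The last line
# carries a long, hyphenated, encoded-looking label where a short hostname
# normally sits, the kind of exfiltration artifact the approach aims to surface.
SAMPLE_LOGS = [
    "Mar 1 10:00:01 ws01 dns: query www.example.com A from 10.0.0.5",
    "Mar 1 10:00:02 ws02 dns: query mail.example.com A from 10.0.0.6",
    "Mar 1 10:00:03 ws01 dns: query cdn.example.net A from 10.0.0.5",
    "Mar 1 10:00:04 ws03 dns: query www.example.com A from 10.0.0.7",
    "Mar 1 10:00:05 ws02 dns: query 3f9a1c-dGhpcyBpcyBhIHRlc3Q-e4b7.tunnel.example.org TXT from 10.0.0.6",
]


def punct_shape(line):
    """Event shape: drop letters and digits, keep punctuation, map whitespace to '_'."""
    return "".join("_" if ch.isspace() else ch for ch in line if not ch.isalnum())


def length_bucket(line, width=20):
    """Coarse length feature so that near-identical lengths share one bucket (assumed width)."""
    return len(line) // width


def event_shape(line, width=20):
    """Combined shape key: punctuation pattern plus length bucket."""
    return (punct_shape(line), length_bucket(line, width))


def shape_frequencies(lines):
    """Event frequency: how often each shape occurs in the corpus."""
    return Counter(event_shape(line) for line in lines)


def rare_events(lines, max_count=1):
    """Lines whose shape occurs at most max_count times; rare shapes are the candidates."""
    freq = shape_frequencies(lines)
    return [line for line in lines if freq[event_shape(line)] <= max_count]


def artifact_affinity(lines, field=3):
    """Event affinity: which artifact (here the host in field 3) the rare shapes cluster on."""
    return Counter(line.split()[field] for line in rare_events(lines))


if __name__ == "__main__":
    for line in rare_events(SAMPLE_LOGS):
        print("rare shape:", event_shape(line), "->", line)
    print("affinity by host:", dict(artifact_affinity(SAMPLE_LOGS)))
```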