Detailed Information on Publication Record
2022
Incident Investigation: From Packets to Graph-Based Analysis
ČERMÁK, Milan
Basic information
Original name
Incident Investigation: From Packets to Graph-Based Analysis
Authors
ČERMÁK, Milan
Edition
International Workshop on Graph-based network Security (GraSec) in conjunction with IEEE/IFIP Network Operations and Management Symposium NOMS 2022, 2022
Other information
Language
English
Type of outcome
Invited lectures
Country of publisher
Hungary
Confidentiality degree
not subject to state or trade secrecy
References:
Organization
Ústav výpočetní techniky – Repository
Keywords in English
Network Forensics;Graph Database;Incident Investigation;Dgraph;Zeek;Association-based Analysis
Links
833418, internal Repo code.
Changed: 29/4/2022 03:09, RNDr. Daniel Jakubík
Abstract
In the original
Analysis of network traffic allows us to explore events in the monitored network (even retrospectively). It benefits from the fact that it is almost impossible to maliciously affect the captured data (as opposed to system logs, for example). Therefore, it is a reliable source that suitably complements cyber incident investigation. Network traffic analysis is currently performed with tools such as Wireshark or Arkime, which allow manual data browsing, filtering, and aggregation and provide interactive visualizations, but do not account for the fact that the human brain perceives the data as associations, i.e. as graphs. This interactive keynote will show you how network traffic is typically analyzed today and how the analysis can be adapted to human thinking by using a graph database. In the introductory part, you will see what a typical network attack looks like, how it can be analyzed using Wireshark, and what the advantages and disadvantages of today's analysis techniques are. We will then show you how to transform network data into a format suitable for a graph database while preserving the natural perception of network traffic. In the final part of the keynote, we will introduce the Granef toolkit (https://granef.csirt.muni.cz/) and use it to analyze the given data. Through simple tutorial exercises, participants will have the opportunity to explore graph-based analysis on their own and gain new insights into network traffic data.