Showing 1–4 of 4 results for author: Mazel, J

ML-based tunnel detection and tunneled application classification

Authors: Johan Mazel, Matthieu Saudrais, Antoine Hervieu

Abstract: Encrypted tunneling protocols are widely used. Beyond business and personal uses, malicious actors also deploy tunneling to hinder the detection of Command and Control and data exfiltration. A common approach to maintain visibility on tunneling is to rely on network traffic metadata and machine learning to analyze tunnel occurrence without actually decrypting data. Existing work that address tunne… ▽ More Encrypted tunneling protocols are widely used. Beyond business and personal uses, malicious actors also deploy tunneling to hinder the detection of Command and Control and data exfiltration. A common approach to maintain visibility on tunneling is to rely on network traffic metadata and machine learning to analyze tunnel occurrence without actually decrypting data. Existing work that address tunneling protocols however exhibit several weaknesses: their goal is to detect application inside tunnels and not tunnel identification, they exhibit limited protocol coverage (e.g. OpenVPN and Wireguard are not addressed), and both inconsistent features and diverse machine learning techniques which makes performance comparison difficult. Our work makes four contributions that address these limitations and provide further analysis. First, we address OpenVPN and Wireguard. Second, we propose a complete pipeline to detect and classify tunneling protocols and tunneled applications. Third, we present a thorough analysis of the performance of both network traffic metadata features and machine learning techniques. Fourth, we provide a novel analysis of domain generalization regarding background untunneled traffic, and, both domain generalization and adversarial learning regarding Maximum Transmission Unit (MTU). △ Less

Submitted 25 January, 2022; originally announced January 2022.

Dynamically Modelling Heterogeneous Higher-Order Interactions for Malicious Behavior Detection in Event Logs

Authors: Corentin Larroche, Johan Mazel, Stephan Clémençon

Abstract: Anomaly detection in event logs is a promising approach for intrusion detection in enterprise networks. By building a statistical model of usual activity, it aims to detect multiple kinds of malicious behavior, including stealthy tactics, techniques and procedures (TTPs) designed to evade signature-based detection systems. However, finding suitable anomaly detection methods for event logs remains… ▽ More Anomaly detection in event logs is a promising approach for intrusion detection in enterprise networks. By building a statistical model of usual activity, it aims to detect multiple kinds of malicious behavior, including stealthy tactics, techniques and procedures (TTPs) designed to evade signature-based detection systems. However, finding suitable anomaly detection methods for event logs remains an important challenge. This results from the very complex, multi-faceted nature of the data: event logs are not only combinatorial, but also temporal and heterogeneous data, thus they fit poorly in most theoretical frameworks for anomaly detection. Most previous research focuses on either one of these three aspects, building a simplified representation of the data that can be fed to standard anomaly detection algorithms. In contrast, we propose to simultaneously address all three of these characteristics through a specifically tailored statistical model. We introduce \textsc{Decades}, a \underline{d}ynamic, h\underline{e}terogeneous and \underline{c}ombinatorial model for \underline{a}nomaly \underline{d}etection in \underline{e}vent \underline{s}treams, and we demonstrate its effectiveness at detecting malicious behavior through experiments on a real dataset containing labelled red team activity. In particular, we empirically highlight the importance of handling the multiple characteristics of the data by comparing our model with state-of-the-art baselines relying on various data representations. △ Less

Submitted 28 June, 2022; v1 submitted 29 March, 2021; originally announced March 2021.

Identifying and characterizing ZMap scans: a cryptanalytic approach

Authors: Johan Mazel, Rémi Strullu

Abstract: Network scanning tools play a major role in Internet security. They are used by both network security researchers and malicious actors to identify vulnerable machines exposed on the Internet. ZMap is one of the most common probing tools for high-speed Internet-wide scanning. We present novel identification methods based on the IPv4 iteration process of ZMap. These methods can be used to identify Z… ▽ More Network scanning tools play a major role in Internet security. They are used by both network security researchers and malicious actors to identify vulnerable machines exposed on the Internet. ZMap is one of the most common probing tools for high-speed Internet-wide scanning. We present novel identification methods based on the IPv4 iteration process of ZMap. These methods can be used to identify ZMap scans with a small number of addresses extracted from the scan. We conduct an experimental evaluation of these detection methods on synthetic, network telescope, and backbone traffic. We manage to identify 28.5% of the ZMap scans in real-world traffic. We then perform an in-depth characterization of these scans regarding, for example, targeted prefix and probing speed. △ Less

Submitted 13 August, 2019; v1 submitted 12 August, 2019; originally announced August 2019.

A comparison of web privacy protection techniques

Authors: Johan Mazel, Richard Garnier, Kensuke Fukuda

Abstract: A comparison of web privacy protection techniques A comparison of web privacy protection techniques △ Less

Submitted 19 December, 2017; originally announced December 2017.