Thursday, January 10 • 9:00am - 9:30am
Time-based Correlation of Malicious Events and their Connections

In the cyber security arena, many events of interest occur in conjunction with network connection events. For example, a connection to a suspected malware command-and-control node might precede a hidden process disabling security logging on a compromised computer. Associating such malicious events with their related connections is a critical task in network forensics. Oftentimes a suspicious connection can tip off investigators to previously overlooked events, and vice versa. However, in many cases, associating events with corresponding connections is difficult due to network layering, dynamic addressing, or gaps in sensor coverage. Inevitably, the investigator will invoke timestamps to help correlate events with possible connections. In this presentation, we discuss automating this approach with a Time-Based Correlation big data analytic that uses a statistical approach to gauge independence between events and possibly related connections. We include the results of a validating discrete event simulation that identifies under which conditions this approach provides the best performance and fewest false positives. We discuss scaling this analytic to the DoD enterprise level and its use in helping detect various anomalies.

Attendees will learn:
Attendees will learn how to automate the use of statistics to help link events and connections in a timeline during an incident or forensic investigation. This includes under which conditions time can be definitive in linking events and when it must be combined with other methods.
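As an added illustration (not code from the talk, nor from Enlighten IT Consulting), the following Python sketch shows one way a time-based correlation test of this kind can be built. It pairs each suspicious connection with host events that start within a short window after it, then asks whether the number of connections followed by an event is larger than independence would predict. The null model (events as a Poisson process, so the hit count is binomial) and the sample timestamps are assumptions of this example; the statistical method actually presented in the talk is not specified on this page.

```python
from math import comb, exp
from typing import List, Tuple

# Constructed sample data (not from the talk). Times are seconds from the start
# of the analysed period. CONNECTIONS: start times of flows to a suspected C2
# node from a flow sensor. EVENTS: host telemetry such as "logging service stopped".
CONNECTIONS: List[float] = [100.0, 400.0, 700.0, 1000.0, 1300.0]
EVENTS: List[float] = [103.5, 250.0, 402.0, 705.0, 1002.5, 1150.0, 1302.0]
PERIOD_SECONDS = 1500.0  # length of the analysed period


def pair_within_window(connections: List[float], events: List[float],
                       window: float) -> List[Tuple[float, float]]:
    """Return (connection, event) pairs where the event occurs no later than
    `window` seconds after the connection started (the forensic linkage an
    investigator would make by hand from timestamps)."""
    return [(c, e) for c in connections for e in events if c <= e <= c + window]


def independence_pvalue(connections: List[float], events: List[float],
                        window: float, period: float) -> Tuple[int, float, float]:
    """Test the hypothesis that events are independent of connections.

    Null model (an assumption of this example): events form a Poisson process
    with rate len(events)/period. The probability that a given window of length
    `window` after a connection contains at least one event is then
    p = 1 - exp(-rate * window), and the number of connections that are
    followed by >= 1 event is Binomial(n_conn, p). Returns
    (hits, p, one-sided tail probability P[X >= hits]).
    """
    n_conn = len(connections)
    rate = len(events) / period
    p = 1.0 - exp(-rate * window)
    hits = sum(1 for c in connections if any(c <= e <= c + window for e in events))
    tail = sum(comb(n_conn, i) * p ** i * (1.0 - p) ** (n_conn - i)
               for i in range(hits, n_conn + 1))
    return hits, p, tail


def correlated(connections: List[float], events: List[float], window: float,
               period: float, alpha: float = 0.01) -> bool:
    """True when the observed co-occurrence is unlikely under independence."""
    _, _, tail = independence_pvalue(connections, events, window, period)
    return tail < alpha


if __name__ == "__main__":
    for w in (5.0, 300.0):
        hits, p, tail = independence_pvalue(CONNECTIONS, EVENTS, w, PERIOD_SECONDS)
        print(f"window={w:>5}s hits={hits}/{len(CONNECTIONS)} "
              f"p_per_window={p:.3f} P[X>=hits]={tail:.2e} "
              f"linked={correlated(CONNECTIONS, EVENTS, w, PERIOD_SECONDS)}")
    for c, e in pair_within_window(CONNECTIONS, EVENTS, 5.0):
        print(f"connection@{c} -> event@{e} (+{e - c:.1f}s)")
```

Running it with a 5-second window, all five connections are followed by an event and the tail probability is well below 1e-6, so the link is strong; widening the window to 300 seconds leaves the same five hits but, because almost any 300-second window would contain an event, the tail probability rises to roughly 0.24 and the test no longer rejects independence. That contrast is the point the abstract makes about the conditions under which time alone is definitive versus when it must be combined with other evidence.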


Steven Henderson

Lead Data Scientist, Enlighten IT Consulting
Steve Henderson is the Lead Data Scientist at Enlighten IT Consulting, where he supervises petabyte-scale data science analytics in support of DoD cyber operations for USCYBERCOM, ARCYBERCOM, and DISA. Steve is a 23-year Army veteran who is an expert in data science systems engineering...

Brittany Nicholls

Cloud Software Engineer, Enlighten IT Consulting
Brittany Nicholls is a Technical Lead who oversees a team of software engineers at Enlighten IT Consulting, LLC, an Alion Company. She and her team are currently focused on advancing the fusion of cloud analytics and visualizations. These innovative tools assist Defensive Cyber Operations...

Thursday January 10, 2019 9:00am - 9:30am EST
Grand Ballroom 300 Bourbon St, New Orleans, LA 70130