Traditional and Advanced Techniques for Network Beacon Detection
February 2022 • Video
Dustin Updyke and Tom Podnar delivered this presentation at FloCon 2022 on January 12, 2022. Watch the video and download the slides.
Software Engineering Institute
Software that calls home at a regular interval is referred to as “beaconing.” Beaconing can look like normal network traffic, but it has distinctive properties that we can look for as part of a threat hunt. Our particular focus is on the timing of the communications for a unique connection. Our work shows techniques for targeting the top candidates on a network that may be exhibiting beaconing behavior by applying several machine learning clustering models to the communication delta times (the gaps between successive connections).
Attendees will come to understand beaconing software, how to analyze the connections between machines using standard Python machine learning libraries, and how to think about utilizing ML in general for their day-to-day operations.
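To make the idea of ranking connections by the regularity of their delta times concrete, here is an added example (not code from the presentation or the SEI). It stands in for the talk's clustering models with a single dispersion statistic, the median absolute deviation of each connection's inter-arrival gaps divided by their median, and runs over constructed flow records so it works offline; the `FLOWS` tuples, addresses and the `min_deltas` threshold are assumptions for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow records: (seconds since capture start, src, dst, dst_port).
# The first connection is a periodic ~60 s callback with small jitter, the second is
# irregular user traffic, and the third has too few connections to score.
FLOWS = [
    (0, "10.0.0.5", "203.0.113.9", 443), (61, "10.0.0.5", "203.0.113.9", 443),
    (119, "10.0.0.5", "203.0.113.9", 443), (182, "10.0.0.5", "203.0.113.9", 443),
    (240, "10.0.0.5", "203.0.113.9", 443), (301, "10.0.0.5", "203.0.113.9", 443),
    (5, "10.0.0.7", "198.51.100.4", 443), (9, "10.0.0.7", "198.51.100.4", 443),
    (140, "10.0.0.7", "198.51.100.4", 443), (150, "10.0.0.7", "198.51.100.4", 443),
    (400, "10.0.0.7", "198.51.100.4", 443), (412, "10.0.0.7", "198.51.100.4", 443),
    (0, "10.0.0.9", "192.0.2.1", 80), (30, "10.0.0.9", "192.0.2.1", 80),
]

def inter_arrival_deltas(flows):
    """Group flows by (src, dst, port) and return the gaps between successive connections."""
    by_conn = defaultdict(list)
    for ts, src, dst, port in flows:
        by_conn[(src, dst, port)].append(ts)
    deltas = {}
    for conn, stamps in by_conn.items():
        stamps.sort()
        deltas[conn] = [b - a for a, b in zip(stamps, stamps[1:])]
    return deltas

def regularity_score(deltas):
    """Median absolute deviation of the deltas relative to their median.
    0.0 means perfectly periodic; larger values mean more irregular timing."""
    med = median(deltas)
    if med == 0:
        return float("inf")  # a burst with no spacing between connections is not beacon-like
    mad = median([abs(d - med) for d in deltas])
    return mad / med

def rank_candidates(flows, min_deltas=4):
    """Return (connection, median_interval_s, score) sorted from most to least periodic.
    Connections with fewer than min_deltas gaps are skipped: too little evidence to judge."""
    ranked = []
    for conn, deltas in inter_arrival_deltas(flows).items():
        if len(deltas) < min_deltas:
            continue
        ranked.append((conn, median(deltas), regularity_score(deltas)))
    return sorted(ranked, key=lambda r: r[2])

if __name__ == "__main__":
    for conn, interval, score in rank_candidates(FLOWS):
        print(f"{conn[0]} -> {conn[1]}:{conn[2]}  median gap {interval}s  score {score:.3f}")
```

The lowest-scoring connections are the threat-hunt candidates to inspect first; on real flow data the same per-connection delta lists are what a clustering model would consume.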
Dustin Updyke is a Cybersecurity Researcher at the CERT Division of Carnegie Mellon University’s Software Engineering Institute. After previously serving with multiple industries in an array of technology roles, Dustin transitioned into security and now supports cyber workforce development for multiple government and DoD contracts. He built and supports (through the SEI's presence on GitHub) a range of open source tools that help bring realism to simulation, training, and exercises. His current research interests include game theory, machine learning, and AI. Dustin is currently a graduate student in Carnegie Mellon's Philosophy program.
Tom Podnar is currently a Cyber Security Engineer at the CERT Division of the SEI at Carnegie Mellon. He works with the United States Army researching, architecting, implementing, and delivering elite cyber warfare exercises. He is also an adjunct professor at La Roche University, where he teaches Advanced Computer Security. He was previously the Systems Architecture team manager at the University of Pittsburgh, where his team was responsible for architecting and implementing all enterprise systems.