Incident Investigation: From Packets to Graph-Based Analysis
Authors | |
---|---|
Year of publication | 2022 |
MU Faculty or unit | |
Citation | |
Attached files | |
Description | Analysis of network traffic allows us to explore events in the monitored network (even retrospectively). It benefits from the fact that it is almost impossible to maliciously affect the captured data (as opposed to system logs, for example). Therefore, it is a reliable source that suitably complements cyber incident investigation. The analysis of network traffic is currently performed by the use of tools such as Wireshark or Arkime, which allow manual data browsing, filtering, aggregation, and provide interactive visualizations but don't account for the fact that the human brain perceives the data as associations/graphs. This interactive keynote will show you how network traffic is typically analyzed today and how it can be adapted to human thinking by using a graph database. In the introductory part, you will see what a typical network attack looks like, how it can be analyzed using Wireshark, and what the advantages and disadvantages of today's analysis techniques are. We will then show you how to transform network data into a format suitable for a graph database while at the same time preserving the natural perception of network traffic. In the final part of the keynote, we will introduce the Granef toolkit (https://granef.csirt.muni.cz/) and use it to analyze the given data. Through simple tutorial exercises, participants will have the opportunity to explore graph-based analysis on their own and gain new insights into network traffic data. |
Related projects: |