Machine Learninģ-based Detection of C&amp;C Channels with a Focus on the Locked Shields Cyber Defense Exercise

Kanzig, Nicolas; Meier, Roland; Gambazzi, Luca; Lenders, Vincent; Vanbever, Laurent

doi:10.23919/cycon.2019.8756814

Cited by 11 publications

(7 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The research paper titled "Machine Learning-based Detection of C&C Channels with a Focus on the Locked Shields Cyber Defence Exercise," authored by Känzig et al (2019), introduces a system tailored to find Command and Control (C&C) channels within network traffic, with particular emphasis on the Locked Shields cyber defence exercise, as seen in Fig. 15.…”

Section: Machine Learning's Role In Locked Shields Defencementioning

confidence: 99%

A Comprehensive Analysis of the Role of Artificial Intelligence and Machine Learning in Modern Digital Forensics and Incident Response

Dunsin,

Ghanem,

Ouazzane

et al. 2023

Preprint

View full text Add to dashboard Cite

Section: Machine Learning's Role In Locked Shields Defencementioning

confidence: 99%

A Comprehensive Analysis of the Role of Artificial Intelligence and Machine Learning in Modern Digital Forensics and Incident Response

Dunsin,

Ghanem,

Ouazzane

et al. 2023

Preprint

View full text Add to dashboard Cite

“…While cyber ranges are strictly not emulators, they provide an excellent source of data to train new data-driven capabilities -as seen in e.g. [26]. Examples of cyber ranges are: CCDCOE's cyber range 10 (NATO/Estonia); AIT's cyber range 11 (Austria), CRATE [21] (Sweden); and NCR 12 (Norway).…”

Section: B Emulation and Cyber Exercisesmentioning

confidence: 99%

“…Examples of cyber ranges are: CCDCOE's cyber range 10 (NATO/Estonia); AIT's cyber range 11 (Austria), CRATE [21] (Sweden); and NCR 12 (Norway). The aforementioned work [26] used logs from the 2019 Locked Shields cyber exercise, hosted by CCDCOE, to label a subset of the generated logs in order to train a ML model for detecting command & control traffic.…”

Section: B Emulation and Cyber Exercisesmentioning

confidence: 99%

“…The advantage of more ad-hoc labelling methods is that they can be applied to existing log data. One example is [26], which used information from the cyber exercise to post-hoc label the…”

Section: Labelling Log Datamentioning

confidence: 99%

“…The attack scenarios include abilities related to: discovery, C&C, credential dumping, executing and defence evasion. The plan contains two distinct scenarios with 20 defined stages from 79 attack steps 26 . The first scenario has a "smash-and-grab" approach, starting with noisy techniques before proceeding to a quick espionage mission for collecting data and exfiltration.…”

Section: B Labelling Host Behaviourmentioning

confidence: 99%

See 2 more Smart Citations

LADEMU: a modular & continuous approach for generating labelled APT datasets from emulations

Gjerstad

Kadiric

Grov

et al. 2022

2022 IEEE International Conference on Big Data (Big Data)

View full text Add to dashboard Cite

Development and evaluation of data-driven capabilities for both threat hunting and intrusion detection require highquality and up-to-date datasets. The generation of such datasets poses multiple challenges, which has led to a general lack of suitable datasets for this domain.One such difficulty is the ability to correctly label each datapoint at a suitable level of granularity. In this paper, we argue that the challenges faced when labelling datasets can to some degree be decoupled from realistic emulations of up-to-date attacks and benign behaviours. We propose a modular labelling approach that can be combined with existing emulation platforms that provide the necessary details used for labelling. A proof-ofconcept implementation is provided with our LADEMU (Labelled Apt Datasets from EMUlations) tool, which is integrated with the Mitre CALDERA emulation platform and uses the GHOSTS framework for benign behaviour. LADEMU captures both host and network logs and labels them at a sufficient level of detail to separate the various attack steps. This provides dataset support for the development of data-driven APT, multi-step and killchain capabilities. As a case, LADEMU is used to generate a labelled dataset from an intelligence-driven emulation plan of an advanced persistent threat (APT) group.

show abstract

Cyber Weapons and Artificial Intelligence: Impact, Influence and the Challenges for Arms Control

Reinhold

Reuter

2022

Armament, Arms Control and Artificial Intelligence

View full text Add to dashboard Cite

Machine Learninģ-based Detection of C&C Channels with a Focus on the Locked Shields Cyber Defense Exercise

Cited by 11 publications

References 5 publications

A Comprehensive Analysis of the Role of Artificial Intelligence and Machine Learning in Modern Digital Forensics and Incident Response

A Comprehensive Analysis of the Role of Artificial Intelligence and Machine Learning in Modern Digital Forensics and Incident Response

LADEMU: a modular & continuous approach for generating labelled APT datasets from emulations

Cyber Weapons and Artificial Intelligence: Impact, Influence and the Challenges for Arms Control

Contact Info

Product

Resources

About