Hunting in the Dark: Metrics for Early Stage Traffic Discovery
Max Gao, Michael Collins, Ricky Mok, kc Claffy

TL;DR
This paper investigates threat hunting metrics through the detection of Crackonosh, a cryptojacking malware package. It models how detection capability changes as the malware population shrinks and explores how the size of the darkspace (network telescope) used to observe the malware affects both tracking ability and observable attacker behavior.
Contribution
It introduces a new metric for discoverability and models detection effectiveness under varying malware populations and darkspace sizes.
Findings
Detection strength varies with malware prevalence.
Darkspace size influences tracking ability and attacker behavior.
Metrics can quantify threat hunting effectiveness.
Abstract
Threat hunting is an operational security process in which an expert analyzes traffic, applying domain knowledge and lightweight tools to unlabeled data in order to identify and classify previously unknown phenomena. In this paper, we examine threat hunting metrics and practice by studying the impact that the detection of Crackonosh, a cryptojacking malware package, has on various metrics for identifying its behavior. Using a metric for discoverability, we model the ability of defenders to measure Crackonosh traffic as the malware population decreases, evaluate the strength of various detection methods, and demonstrate how different darkspace sizes affect both the ability to track the malware and the emergent behaviors that become observable by exploiting attacker mistakes.
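The abstract states that the ability to track a decaying malware population depends on darkspace size, but the page does not define the paper's discoverability metric. The following is an added illustration, not code or notation from the paper: a simple coverage model in which each infected host sends a fixed number of probes to uniformly random IPv4 addresses (an assumed naive-scanner behavior; Crackonosh's actual scanning strategy is not described on this page) and a defender watches a single contiguous darkspace block. It shows how the per-host chance of being seen, the expected number of hosts observed, and the minimum population that a telescope can still detect with a given confidence all change with prefix length and population size.

```python
"""Darkspace (network telescope) coverage model.

Added illustration, NOT the discoverability metric from the paper. Assumptions:
  - IPv4, 2**32 addresses in total
  - each infected host sends `probes` scans to uniformly random addresses,
    chosen independently with replacement (a naive random scanner)
  - the darkspace is one contiguous /prefix_len block
"""
import math

IPV4_SPACE = 2 ** 32


def darkspace_fraction(prefix_len: int) -> float:
    """Fraction of the IPv4 space covered by a single /prefix_len darkspace."""
    if not 1 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 1 and 32")
    return (2 ** (32 - prefix_len)) / IPV4_SPACE


def _log_miss_per_host(prefix_len: int, probes: int) -> float:
    """log P(one host sends all of its probes outside the darkspace)."""
    if probes < 1:
        raise ValueError("a host must send at least one probe")
    # (1 - frac) ** probes, kept in log space so tiny fractions stay accurate
    return probes * math.log1p(-darkspace_fraction(prefix_len))


def per_host_hit_probability(prefix_len: int, probes: int) -> float:
    """P(a single random-scanning host sends at least one probe into the darkspace)."""
    return -math.expm1(_log_miss_per_host(prefix_len, probes))


def expected_hosts_observed(population: int, prefix_len: int, probes: int) -> float:
    """Expected number of distinct infected hosts the telescope will see."""
    return population * per_host_hit_probability(prefix_len, probes)


def prob_any_observed(population: int, prefix_len: int, probes: int) -> float:
    """P(at least one of `population` infected hosts shows up in the darkspace)."""
    # every host misses: ((1 - frac) ** probes) ** population
    log_all_miss = population * _log_miss_per_host(prefix_len, probes)
    return -math.expm1(log_all_miss)


def min_population_for_detection(prefix_len: int, probes: int,
                                 confidence: float = 0.95) -> int:
    """Smallest infected population at which P(any observed) >= confidence.

    This is the telescope's detection floor: once the malware population
    decays below it, the campaign is no longer reliably visible from this
    darkspace, even though it is still alive elsewhere.
    """
    if not 0 < confidence < 1:
        raise ValueError("confidence must be strictly between 0 and 1")
    n = math.log(1.0 - confidence) / _log_miss_per_host(prefix_len, probes)
    return max(1, math.ceil(n))


if __name__ == "__main__":
    probes = 1000  # assumed probes per infected host during the observation window
    print(f"probes/host = {probes}")
    print(f"{'prefix':>7} {'P(host seen)':>13} {'min pop (95%)':>14}")
    for prefix_len in (8, 12, 16, 20, 24):
        p = per_host_hit_probability(prefix_len, probes)
        floor = min_population_for_detection(prefix_len, probes)
        print(f"/{prefix_len:<6} {p:>13.5f} {floor:>14}")
    # How a shrinking population looks from a /16 versus a /8 telescope
    for population in (10_000, 1_000, 100, 10):
        seen16 = expected_hosts_observed(population, 16, probes)
        seen8 = expected_hosts_observed(population, 8, probes)
        print(f"population {population:>6}: expect {seen16:8.2f} hosts on a /16, "
              f"{seen8:8.2f} on a /8")
```

The table makes the paper's tracking concern concrete under this model: a /8 sees almost every naive scanner, while a /16 sees only about 1.5% of them, so a campaign that decays from thousands of hosts to a few hundred drops below the /16 detection floor long before it disappears from the /8. The model says nothing about non-uniform scanning or the attacker mistakes the abstract alludes to; those are the paper's own empirical findings.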
Taxonomy
Topics: Data Visualization and Analytics
