
Time-Based Correlation of Malicious Events and Their Connections

In this presentation, the authors discuss how to automate the use of statistics to help link events and connections in a timeline during an incident or forensic investigation.

Enlighten IT Consulting



In the cybersecurity arena, many events of interest occur in conjunction with network connection events. For example, a connection to a suspected malware command and control node might precede a hidden process disabling security logging on a compromised computer. Associating such malicious events with their related connections is a critical task in network forensics. Often, a suspicious connection can tip off investigators to previously overlooked events, and vice versa. However, in many cases, associating events with their corresponding connections is difficult because of network layering, dynamic addressing, or gaps in sensor coverage. Inevitably, the investigator will invoke timestamps to help correlate events with possible connections. Included are the results of a validating discrete event simulation that identifies the conditions under which this approach provides the best performance and fewest false positives. We discuss scaling this analytic to the DoD enterprise level and its use in helping detect various anomalies.

Part of a Collection

FloCon 2019 Presentations

This content was created for a conference series or symposium and does not necessarily reflect the positions and views of the Software Engineering Institute.