Check out my talk at VizSec 2016!
Understanding the Context of Network Traffic Alerts
Check out the reactions on Twitter!
I'm Bram and I am a computer scientist from Eindhoven University of Technology.
Ever since I was little, I have been fascinated by the functioning and actuation of electronic devices. I love to puzzle over mathematical problems and try to come up with a creative solution. My interests are in particular in the area of data visualization, information systems, formal system analysis, and language engineering. I currently hold a PhD position in the area of data visualization.
Besides my academic career, I work as a freelancer in the area of web design and (integration of) information systems. Occasionally, I provide training material and consult third parties about software development and process automation.
When I am back at home, I love to watch a movie and hang out with my friends. My hobbies are drawing, playing music, and modeling.
The main research question for my PhD project SpySpot is:
"How can we use visualization techniques to detect (or aid in the detection of) cyber espionage and targeted malware in computer networks using deep packet inspection and automated anomaly detection techniques?"
One of the main challenges in the area of network traffic analysis is how to detect when a network is being exploited (e.g., cyber espionage, exfiltration, targeted malware). Especially for critical infrastructures (such as power plants), hackers nowadays are willing to design complex viruses to maximize the damage in one specific infrastructure. The main difficulty with Advanced Persistent Threats (APTs) is that attackers incorporate domain knowledge, so that their traffic can no longer be distinguished from regular activity by simple inspection of high-level properties (e.g., message length and destination address).
Current methods focus on the analysis of these properties, since in practice they have proven sufficient for the discovery of traditional attacks (e.g., buffer overflows, DDoS attacks). Because these techniques treat traffic content as a black box, they are unaware of anomalies at the level of semantics. The goal of SpySpot is to combine anomaly-based deep packet inspection with visualization to lay the basis for a new generation of security monitoring tools that are suitable for detecting advanced persistent threats. The analysis part enables the system to automatically "spot" anomalous behavior in network traffic, whereas visualization enables the user to gain insight into these alerts and act accordingly.
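To make the distinction between header-level and content-level anomaly detection concrete, here is an added illustration (it is not SpySpot's code and not from the original page). It uses a constructed, hypothetical "key=value" control protocol and constructed sample messages: a baseline detector that only sees (destination, length) pairs, next to a detector that parses the payload and learns per-register value ranges. The last observed message has the same destination and length as normal traffic, so only the content-level detector raises an alert.

```python
"""Header-level vs. content-level anomaly detection on constructed traffic.

Each record is a (destination, payload) pair. The header-level detector
only sees (destination, length); the content-level detector parses the
payload and checks field values against a learned baseline. The protocol
and all messages below are constructed for this example.
"""

# Constructed baseline: normal reads and writes to two hypothetical registers.
BASELINE = [
    ("10.0.0.5:502", b"op=read;reg=temp;"),
    ("10.0.0.5:502", b"op=read;reg=pres;"),
    ("10.0.0.5:502", b"op=set;reg=temp;val=0070"),
    ("10.0.0.5:502", b"op=set;reg=temp;val=0072"),
    ("10.0.0.5:502", b"op=set;reg=pres;val=0031"),
]

# Constructed observations: the last one keeps the usual destination and
# length but writes a setpoint far outside anything seen before.
OBSERVED = [
    ("10.0.0.5:502", b"op=read;reg=temp;"),
    ("10.0.0.5:502", b"op=set;reg=temp;val=0071"),  # benign
    ("10.0.0.5:502", b"op=set;reg=temp;val=0999"),  # same header, anomalous content
]


def parse(payload: bytes) -> dict:
    """Parse 'k=v;k=v;...' into a dict; anything unparsable simply yields fewer fields."""
    fields = {}
    for part in payload.decode("ascii", "replace").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


def header_detector(baseline, observed):
    """Flag indices whose (destination, length) pair never occurred in the baseline."""
    seen = {(dst, len(payload)) for dst, payload in baseline}
    return [i for i, (dst, payload) in enumerate(observed) if (dst, len(payload)) not in seen]


def learn_content_baseline(baseline):
    """Learn the set of operations and, per register, the [min, max] of written values."""
    ops, ranges = set(), {}
    for _, payload in baseline:
        f = parse(payload)
        ops.add(f.get("op"))
        if f.get("op") == "set" and "reg" in f and f.get("val", "").isdigit():
            v = int(f["val"])
            lo, hi = ranges.get(f["reg"], (v, v))
            ranges[f["reg"]] = (min(lo, v), max(hi, v))
    return ops, ranges


def content_detector(baseline, observed, margin=0.5):
    """Flag (index, reason) for messages whose parsed content breaks the learned baseline.

    'margin' widens each learned value range by a fraction of its span
    (at least 1) so that small legitimate drift does not alert.
    """
    ops, ranges = learn_content_baseline(baseline)
    alerts = []
    for i, (_, payload) in enumerate(observed):
        f = parse(payload)
        op = f.get("op")
        if op not in ops:
            alerts.append((i, f"unknown op {op!r}"))
            continue
        if op != "set":
            continue
        reg, val = f.get("reg"), f.get("val")
        if reg not in ranges:
            alerts.append((i, f"write to unseen register {reg!r}"))
            continue
        lo, hi = ranges[reg]
        slack = max(1, int(margin * (hi - lo)))
        if val is None or not val.isdigit() or not (lo - slack <= int(val) <= hi + slack):
            alerts.append((i, f"val={val} outside learned [{lo - slack}, {hi + slack}] for {reg}"))
    return alerts


if __name__ == "__main__":
    print("header-level alerts :", header_detector(BASELINE, OBSERVED))
    print("content-level alerts:", content_detector(BASELINE, OBSERVED))
```

The header-level detector returns an empty list for the constructed input, while the content-level detector reports index 2 with the out-of-range setpoint; that gap is precisely the class of alert that deep packet inspection is meant to surface and that a visualization then has to put into context for the analyst.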
The motivation for visualizing network traffic is three-fold:
|2IP90 2016: Programming|
|2IPG0 2015: Introduction to object-oriented programming|
|2IPG0 2014: Introduction to object-oriented programming|