Post on 10-Jun-2015
PACUMEN: “packet acumen”
WHO ARE WE?
PRASAD RAO – HP LABS
BRANDON NIEMCZYK – HP DVLABS
WHAT IS PACUMEN ?
A tool to identify what applications are being used over an encrypted tunnel.
ACADEMIA HAS PRODUCED PAPERS…
Where’s the code?
PREVIOUS WORK
Results only.
Focus on one application at a time.
Results are difficult to interpret.
HOW DOES PACUMEN WORK?
PACUMEN learns by example.
HOW DOES PACUMEN WORK?
[Diagram: Collect Example Data -> Train PACUMEN -> Classifier; Provide new data from network/pcap -> Classify new data]
10 Collect Training Data
20 Build Classifier
30 Get unknown data
40 Classify unknown data
50 GOTO 30
HOW DOES PACUMEN WORK?
[Diagram labels: A B A; SIZE A, SIZE B, IRRELEVANT SIZE; 1 2 3; 10 seconds; CLASSIFY; UPDATE CONFIDENCE]
HOW DOES PACUMEN WORK?
Multiple types of classifiers can be created.
- Decision Trees
- Mixed Gaussian Likelihood functions
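An added illustration (not PACUMEN's code and not from the slides) of the learn-by-example loop above: per-window packet-size counts feed one Gaussian likelihood per application, and the confidence is updated as each 10-second window arrives. The size bands, the labels `interactive` and `bulk`, the single-Gaussian-per-feature simplification and all traffic are assumptions constructed for the example.

```python
import math
from collections import defaultdict
WINDOW = 10.0  # seconds per window (from the slide); the size bands below are assumed

def features(packets, band_a=(0, 200), band_b=(1200, 1500)):
    """(timestamp, size) pairs -> per-window (band A count, band B count)."""
    wins = defaultdict(lambda: [0, 0])
    for ts, size in packets:
        counts = wins[int(ts // WINDOW)]
        if band_a[0] <= size <= band_a[1]:
            counts[0] += 1
        elif band_b[0] <= size <= band_b[1]:
            counts[1] += 1  # sizes in neither band are ignored
    return [tuple(wins[w]) for w in sorted(wins)]

def train(examples):
    """{label: [feature rows]} -> {label: [(mean, variance) per feature]}."""
    def fit(col):
        mean = sum(col) / len(col)
        var = sum((x - mean) ** 2 for x in col) / len(col)
        return mean, max(var, 1.0)  # floor avoids a zero variance
    return {label: [fit(c) for c in zip(*rows)] for label, rows in examples.items()}

def log_likelihood(stats, row):
    return sum(-0.5 * (math.log(2 * math.pi * v) + (x - m) ** 2 / v)
               for (m, v), x in zip(stats, row))

def classify(model, rows):
    """Add evidence one window at a time; return (best label, confidence) per window."""
    score = dict.fromkeys(model, 0.0)  # uniform prior over labels
    steps = []
    for row in rows:
        for label, stats in model.items():
            score[label] += log_likelihood(stats, row)
        best = max(score, key=score.get)
        norm = sum(math.exp(s - score[best]) for s in score.values())
        steps.append((best, 1.0 / norm))
    return steps

def synth(n_small, n_large, n_windows):
    """Constructed sample traffic, with one ignored 600-byte packet per window."""
    one = [(0.01 * i, 80) for i in range(n_small)]
    one += [(5 + 0.01 * i, 1400) for i in range(n_large)] + [(9.0, 600)]
    return [(w * WINDOW + off, size) for w in range(n_windows) for off, size in one]

if __name__ == "__main__":
    model = train({"interactive": features(synth(40, 2, 3)) + features(synth(50, 4, 3)),
                   "bulk": features(synth(5, 60, 3)) + features(synth(8, 80, 3))})
    print(classify(model, features(synth(44, 3, 4))))
```

Only packet sizes and timing are used, which is the metadata that stays visible when the payload is encrypted.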
DECISION TREES
Is it a dog or a house cat?
Is it heavier than fifteen pounds?
Does it bark?
Probably a cat
Probably a dog
Probably a dog
MIXED GAUSSIANS
M =
DEMO TIME!
THANK YOU
Any Questions?
PACUMEN - https://github.com/bniemczyk/pacumen.git
Prasad Rao – prasad.rao@hp.com
Brandon Niemczyk – insecurity@hp.com
Vib Chhabra – vaibhav.chhabra@hp.com