
Autonomous Timeline Analysis and Threat Hunting: Timesketch AI Agent.pdf

Uploaded by: 竿*** ID: 981946 2025-11-29 66 pages 3.66 MB

#BHUSA @BlackHatEvents

Autonomous Timeline Analysis and Threat Hunting
AI Log Reasoning Capability in Timesketch
Alex Kantchelian, Marteen Van Dantzig, Diana Kramer, Janosch Küpper, Eric Morley, Sadegh Momeni, Yanis Pavlidis, Elie Bursztein, with the help of many Googlers

4,000,000: average number of events on a freshly installed Windows server

Agenda
- Sec-Gemini's Log Reasoning Capability
- Forensics 101
- The Log Volume Problem
- Timesketch with Sec-Gemini
- Evaluation

The Log Volume Problem: finding the needle in a haystack

Anatomy of a Windows 2022 base image
- 3.1M filesystem events (e.g. file creation/modification)
- 400k registry events
- 350k UsnJrnl events
- 50k executable events
- 40k exec events (per day)
- 4,000,000+ events in total, and that excludes sources like netflow, DNS and other system logs

The log volume problem
- Attackers can look like normal users
- One attack creates a dozen log types
- The signal is buried in the noise

Forensics 101, and how we do it at Google

Three phases of forensics
- Collection: fetch artifacts (disk images, process executions, and event/auth logs)
- Processing: convert into a friendlier format; parse, normalize, and enrich the data
- Analysis: review the artifacts; explore the timeline and check for indicators

Forensics with open source tools
- Collection: libcloudforensics collects artifacts from cloud providers
- Processing: Plaso builds timelines from the collected artifacts
- Analysis: Timesketch enables collaborative timeline investigations

[Pipeline diagram: mvd-gcp-project, GCE disk image (copy), /tmp/disk- ... (truncated in extraction)]
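The two points the deck makes about volume (a base image is millions of events, and one attack is smeared across a dozen log types) and the analysis step it describes (explore the timeline, check for indicators) can be shown on a small Plaso-shaped timeline. The following is an added Python example, not code from the talk, Plaso or Timesketch: it counts events per data_type (the "anatomy" view), searches for indicator strings, and then pivots around the first hit in a time window so the filesystem, USN journal, registry, event-log and prefetch traces of the same action appear together. Every event, path, registry key and the attack sequence itself is constructed sample data; the data_type names follow Plaso's naming but the rows are invented.

```python
"""Triage of a Plaso-style timeline: per-source counts, indicator search, time pivot.

Added example (not from the Black Hat deck, Plaso or Timesketch). All events
below are constructed sample data: the paths, registry keys and the attack
sequence are hypothetical.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone


def ts(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp as UTC (Plaso stores all timestamps in UTC)."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def ev(when: str, data_type: str, message: str) -> dict:
    """Build one timeline row with the fields Timesketch takes from Plaso."""
    return {"datetime": ts(when), "data_type": data_type, "message": message}


# Constructed sample timeline, sorted by time. Six benign rows mimic the
# filesystem/registry/event-log noise of a base image; six rows around
# 10:00:00 are one hypothetical attack spread across five artifact types.
EVENTS = [
    ev("2025-03-01T09:12:00", "fs:stat", r"C:\Windows\System32\catroot2\edb.log"),
    ev("2025-03-01T09:12:00", "fs:ntfs:usn_change", "edb.log USN_REASON_DATA_EXTEND"),
    ev("2025-03-01T09:30:45", "windows:registry:key_value",
       r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"),
    ev("2025-03-01T09:59:40", "fs:stat", r"C:\Windows\Prefetch\SVCHOST.EXE-1234ABCD.pf"),
    ev("2025-03-01T10:00:00", "windows:evtx:record",
       "Event 4688: New Process: powershell.exe -nop -w hidden -enc <base64>"),
    ev("2025-03-01T10:00:03", "fs:ntfs:usn_change", "update.exe USN_REASON_FILE_CREATE"),
    ev("2025-03-01T10:00:03", "fs:stat", r"C:\Users\Public\update.exe"),
    ev("2025-03-01T10:00:07", "windows:registry:key_value",
       r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run Updater = C:\Users\Public\update.exe"),
    ev("2025-03-01T10:00:12", "windows:evtx:record", r"Event 4698: Scheduled task created: \Updater"),
    ev("2025-03-01T10:00:15", "windows:prefetch:execution", "UPDATE.EXE was run 1 time"),
    ev("2025-03-01T10:05:30", "windows:evtx:record",
       "Event 7036: The Windows Update service entered the running state."),
    ev("2025-03-01T10:45:00", "fs:stat", r"C:\Windows\Logs\CBS\CBS.log"),
]

# Hypothetical indicators an analyst might carry into the hunt.
INDICATORS = ["-enc", r"C:\Users\Public", r"CurrentVersion\Run"]


def count_by_data_type(events):
    """The 'anatomy' view: how many events each parser/source contributed."""
    return Counter(e["data_type"] for e in events)


def indicator_hits(events, indicators):
    """Case-insensitive substring search of each indicator over event messages."""
    needles = [i.lower() for i in indicators]
    return [e for e in events if any(n in e["message"].lower() for n in needles)]


def pivot(events, anchor, window_seconds=60):
    """Everything within +/- window_seconds of an anchor event, in time order.

    This is the manual Timesketch move after a hit: widen the view so the
    filesystem, registry, journal and execution traces of the same action
    show up together instead of as isolated rows in different sources.
    """
    lo = anchor["datetime"] - timedelta(seconds=window_seconds)
    hi = anchor["datetime"] + timedelta(seconds=window_seconds)
    return sorted((e for e in events if lo <= e["datetime"] <= hi), key=lambda e: e["datetime"])


def triage(events, indicators, window_seconds=60):
    """Run the three steps and report hit count, cluster size and source breadth."""
    hits = indicator_hits(events, indicators)
    cluster = pivot(events, hits[0], window_seconds) if hits else []
    return {
        "hits": len(hits),
        "cluster_size": len(cluster),
        "cluster_sources": sorted({e["data_type"] for e in cluster}),
        "noise_fraction": 1 - len(cluster) / len(events),
    }


if __name__ == "__main__":
    for data_type, n in count_by_data_type(EVENTS).most_common():
        print(f"{n:>4}  {data_type}")
    print(triage(EVENTS, INDICATORS))
    for e in pivot(EVENTS, indicator_hits(EVENTS, INDICATORS)[0]):
        print(e["datetime"].strftime("%H:%M:%S"), e["data_type"], e["message"])
```

On the constructed data the three indicators match only three rows, yet a 60-second pivot around the first hit pulls in seven rows from five different data types, which is the point of the "dozen log types" slide: the indicator finds one thread, the timeline pivot recovers the rest of the action. On a real 4M-event image the same window would also drag in a large amount of benign activity (here the 09:59:40 prefetch row plays that role), which is exactly the noise an analyst, or an agent, has to reason through.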

Based on the report's content, the full deck mainly covers the application of Sec-Gemini to log reasoning and threat hunting. Key points: 1. **The log volume problem**: a modern server holds millions of events, and an attacker can hide inside normal user behaviour, so finding attack traces in that mass of logs is hard. 2. **Sec-Gemini**: an experimental log-reasoning capability that processes and analyses large volumes of logs automatically in order to identify signs of an attack. 3. **An exploration graph as memory**: Sec-Gemini represents the state of an investigation as an exploration graph that it builds and updates through logical reasoning and by correlating records. 4. **Evaluation**: on real-world cases, Sec-Gemini identified 53% of the key attack indicators at a cost of under $3. 5. **AI principles**: Sec-Gemini follows the principles of being transparent, verifiable, explainable, traceable and protected, so that its analysis stays sound and reliable.