hack.lu 2023

Reviving our oldest Tool - Using Bayesian inference to detect cyber attacks
2023-10-19 , Salle Europe

Crowdsec is an open-source IDS/IPS and we recently added a detection capability that is based on Bayesian inference, a technique which has long been used to detect email spam. We show that this old and simple tool is still incredibly powerful and present how other threat analysts can improve their threat detection using Bayesian inference.


Crowdsec is an open source IPS/IDS that is built on the leaky bucket algorithm. This algorithm can detect a lot of common cyber attack patterns such as bruteforce attacks or exploits with known payload delivery vectors such as log4shell. However it is suboptimal at detecting attacks at the application level. To amend this we created the Bayesian bucket, which uses Bayesian inference internally to determine whether a given user is behaving in fraudulent ways. Bayesian inference has long been used to fight email spam and we show that it is quite adept at fighting other cybercrime.
In particular we present:
* How we implemented the Bayesian bucket
* How you can train it using our open source toolkit
* A demo on real world data

My name is Emanuel Seemann and I have been working as a Data Scientist at Crowdsec since 2022.
I have a degree in pure mathematics from ETH Zürich and got into programming by writing minecraft mods as a kid. Since then I have been hacking away at various coding projects in a variety of different languages. When I'm not behind my computer you can sometimes find me on the lake in a sailing boat.

This speaker also appears in: