ProblemChild: Discovering Anomalous Patterns based on Parent-Child Process Relationships

08/11/2020
by Bobby Filar, et al.

It is becoming more common for adversary attacks to consist of more than a standalone executable or script. Often, evidence of an attack includes conspicuous process heritage that traditional static machine learning models may ignore. Advanced attacker techniques such as "living off the land", which appear normal in isolation, become more suspicious when observed in a parent-child context. The context derived from parent-child process chains can help identify and group malware families, as well as discover novel attacker techniques. Adversaries chain these techniques to achieve persistence, bypass defenses, and execute actions. Traditional heuristic-based detections often generate noise, or disparate events that in fact belong to a single attack. ProblemChild is a graph-based framework designed to address these issues. ProblemChild applies a supervised learning classifier to derive a weighted graph, which is used to group seemingly disparate events into communities that form larger attack sequences. ProblemChild then applies conditional probability to automatically rank anomalous communities and to suppress commonly occurring parent-child chains. In combination, this framework can be used by analysts to aid in crafting or tuning detectors and to reduce false positives over time. We evaluate ProblemChild against the 2018 MITRE ATT&CK(TM) emulation of the APT3 attack to demonstrate its promise in identifying anomalous parent-child process chains.
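The ranking and suppression step described in the abstract, as an added illustration rather than the paper's own code: a parent-child edge is scored by its conditional probability P(child | parent) estimated from fleet-wide counts, edges that are common across the fleet are suppressed, and the remaining edges in one process-tree "session" are summed into a community score so that chains of individually rare launches rise to the top. The sample telemetry, the use of a session id in place of the paper's classifier-derived weighted graph, and the Laplace smoothing are all assumptions made for this example.

```python
from collections import Counter, defaultdict
from math import log


def repeat(n, prefix, chain):
    """Emit n sessions that each contain the same chain of (parent, child) launches."""
    return [(f"{prefix}{i}", parent, child) for i in range(n) for parent, child in chain]


# Constructed sample telemetry: (session, parent process, child process). The
# session id stands in for the process-tree ancestry an endpoint sensor would
# carry, so events in one session are the candidate members of one community.
# (Assumption for this example; the paper derives communities from a weighted graph.)
EVENTS = (
    repeat(50, "login", [("winlogon.exe", "explorer.exe"), ("explorer.exe", "outlook.exe")])
    + repeat(40, "browse", [("explorer.exe", "chrome.exe")])
    + repeat(30, "svc", [("services.exe", "svchost.exe")])
    + repeat(5, "doc", [("explorer.exe", "winword.exe")])
    + [
        ("odd1", "explorer.exe", "winword.exe"),
        ("odd1", "winword.exe", "cmd.exe"),
        ("odd1", "cmd.exe", "powershell.exe"),
    ]
)


def build_model(events):
    """Count every parent->child edge and every parent so P(child | parent) can be derived."""
    edges = Counter((parent, child) for _, parent, child in events)
    parents = Counter(parent for _, parent, _ in events)
    children = {child for _, _, child in events}
    return {"edges": edges, "parents": parents, "vocab": len(children)}


def conditional_probability(model, parent, child, alpha=1.0):
    """Laplace-smoothed P(child | parent).

    Smoothing (an assumption of this example) keeps a parent seen only once
    from scoring its single child as a certain, and therefore benign, launch.
    """
    numerator = model["edges"][(parent, child)] + alpha
    denominator = model["parents"][parent] + alpha * model["vocab"]
    return numerator / denominator


def rank_communities(events, model, suppress_above=0.3):
    """Group events by session, suppress fleet-wide common chains, rank what remains.

    Each surviving edge contributes -log P(child | parent); a session's score is
    the sum, so a long chain of rare launches outranks one isolated rare launch.
    Sessions whose edges are all suppressed never reach the analyst.
    """
    communities = defaultdict(list)
    for session, parent, child in events:
        p = conditional_probability(model, parent, child)
        if p >= suppress_above:
            continue  # commonly observed chain: suppressed
        communities[session].append((parent, child, -log(p)))
    ranked = [
        (session, sum(score for _, _, score in edges), edges)
        for session, edges in communities.items()
    ]
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked


if __name__ == "__main__":
    model = build_model(EVENTS)
    for session, score, edges in rank_communities(EVENTS, model):
        chain = " -> ".join([edges[0][0]] + [child for _, child, _ in edges])
        print(f"{session:>8}  score={score:.2f}  {chain}")
```

With the constructed data, the routine login, browsing and service sessions are suppressed entirely, the five document sessions surface with a single rare edge each, and the session whose office document goes on to spawn an interpreter chain ranks first because three rare edges accumulate. Tuning `suppress_above` against real telemetry is the knob an analyst would use to trade noise for coverage.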
