MART: Targeted attack detection on a compromised network

Targeted attacks are a significant problem for governmental agencies and corporations. We propose MART, a MinHash-based targeted attack detection system that analyzes aggregated process creation events, typically those generated by human keyboard input. We start with a set of malicious process creation events and their parameters, which are typically generated by an attacker remotely controlling computers on a network. The MinHash algorithm allows the system to efficiently process hundreds of millions of events each day. We propose the weighted squared match similarity score for targeted attack detection, which is more robust to mimicry and NOOP attacks than the weighted Jaccard index. We demonstrate that the system can detect several confirmed targeted attacks on both a small dataset of 1,473 computers and a large network of over 230 thousand computers. In the first case, the proposed system detects a similar but separate attack; in the latter, intrusion activity is detected at large scale.
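As an added illustration (not the paper's code), the block below sketches a host's process-creation events with MinHash, estimates the host's Jaccard similarity to a known set of attacker-driven events, and shows how a NOOP attack that pads the session with unrelated processes dilutes that score. The paper's weighted squared match score is not defined on this page, so a plain containment score stands in as one padding-robust alternative; all event names and host sets are constructed for the example.

```python
import hashlib
import random
from typing import List, Set

# Constructed sample data (hypothetical, not from the paper's dataset): process
# image names taken from process-creation events. KNOWN_ATTACK is a set of events
# previously confirmed as attacker-driven; the other two are observed hosts.
KNOWN_ATTACK = {"whoami.exe", "ipconfig.exe", "tasklist.exe", "systeminfo.exe",
                "net.exe", "netstat.exe", "nslookup.exe", "qwinsta.exe"}
BENIGN_HOST = {"explorer.exe", "outlook.exe", "winword.exe", "chrome.exe",
               "teams.exe", "onedrive.exe", "searchui.exe", "taskhostw.exe"}
# A host where the known sequence reappears but is padded with ordinary processes
# plus 8 filler processes (a NOOP attack) to dilute set-based similarity.
NOOP_HOST = KNOWN_ATTACK | BENIGN_HOST | {f"filler{i}.exe" for i in range(8)}

NUM_HASHES = 256
_PRIME = (1 << 61) - 1  # Mersenne prime; permutation i is h_i(x) = (a_i*x + b_i) mod p


def _base_hash(event: str) -> int:
    """Stable 64-bit hash of an event so sketches are comparable across runs."""
    return int.from_bytes(hashlib.blake2b(event.encode(), digest_size=8).digest(), "big")


def minhash(events: Set[str], num_hashes: int = NUM_HASHES, seed: int = 1) -> List[int]:
    """MinHash sketch: for each of num_hashes random permutations keep the minimum
    hash over the set. Two sketches agree at position i with probability J(A, B)."""
    rng = random.Random(seed)
    coeffs = [(rng.randrange(1, _PRIME), rng.randrange(0, _PRIME)) for _ in range(num_hashes)]
    hashes = [_base_hash(e) for e in events]
    return [min((a * h + b) % _PRIME for h in hashes) for a, b in coeffs]


def estimated_jaccard(s1: List[int], s2: List[int]) -> float:
    """Fraction of matching sketch positions: an unbiased estimate of the Jaccard index."""
    return sum(x == y for x, y in zip(s1, s2)) / len(s1)


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Exact Jaccard index |A & B| / |A | B| for comparison with the estimate."""
    return len(a & b) / len(a | b)


def containment(known: Set[str], observed: Set[str]) -> float:
    """Share of the known attack events present on the host. Unlike Jaccard it is
    not diluted when the attacker pads the session with unrelated processes."""
    return len(known & observed) / len(known)
```

For the padded host, Jaccard falls to 8/24 although every known attack event is present, while containment stays at 1.0; the MinHash estimate tracks the exact Jaccard value to within sampling error.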
