AIDIS: Detecting and classifying anomalous behavior in ubiquitous kernel processes

Abstract

Targeted attacks on IT systems are a rising threat against the confidentiality, integrity, and availability of critical information and infrastructures. With the rising prominence of advanced persistent threats (APTs), identifying and understanding such attacks has become increasingly important. Current signature-based systems are heavily reliant on fixed patterns that struggle with unknown or evasive applications, while behavior-based solutions usually leave most of the interpretative work to a human analyst. In this article we propose AIDIS, an Advanced Intrusion Detection and Interpretation System capable of explaining anomalous behavior within a network-enabled user session by considering kernel event anomalies identified through their deviation from a set of baseline process graphs. For this purpose we adapt star structures, a bipartite representation used to approximate the edit distance between two graphs. Baseline templates are generated automatically and adapt to the nature of the respective operating system process. We prototypically implemented smart anomaly classification through a set of competency questions applied to graph template deviations and evaluated the approach using both Random Forest and linear kernel support vector machines. The determined attack classes are ultimately mapped to a dedicated APT attacker/defender meta model that considers actions, actors, as well as assets and mitigating controls, thereby enabling decision support and contextual interpretation of ongoing attacks.
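The abstract describes comparing an observed process graph against a baseline template by way of star structures, i.e. each node with its adjacent edges, and matching the two star sets to approximate graph edit distance. The following Python is an added illustration of that idea and is not AIDIS code: the two process graphs, the leaf-label encoding, the exact star cost weighting, the brute-force assignment step, and the anomaly threshold are all this example's own constructed assumptions. It also shows the interpretive step the abstract alludes to, by reporting which edge/neighbour kinds the observed process exhibits that its baseline never did.

```python
"""Added example (not AIDIS's implementation): star-structure distance between a
baseline process graph and an observed one, plus a simple deviation report."""
from collections import Counter
from itertools import permutations

# A graph is a dict: node_id -> (node_label, [(neighbour_id, edge_label), ...]).
# Adjacency is stored on both endpoints so every node's star sees all its edges.
def make_graph(node_labels, edges):
    graph = {nid: (label, []) for nid, label in node_labels.items()}
    for a, b, edge_label in edges:
        graph[a][1].append((b, edge_label))
        graph[b][1].append((a, edge_label))
    return graph

def stars(graph):
    """Star of a node: its label plus the multiset of 'edge|neighbour' leaf labels."""
    return [
        (label, Counter(f"{edge_label}|{graph[nb][0]}" for nb, edge_label in adj))
        for label, adj in graph.values()
    ]

EMPTY_STAR = (None, Counter())  # padding star standing for an inserted/deleted node

def star_distance(s1, s2):
    """Cost of editing star s1 into s2: root relabel plus leaf insert/delete/relabel.
    Comparing root labels and leaf multisets is the star-edit-distance idea; the
    exact weighting below is this example's assumption, not the paper's."""
    (r1, l1), (r2, l2) = s1, s2
    root_cost = 0 if r1 == r2 else 1
    n1, n2 = sum(l1.values()), sum(l2.values())
    common = sum((l1 & l2).values())  # multiset intersection of leaf labels
    return root_cost + abs(n1 - n2) + (max(n1, n2) - common)

def mapping_distance(g1, g2, max_nodes=8):
    """Minimum total star cost over all bijections between the two star sets
    (shorter set padded with empty stars). Brute force over permutations is fine
    for toy graphs; a real system would use an assignment solver for this step."""
    a, b = stars(g1), stars(g2)
    n = max(len(a), len(b))
    if n > max_nodes:
        raise ValueError("use an assignment (Hungarian) solver for graphs this large")
    a += [EMPTY_STAR] * (n - len(a))
    b += [EMPTY_STAR] * (n - len(b))
    return min(sum(star_distance(x, b[j]) for x, j in zip(a, perm))
               for perm in permutations(range(n)))

def deviation_report(baseline, observed):
    """Leaf labels present in the observed graph but absent from the baseline
    template: the raw material for answering 'what did this process do that it
    normally does not?' (the classification step is out of scope here)."""
    base_leaves, obs_leaves = Counter(), Counter()
    for _, leaves in stars(baseline):
        base_leaves = base_leaves | leaves
    for _, leaves in stars(observed):
        obs_leaves = obs_leaves | leaves
    return sorted((obs_leaves - base_leaves).keys())

def is_anomalous(baseline, observed, threshold=2):
    """Assumed decision rule: flag when the mapping distance exceeds a threshold."""
    return mapping_distance(baseline, observed) > threshold

# Constructed sample data: a service process that normally reads the registry,
# loads a DLL and opens a socket, and an observation where it additionally
# spawns a child process.
BASELINE = make_graph(
    {"p0": "svchost.exe", "n1": "registry", "n2": "dll", "n3": "socket"},
    [("p0", "n1", "reg_read"), ("p0", "n2", "file_read"), ("p0", "n3", "net_connect")],
)
OBSERVED = make_graph(
    {"p0": "svchost.exe", "n1": "registry", "n2": "dll", "n3": "socket", "n4": "cmd.exe"},
    [("p0", "n1", "reg_read"), ("p0", "n2", "file_read"), ("p0", "n3", "net_connect"),
     ("p0", "n4", "proc_create")],
)

if __name__ == "__main__":
    print("distance baseline->baseline:", mapping_distance(BASELINE, BASELINE))
    print("distance baseline->observed:", mapping_distance(BASELINE, OBSERVED))
    print("anomalous:", is_anomalous(BASELINE, OBSERVED))
    print("new behaviour:", deviation_report(BASELINE, OBSERVED))
```

The extra child process changes two stars (the parent gains a leaf, and a whole new node appears), so the mapping distance rises from 0 to 5 while the identical graph stays at 0; the deviation report names the new `proc_create` edge from both endpoints, which is the kind of template deviation a competency question would then classify.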
