Sequitur-based Inference and Analysis Framework for Malicious System Behavior

Targeted attacks on IT systems are a rising threat against the confidentiality of sensitive data and the availability of critical systems. With the emergence of Advanced Persistent Threats (APTs), it has become more important than ever to fully understand the particulars of such attacks. Grammar inference offers a powerful foundation for the automated extraction of behavioral patterns from sequential system traces. In order to facilitate the interpretation and analysis of APTs, we present a grammar inference system based on Sequitur, a greedy compression algorithm that constructs a context-free grammar (CFG) from string-based input data. In addition to recursive rule extraction, we expanded the procedure with automated assessment routines capable of dealing with multiple input sources and types. This enables the identification of relevant patterns in sequential corpora of arbitrary quantity and size. On the formal side, we extended the CFG with attributes that help depict the extracted (malicious) actions in a comprehensive fashion. The tool's output is automatically mapped to the grammar for further parsing and discovery-focused pattern visualization.
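To make the Sequitur step concrete, the following is an added illustration written for this page; it is not the framework's own code and the event trace it processes is constructed here, not taken from the paper. It feeds a sequence of process events (open/write/close, with one open/read/close in between) into a minimal Sequitur implementation that maintains the algorithm's two invariants after every token, digram uniqueness (no adjacent pair occurs twice in the grammar) and rule utility (every rule other than the start rule is used at least twice), and then reports each inferred rule together with its terminal expansion and usage count, which is the kind of repeated sub-sequence the abstract refers to as a behavioral pattern. Rule ids, the `Sequitur` class and the helper names are this example's own choices.

```python
"""Minimal Sequitur: infer a context-free grammar from an event trace.

Added illustration (not the paper's framework code). Terminals are strings,
non-terminals are integer rule ids, and rule 0 plays the role of the start
symbol S. After every appended token two invariants are restored:
  1. digram uniqueness - no pair of adjacent symbols occurs twice
  2. rule utility      - every rule except S is referenced at least twice
This re-scans the grammar on every step (quadratic), which is fine for a
demonstration; the original algorithm uses linked lists and a digram index
to run in linear time.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple, Union

Symbol = Union[str, int]          # str = terminal event, int = rule id
Digram = Tuple[Symbol, Symbol]
Position = Tuple[int, int]        # (rule id, index of the digram's first symbol)


class Sequitur:
    def __init__(self) -> None:
        self.rules: Dict[int, List[Symbol]] = {0: []}   # rule 0 is S
        self._next_id = 1

    def feed(self, token: str) -> None:
        """Append one event to S, then restore both invariants."""
        self.rules[0].append(token)
        self._enforce()

    def _digrams(self) -> Dict[Digram, List[Position]]:
        """Map every digram to its non-overlapping positions across all rules."""
        occ: Dict[Digram, List[Position]] = {}
        for rid, body in self.rules.items():
            for i in range(len(body) - 1):
                lst = occ.setdefault((body[i], body[i + 1]), [])
                if lst and lst[-1] == (rid, i - 1):
                    continue          # overlaps the previous occurrence ("a a a")
                lst.append((rid, i))
        return occ

    def _uses(self) -> Counter:
        """How many times each rule id is referenced anywhere in the grammar."""
        return Counter(s for body in self.rules.values() for s in body if isinstance(s, int))

    def _enforce(self) -> None:
        while True:
            dup = next(((d, p) for d, p in self._digrams().items() if len(p) > 1), None)
            if dup is not None:
                self._replace_digram(*dup)
                continue
            uses = self._uses()
            weak: Optional[int] = next((r for r in self.rules if r != 0 and uses[r] < 2), None)
            if weak is None:
                return
            self._inline(weak)

    def _replace_digram(self, d: Digram, positions: List[Position]) -> None:
        """Digram uniqueness: reuse a rule whose body is exactly d, else create one."""
        rid = next((r for r, body in self.rules.items() if r != 0 and tuple(body) == d), None)
        if rid is None:
            rid = self._next_id
            self._next_id += 1
            self.rules[rid] = list(d)
        for r, i in sorted(positions, reverse=True):   # right-to-left keeps indices valid
            if r == rid:
                continue                                # that occurrence is the rule body itself
            self.rules[r][i:i + 2] = [rid]

    def _inline(self, rid: int) -> None:
        """Rule utility: a rule used fewer than twice is expanded in place and dropped."""
        body = self.rules.pop(rid)
        for syms in self.rules.values():
            j = 0
            while j < len(syms):
                if syms[j] == rid:
                    syms[j:j + 1] = body
                    j += len(body)
                else:
                    j += 1

    def expand(self, rid: int = 0) -> List[str]:
        """Fully expand a rule back to the terminal sequence it generates."""
        out: List[str] = []
        for s in self.rules[rid]:
            out.extend(self.expand(s) if isinstance(s, int) else [s])
        return out

    def patterns(self) -> Dict[int, Tuple[List[str], int]]:
        """Every non-start rule with its terminal expansion and usage count."""
        uses = self._uses()
        return {r: (self.expand(r), uses[r]) for r in self.rules if r != 0}

    def grammar(self) -> str:
        name = lambda s: s if isinstance(s, str) else f"R{s}"
        return "\n".join(("S" if r == 0 else f"R{r}") + " -> " + " ".join(name(s) for s in body)
                         for r, body in self.rules.items())


# Constructed sample trace (not from the paper): repeated open/write/close
# with a single open/read/close in the middle.
SAMPLE_TRACE = (["open", "write", "close"] * 2
                + ["open", "read", "close"]
                + ["open", "write", "close"])


def infer(trace: List[str]) -> Sequitur:
    g = Sequitur()
    for tok in trace:
        g.feed(tok)
    return g


if __name__ == "__main__":
    g = infer(SAMPLE_TRACE)
    print(g.grammar())
    for r, (seq, n) in g.patterns().items():
        print(f"R{r} = {' '.join(seq)}  (used {n}x)")
```

On the sample trace the grammar collapses the three open/write/close triples into a single rule that is referenced three times from S, while the one-off open/read/close stays inline as terminals; checking that `expand()` reproduces the input is the quickest sanity test when adapting this to real traces.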
