Konstantin Berlin
ABSTRACT
As antivirus and network intrusion detection systems have increasingly proven insufficient to detect advanced threats, large security operations centers have moved to deploy endpoint-based sensors that provide deeper visibility into low-level events across their enterprises. Unfortunately, for many organizations in government and industry, the installation, maintenance, and resource requirements of these newer solutions pose barriers to adoption and are perceived as risks to organizations' missions. To mitigate this problem we investigated the utility of agentless detection of malicious endpoint behavior, using only the standard built-in Windows audit logging facility as our signal. We found that Windows audit logs, while emitting manageable sized data streams on the endpoints, provide enough information to allow robust detection of malicious behavior. Audit logs provide an effective, low-cost alternative to deploying additional expensive agent-based breach detection systems in many government and industrial settings, and can be used to detect, in our tests, 83% percent of malware samples with a 0.1% false positive rate. They can also supplement already existing host signature-based antivirus solutions, like Kaspersky, Symantec, and McAfee, detecting, in our testing environment, 78% of malware missed by those antivirus systems.
- Anubis. https://anubis.iseclab.org/.Google Scholar
- Cuckoo Sandbox. http://www.cuckoosandbox.org.Google Scholar
- VirtualBox. https://www.virustotal.com.Google Scholar
- VirusTotal. hhttps://www.virtualbox.org.Google Scholar
- Description of security events in Windows Vista and in Windows Server 2008. https://support.microsoft.com/en-us/kb/947226, January 2009.Google Scholar
- Visual basic platform is becoming increasingly popular among malware writers. http://www.lavasoft.com/mylavasoft/securitycenter/whitepapers/visual-basic-platform-is-becoming-increasingly-popular-among-malware, September 2012.Google Scholar
- Does malware still detect virtual machines? http://www.symantec.com/connect/blogs/does-malware-still-detect-virtual-machines, August 2014.Google Scholar
- File detection test of malicious software. http://www.av-comparatives.org/wp-content/uploads/2015/04/avc_fdt_201503_en.pdf, April 2015.Google Scholar
- B. Anderson, D. Quist, J. Neil, C. Storlie, and T. Lane. Graph-based malware detection using dynamic analysis. Journal in Computer Virology, 7(4):247--258, 2011. Google ScholarDigital Library
- K. D. Bowers, C. Hart, A. Juels, and N. Triandopoulos. Pillarbox: Combating next-generation malware with fast forward-secure logging. In Research in Attacks, Intrusions and Defenses, pages 46--67. Springer, 2014.Google Scholar
- M. Chandramohan, H. B. K. Tan, and L. K. Shar. Scalable malware clustering through coarse-grained behavior modeling. In Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering, pages 27:1--27:4. ACM, 2012. Google ScholarDigital Library
- J. Dai, R. Guha, and J. Lee. Efficient virus detection using dynamic instruction sequences. Journal of Computers, 4(5):405--414, 2009.Google ScholarCross Ref
- M. Egele, T. Scholte, E. Kirda, and C. Kruegel. A survey on automated dynamic malware-analysis techniques and tools. ACM Computing Surveys, 44(2):6, 2012. Google ScholarDigital Library
- W. Enck, P. Gilbert, S. Han, V. Tendulkar, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth. Taintdroid: An information-flow tracking system for realtime privacy monitoring on smartphones. ACM Transactions on Computer Systems, 32(2):5:1--5:29, June 2014. Google ScholarDigital Library
- D. Fleck, A. Tokhtabayev, A. Alarif, A. Stavrou, and T. Nykodym. Pytrigger: A system to trigger & extract user-activated malware behavior. In Proceedings of the 2013 International Conference on Availability, Reliability and Security, pages 92--101. IEEE, 2013. Google ScholarDigital Library
- J. H. Friedman, T. Hastie, and R. Tibshirani. Regularization paths for generalized linear models via coordinate descent. Journal of Statistical Software, 33(1):1--22, 2 2010.Google Scholar
- E. Gandotra, D. Bansal, and S. Sofat. Malware analysis and classification: A survey. Journal of Information Security, 5(02):56, 2014.Google ScholarCross Ref
- S. A. Hofmeyr, S. Forrest, and A. Somayaji. Intrusion detection using sequences of system calls. Journal of Computer Security, 6(3):151--180, 1998. Google ScholarDigital Library
- W. Lee and S. J. Stolfo. Data mining approaches for intrusion detection. In Usenix Security, 1998. Google ScholarDigital Library
- D. Ma and G. Tsudik. A new approach to secure logging. ACM Transactions on Storage, 5(1):2:1--2:21, 2009. Google ScholarDigital Library
- M. Mitzenmacher and E. Upfal. Probability and Computing: Randomized Algorithms and Probabilistic Analysis. Cambridge University Press, 2005. Google ScholarDigital Library
- A. Mohaisen and O. Alrawi. AV-meter: An evaluation of antivirus scans and labels. In Detection of Intrusions and Malware, and Vulnerability Assessment, pages 112--131. Springer, 2014.Google Scholar
- A. Mohaisen, O. Alrawi, and M. Mohaisen. Amal: High-fidelity, behavior-based automated malware analysis and classification. Computers & Security, 2015.Google ScholarCross Ref
- A. Moser, C. Kruegel, and E. Kirda. Limits of static analysis for malware detection. In Proceedings of the 23rd Computer Security Applications Conference, pages 421--430, 2007.Google ScholarCross Ref
- J. Qian, T. Hastie, J. Friedman, R. Tibshirani, and N. Simon. Glmnet for MATLAB. http://www.stanford.edu/~hastie/glmnet_matlab, 2013.Google Scholar
- N. Runwal, R. M. Low, and M. Stamp. Opcode graph similarity and metamorphic detection. Journal in Computer Virology, 8(1-2):37--52, 2012. Google ScholarDigital Library
- B. Schneier and J. Kelsey. Secure audit logs to support computer forensics. ACM Transactions on Information and System Security, 2(2):159--176, 1999. Google ScholarDigital Library
- S. Shalev-Shwartz and S. Ben-David. Understanding Machine Learning: From Theory to Algorithms. Cambridge University Press, 2014. Google ScholarDigital Library
- A. Slowinska and H. Bos. Pointless tainting?: evaluating the practicality of pointer tainting. In Proceedings of the 4th ACM European Conference on Computer Systems, pages 61--74. ACM, 2009. Google ScholarDigital Library
- R. Tibshirani. Regression shrinkage and selection via the lasso. Journal of the Royal Statistical Society. Series B (Methodological), pages 267--288, 1996.Google ScholarCross Ref
- G. Vigna. Antivirus isn't dead, it just can't keep up. http://labs.lastline.com/lastline-labs-av-isnt-dead-it-just-cant-keep-up, May 2014.Google Scholar
- C. Warrender, S. Forrest, and B. Pearlmutter. Detecting intrusions using system calls: Alternative data models. In Proceedings of the 1999 IEEE Symposium on Security and Privacy, pages 133--145. IEEE, 1999.Google ScholarCross Ref
- T.-F. Yen, A. Oprea, K. Onarlioglu, T. Leetham, W. Robertson, A. Juels, and E. Kirda. Beehive: Large-scale log analysis for detecting suspicious activity in enterprise networks. In Proceedings of the 29th Annual Computer Security Applications Conference, pages 199--208. ACM, 2013. Google ScholarDigital Library
- H. Yin, D. Song, M. Egele, C. Kruegel, and E. Kirda. Panorama: capturing system-wide information flow for malware detection and analysis. In Proceedings of the 14th ACM Conference on Computer and Communications Security, pages 116--127. ACM, 2007. Google ScholarDigital Library
Index Terms
- Malicious Behavior Detection using Windows Audit Logs
Recommendations
Smart malware detection on Android
Nowadays, because of its increased popularity, Android is target to a growing number of attacks and malicious applications, with the purpose of stealing private information and consuming credit by subscribing to premium services. Most of the current ...
Malicious SSL Certificate Detection: A Step Towards Advanced Persistent Threat Defence
ICFNDS '17: Proceedings of the International Conference on Future Networks and Distributed SystemsAdvanced Persistent Threat (APT) is one of the most serious types of cyber attacks, which is a new and more complex version of multistep attack. Within the APT life cycle, continuous communication between infected hosts and Command and Control (C&C) ...
Where Only Fools Dare to Tread: An Empirical Study on the Prevalence of Zero-Day Malware
ICIMP '09: Proceedings of the 2009 Fourth International Conference on Internet Monitoring and ProtectionZero-day malware is malware that is based on zero-day exploits and/or malware that is otherwise so new that it is not detected by any anti-virus or anti-malware scanners. This paper presents an empirical study that exposed updated Micsosoft Windows XP ...
Comments