DOI: 10.1145/2991079.2991122
Research article

HERCULE: attack story reconstruction via community discovery on correlated log graph

Published: 05 December 2016

ABSTRACT

Advanced cyber attacks consist of multiple stages aimed at being stealthy and elusive. Such attack patterns leave their footprints spatio-temporally dispersed across many different logs in victim machines. However, existing log-mining intrusion analysis systems typically target only a single type of log to discover evidence of an attack and therefore fail to exploit fundamental inter-log connections. The output of such single-log analysis can hardly reveal the complete attack story for complex, multi-stage attacks. Additionally, some existing approaches require heavyweight system instrumentation, which makes them impractical to deploy in real production environments. To address these problems, we present HERCULE, an automated multi-stage log-based intrusion analysis system. Inspired by graph analytics research in social network analysis, we model multi-stage intrusion analysis as a community discovery problem. HERCULE builds multi-dimensional weighted graphs by correlating log entries across multiple lightweight logs that are readily available on commodity systems. From these, HERCULE discovers any "attack communities" embedded within the graphs. Our evaluation with 15 well-known APT attack families demonstrates that HERCULE can reconstruct attack behaviors from a spectrum of cyber attacks that involve multiple stages with high accuracy and low false positive rates.
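The correlated-log-graph approach the abstract describes, as an added example that is not HERCULE's own code: entries from several constructed logs become nodes, an edge's weight is the number of dimensions (shared IP, PID, file name, temporal proximity) on which two entries correlate, and a weighted label-propagation pass discovers the communities. The dimensions, weights, sample entries and the propagation algorithm are assumptions chosen for illustration, not the paper's own.

```python
"""Added illustration (not HERCULE's code): correlate entries from several
constructed logs into a weighted graph, then discover communities in it.
The dimensions, weights and the label-propagation step are assumptions."""
from collections import defaultdict
from itertools import combinations

# Constructed sample entries from four lightweight logs. 'A*' mimics a
# multi-stage intrusion (lookup, download by pid 4242, dropped file, child
# process 5151, callback to the same address); 'B*' is unrelated mail traffic.
ENTRIES = {
    "A1": {"log": "dns", "t": 100, "domain": "updates.cdn.test", "ip": "203.0.113.7"},
    "A2": {"log": "firewall", "t": 102, "pid": 4242, "ip": "203.0.113.7"},
    "A3": {"log": "process", "t": 103, "pid": 4242, "file": "dropper.exe"},
    "A4": {"log": "file", "t": 104, "pid": 4242, "file": "dropper.exe"},
    "A5": {"log": "process", "t": 105, "pid": 5151, "file": "dropper.exe"},
    "A6": {"log": "firewall", "t": 109, "pid": 5151, "ip": "203.0.113.7"},
    "B1": {"log": "dns", "t": 106, "domain": "mail.example.test", "ip": "198.51.100.5"},
    "B2": {"log": "firewall", "t": 107, "pid": 9001, "ip": "198.51.100.5"},
    "B3": {"log": "process", "t": 108, "pid": 9001, "file": "outlook.exe"},
}
SHARED_KEYS = ("ip", "pid", "file", "domain")  # inter-log correlation dimensions
WINDOW = 1  # seconds; entries this close in time are temporally correlated

def edge_weight(a, b):
    """Number of dimensions on which two entries correlate (the edge weight)."""
    w = sum(1 for k in SHARED_KEYS if k in a and k in b and a[k] == b[k])
    return w + (1 if abs(a["t"] - b["t"]) <= WINDOW else 0)

def build_graph(entries):
    """Weighted adjacency over all entries; only correlated pairs get an edge."""
    graph = {n: {} for n in entries}
    for u, v in combinations(sorted(entries), 2):
        w = edge_weight(entries[u], entries[v])
        if w:
            graph[u][v] = graph[v][u] = w
    return graph

def discover_communities(graph, max_iter=50):
    """Weighted label propagation; ties go to the smallest label."""
    label = {n: n for n in graph}
    for _ in range(max_iter):
        changed = False
        for n in sorted(graph):
            score = defaultdict(int)
            for nb, w in graph[n].items():  # weight carried by each neighbour label
                score[label[nb]] += w
            best = min(score, key=lambda l: (-score[l], l)) if score else label[n]
            if best != label[n]:
                label[n], changed = best, True
        if not changed:
            break
    groups = defaultdict(set)
    for n, l in label.items():
        groups[l].add(n)
    return sorted(groups.values(), key=min)  # list of communities, attack one first here
```

The weight-1 temporal-only edges A5-B1 and B3-A6 bridge the two clusters, yet the heavier multi-dimension edges keep the intrusion entries in one community and the mail traffic in another.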

Published in: ACSAC '16: Proceedings of the 32nd Annual Conference on Computer Security Applications, December 2016, 614 pages. ISBN: 9781450347716. DOI: 10.1145/2991079

    Copyright © 2016 ACM

Publisher: Association for Computing Machinery, New York, NY, United States


Overall acceptance rate: 104 of 497 submissions (21%)
