Sequitur-based Inference and Analysis Framework for Malicious System Behavior

Robert Luh, Gregor Schramm, Markus Wagner, Sebastian Schrittwieser

2017

Abstract

Targeted attacks on IT systems are a rising threat to the confidentiality of sensitive data and the availability of critical systems. With the emergence of Advanced Persistent Threats (APTs), it has become more important than ever to fully understand the particulars of such attacks. Grammar inference offers a powerful foundation for the automated extraction of behavioral patterns from sequential system traces. To facilitate the interpretation and analysis of APTs, we present a grammar inference system based on Sequitur, a greedy compression algorithm that builds a context-free grammar (CFG) from string-based input data. Beyond recursive rule extraction, we expand the procedure with automated assessment routines that handle multiple input sources and types, which enables the identification of relevant patterns in sequential corpora of arbitrary quantity and size. On the formal side, we extend the CFG with attributes that help depict the extracted (malicious) actions comprehensively. The tool's output is automatically mapped to the grammar for further parsing and discovery-focused pattern visualization.
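The inference step the abstract describes, as an added example that is not code from the paper or its framework: a compact Python version of Nevill-Manning and Witten's Sequitur that consumes a trace one event at a time and maintains the algorithm's two invariants, digram uniqueness (no pair of adjacent symbols occurs twice anywhere in the grammar) and rule utility (every rule is referenced at least twice). It finds a repeated digram by scanning the grammar instead of keeping Sequitur's digram index, so it runs in quadratic rather than linear time; for traces like the one below the grammar comes out the same. The class and function names are my own, and SAMPLE_TRACE is a constructed sequence of system-call names, not telemetry from the paper.

```python
from typing import Dict, Iterable, List, Optional


class Rule:  # body = circular doubly linked list of Sym behind a guard sentinel
    def __init__(self) -> None:
        self.guard = Sym(None, guard=self)
        self.guard.prev = self.guard.next = self.guard

    def syms(self):
        s = self.guard.next
        while s is not self.guard:
            yield s
            s = s.next


class Sym:  # one terminal (str) or nonterminal (Rule) occurrence in a body
    def __init__(self, val, guard: Optional[Rule] = None) -> None:
        self.val, self.guard = val, guard  # guard is set only on the sentinel
        self.prev = self.next = None


def link_after(a: Sym, s: Sym) -> None:
    s.prev, s.next = a, a.next
    a.next.prev = a.next = s


class Sequitur:
    def __init__(self, trace: Iterable[str] = ()) -> None:
        self.rules: List[Rule] = [Rule()]  # rules[0] is the start rule S
        for event in trace:
            self.feed(event)

    def feed(self, event: str) -> None:  # append one event to S, restore both invariants
        s = Sym(event)
        link_after(self.rules[0].guard.prev, s)
        self._check(s.prev)

    def grammar(self) -> Dict[str, List[str]]:
        name = {r: "S" if i == 0 else f"R{i}" for i, r in enumerate(self.rules)}
        return {name[r]: [name[x.val] if isinstance(x.val, Rule) else x.val
                          for x in r.syms()] for r in self.rules}

    def _find(self, a: Sym) -> Optional[Sym]:
        """Another, non-overlapping occurrence of the digram (a, a.next)."""
        d = (a.val, a.next.val)
        for r in self.rules:
            for x in r.syms():
                if x is a or x.next is a or x is a.next or x.next.guard:
                    continue
                if (x.val, x.next.val) == d:
                    return x
        return None

    def _check(self, a: Sym) -> bool:
        """Digram uniqueness: fold (a, a.next) into a rule if it occurs elsewhere."""
        if a.guard or a.next.guard:
            return False
        m = self._find(a)
        if m is None:
            return False
        if m.prev.guard and m.next.next.guard:
            rule = m.prev.guard  # the match is a whole rule body: reuse that rule
            self._substitute(a, rule)
        else:
            rule = Rule()  # otherwise mint a rule for the digram and use it twice
            self.rules.append(rule)
            link_after(rule.guard, Sym(a.next.val))
            link_after(rule.guard, Sym(a.val))
            self._substitute(m, rule)
            self._substitute(a, rule)
        # rule utility: a rule left with a single reference is inlined and dropped
        for s in list(rule.syms()):
            refs = sum(x.val is s.val for r in self.rules for x in r.syms())
            if isinstance(s.val, Rule) and refs == 1:
                self._expand(s)
        return True

    def _substitute(self, a: Sym, rule: Rule) -> None:
        """Replace (a, a.next) by one nonterminal and check the digrams it forms."""
        left = a.prev
        for x in (a.next, a):
            x.prev.next, x.next.prev = x.next, x.prev  # unlink x
        s = Sym(rule)
        link_after(left, s)
        if not self._check(left):  # if (left, s) was folded, s no longer exists
            self._check(s)

    def _expand(self, s: Sym) -> None:
        """Splice the body of the rule that s references into s's place."""
        rule, left, right = s.val, s.prev, s.next
        first, last = rule.guard.next, rule.guard.prev
        left.next, first.prev, last.next, right.prev = first, left, right, last
        rule.guard.prev = rule.guard.next = rule.guard
        self.rules.remove(rule)


# Constructed sample trace (not real telemetry): two file rounds, then two network rounds.
SAMPLE_TRACE = "open read write close open read write close connect send connect send".split()
GRAMMAR = Sequitur(SAMPLE_TRACE).grammar()
```

Sequitur(SAMPLE_TRACE).grammar() yields S -> R1 R1 R2 R2, R1 -> open read write close, R2 -> connect send: each repeated round of file handling and of network activity collapses into one rule, which is the kind of recurring pattern the framework then attributes and visualizes. Because a rule is inlined as soon as its reference count drops to one, a pattern that only ever occurs inside a larger pattern never survives as a separate rule; R1 above absorbed the intermediate rules for "open read" and "open read write" that were created while the trace was being read.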



Paper Citation


in Harvard Style

Luh R., Schramm G., Wagner M. and Schrittwieser S. (2017). Sequitur-based Inference and Analysis Framework for Malicious System Behavior. In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ForSE, (ICISSP 2017) ISBN 978-989-758-209-7, pages 632-643. DOI: 10.5220/0006250206320643


in Bibtex Style

@conference{forse17,
author={Robert Luh and Gregor Schramm and Markus Wagner and Sebastian Schrittwieser},
title={Sequitur-based Inference and Analysis Framework for Malicious System Behavior},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ForSE, (ICISSP 2017)},
year={2017},
pages={632-643},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006250206320643},
isbn={978-989-758-209-7},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ForSE, (ICISSP 2017)
TI - Sequitur-based Inference and Analysis Framework for Malicious System Behavior
SN - 978-989-758-209-7
AU - Luh R.
AU - Schramm G.
AU - Wagner M.
AU - Schrittwieser S.
PY - 2017
SP - 632
EP - 643
DO - 10.5220/0006250206320643