Problem child: common patterns in malicious parent-child relationships

Presented at VB2019, Oct. 2, 2019, 2:30 p.m. (30 minutes).

The rise of machine-learning-backed security platforms has helped in the identification of malicious activity by moving away from static signatures towards an approach that can extend to previously unobserved attacks. However, it is becoming more common for malware attacks to consist of more than a standalone executable or script. Attacks often have a conspicuous process heritage that is ignored by machine-learning models that rely solely on static features (e.g. PE header metadata) to make a decision. Advanced attacker techniques such as 'living off the land', which appear normal in isolation, become more suspicious when observed in a parent-child context. The context derived from parent-child process chains can help identify and group malware families, as well as discover novel attacker techniques. Adversaries chain these techniques together to perform persistence, defence bypasses and execution actions. A common response by defenders is to write heuristics, commonly referred to as detectors, to identify these events, but they can be noisy and lead to significant alert generation. Moreover, it is difficult to correlate the generated alerts to a larger pattern of techniques used in an attack.

We present ProblemChild, a graph-based framework designed to address these issues. ProblemChild applies machine learning to derive a weighted graph that is used to identify and group communities of seemingly disparate events into larger attack sequences. ProblemChild uses statistical methods, such as conditional probability, to automatically uncover rare (or first-seen) process-level events. In combination, this framework can be used by analysts to aid in the crafting or tuning of detectors and to reduce false positives over time. We evaluate ProblemChild in a series of experiments using OceanLotus (APT32) and APT3 attacks to demonstrate its promise in identifying anomalous parent-child process chains.
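The conditional-probability idea mentioned in the abstract can be sketched as follows. This is an added example, not ProblemChild's code or anything from the talk; the event tuples, the baseline counts and the 0.1 rarity threshold are constructed assumptions.

```python
from collections import Counter

# Constructed baseline of (parent, child) process-creation events; not real telemetry.
BASELINE = (
    [("explorer.exe", "chrome.exe")] * 40
    + [("explorer.exe", "winword.exe")] * 25
    + [("explorer.exe", "cmd.exe")] * 10
    + [("winword.exe", "splwow64.exe")] * 19
    + [("winword.exe", "powershell.exe")] * 1
    + [("cmd.exe", "ipconfig.exe")] * 10
)

def fit(events):
    """Count (parent, child) pairs and parents seen in the baseline."""
    pair_counts = Counter(events)
    parent_counts = Counter(parent for parent, _ in events)
    return pair_counts, parent_counts

def child_given_parent(model, parent, child):
    """Estimate P(child | parent); None when the parent was never observed."""
    pair_counts, parent_counts = model
    total = parent_counts.get(parent, 0)
    if total == 0:
        return None
    return pair_counts.get((parent, child), 0) / total

def classify(model, parent, child, rare_threshold=0.1):
    """Label one event as common, rare, or first-seen (assumed threshold)."""
    p = child_given_parent(model, parent, child)
    if p is None:
        return "first-seen-parent"
    if p == 0:
        return "first-seen-pair"
    return "rare" if p < rare_threshold else "common"

def triage(model, events, rare_threshold=0.1):
    """Return only the events an analyst would want to review, in input order."""
    flagged = []
    for parent, child in events:
        label = classify(model, parent, child, rare_threshold)
        if label != "common":
            flagged.append((label, parent, child))
    return flagged

if __name__ == "__main__":
    model = fit(BASELINE)
    new_events = [("explorer.exe", "chrome.exe"), ("winword.exe", "powershell.exe"),
                  ("winword.exe", "cmd.exe"), ("unknown.exe", "cmd.exe")]
    for row in triage(model, new_events):
        print(row)
```

Conditioning on the parent is what separates the two cases here: `cmd.exe` is common under `explorer.exe` but unseen under `winword.exe`, which a per-process frequency count would miss.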


Presenters:

  • Bobby Filar - Endgame
    Bobby Filar is a Director of Data Science at Endgame, where he employs machine learning and natural language processing to drive cutting-edge detection and contextual understanding capabilities in Endgame's endpoint detection and response platform. In the past year he has focused on applying machine learning against process event data to provide confidence and explainability metrics for malware alerts. Previously, Bobby has worked on a variety of machine learning problems focused on natural language understanding, geospatial analysis, and adversarial tasks in the information security domain. @filar
