
    Triage of IoT Attacks Through Process Mining

    The impressive growth of the IoT in recent years has come together with a surge in cyber attacks that target it. Factories adhering to digital transformation programs are quickly adopting the IoT paradigm and are thus increasingly exposed to a large number of cyber threats that need to be detected, analyzed and appropriately mitigated. In this scenario, a common approach in large organizations is to set up an attack triage system, in which security operators can cherry-pick new attack patterns requiring further in-depth investigation from the mass of known attacks that can be handled automatically. In this paper, we propose an attack triage system that helps operators quickly identify attacks with unknown behaviors and later analyze them in detail. The novelty of our solution lies in the use of process mining techniques to model known attacks and identify new variants. We demonstrate the feasibility of our approach through an evaluation based on three well-known IoT botnets, BASHLITE, LIGHTAIDRA and MIRAI, and on real current attack patterns collected through an IoT honeypot.
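    The triage idea in this abstract, as an added example that is not the paper's code: each known botnet family is modelled as a directly-follows graph (the simplest process-mining model) discovered from its sessions, and a new honeypot session is scored by how many of its own consecutive event pairs that model can replay. A session no model explains well is escalated to an operator. The sessions, event names and threshold below are constructed for illustration and are not real honeypot data.

```python
"""
Directly-follows-graph triage of IoT attack sessions (added example).

Each family's model is the set of (event, next_event) pairs seen in its known
sessions, with frequencies. A new session's fitness against a model is the
fraction of its own directly-follows pairs the model contains; the best
fitting family is reported, and sessions below a threshold are escalated.
"""
from collections import Counter

# Constructed training sessions (hypothetical command classes, not real logs).
KNOWN_SESSIONS = {
    "family_A": [
        ["login", "enable", "sh", "busybox_check", "wget", "chmod", "exec"],
        ["login", "enable", "sh", "busybox_check", "tftp", "chmod", "exec"],
    ],
    "family_B": [
        ["login", "cat_proc", "wget", "chmod", "exec", "rm"],
        ["login", "cat_proc", "tftp", "chmod", "exec", "rm"],
    ],
}


def directly_follows(session):
    """All (a, b) pairs of consecutive events in one session."""
    return list(zip(session, session[1:]))


def discover_dfg(sessions):
    """Directly-follows graph as Counter: edge -> number of occurrences."""
    dfg = Counter()
    for s in sessions:
        dfg.update(directly_follows(s))
    return dfg


def fitness(session, dfg):
    """Fraction of the session's edges present in the model (1.0 = fully replayable)."""
    pairs = directly_follows(session)
    if not pairs:
        return 0.0
    return sum(1 for p in pairs if p in dfg) / len(pairs)


def triage(session, models, threshold=0.9):
    """Return (verdict, best_family, score, unexplained_edges).

    verdict is 'known_variant' when the best model replays at least
    `threshold` of the session, otherwise 'escalate' for manual analysis.
    """
    best_family, best_score = None, -1.0
    for fam, dfg in models.items():
        score = fitness(session, dfg)
        if score > best_score:
            best_family, best_score = fam, score
    unexplained = [p for p in directly_follows(session) if p not in models[best_family]]
    verdict = "known_variant" if best_score >= threshold else "escalate"
    return verdict, best_family, best_score, unexplained


# One model per known family.
MODELS = {fam: discover_dfg(ss) for fam, ss in KNOWN_SESSIONS.items()}

if __name__ == "__main__":
    # Known commands in an order no family model has seen: a new-variant candidate.
    new_session = ["login", "enable", "sh", "busybox_check", "wget", "chmod", "exec", "rm"]
    print(triage(new_session, MODELS))
```

The unexplained edge list is what an operator would look at first: it names exactly the transitions that distinguish the new session from the closest known family. The threshold and the choice of a plain directly-follows graph are illustrative; a Petri-net or alignment-based conformance check would give finer-grained deviations.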

    On Detecting Vulnerability Exploitation That Leads to Malicious Code Execution (Об обнаружении эксплуатации уязвимостей, приводящей к запуску вредоносного кода)

    Software can be protected from exploitation of possibly unknown vulnerabilities either by finding the vulnerabilities (for example, with symbolic execution) and then eliminating them, or by using intrusion detection and/or prevention systems. In the latter case the problem is usually solved by forming a profile of normal program behaviour; a deviation from that profile beyond a predetermined threshold is treated as an anomaly or an attack. This paper addresses the task of protecting a given executable (program) P from exploitation of unknown vulnerabilities in it. For this purpose a method is proposed for constructing a profile of the normal execution of P in which, in addition to the set of legal chains of system and library function calls of length l, the distance between adjacent function calls is taken into account, computed as the difference between the call addresses of the respective functions. A separate profile is formed for each program. Taking the distances between calls into account makes it possible to detect execution of malicious shellcode that uses system and/or library function calls, provided that at least one of the calls made by the shellcode is at a distance from the preceding call that is atypical for P. An algorithm and a system for detecting anomalous code execution are constructed, and experiments are carried out for the case in which P is the Firefox browser on Windows; the experiments investigate whether the developed algorithm can identify anomalous behaviour when publicly available exploits are launched.
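    The profile described in this abstract, as an added example that is not the paper's implementation: a trace is a list of (function, call-site address) pairs, the profile stores the legal chains of length l plus, for every adjacent pair of functions, the set of call-site distances seen in normal runs, and detection flags both unseen chains and known transitions at an unseen distance. The API names, the addresses (a hypothetical text section around 0x00401000 and a stack buffer around 0x0019f800), the chain length and the traces are all constructed for illustration; in practice the traces would come from hooking the target program over many runs.

```python
"""
Normal-execution profile with call chains and call-site distances (added example).

Each trace entry is (function_name, call_site_address). The profile holds:
  - the set of legal chains of l consecutive function names, and
  - for each (prev_function, function) transition, the set of
    |call_site - prev_call_site| distances observed in normal runs.
A trace is anomalous if it contains an unseen chain or a known transition
whose distance is not in the profile (within an optional slack).
"""
from collections import defaultdict

L = 3  # chain length l (hypothetical choice for this example)

# Constructed normal traces: call sites inside the program's own code region.
NORMAL_TRACES = [
    [("CreateFileW", 0x00401234), ("ReadFile", 0x00401260), ("CloseHandle", 0x0040129A),
     ("VirtualAlloc", 0x00405010), ("memcpy", 0x00405040), ("VirtualFree", 0x00405080)],
    [("CreateFileW", 0x00401234), ("ReadFile", 0x00401260), ("CloseHandle", 0x0040129A),
     ("VirtualAlloc", 0x00405010), ("memcpy", 0x00405040), ("VirtualFree", 0x00405080)],
]

# Constructed attack trace: same legal call order, but the last three calls are
# issued from shellcode on the stack, so CloseHandle -> VirtualAlloc spans an
# atypical distance. Chain checking alone would not notice this.
SHELLCODE_TRACE = [
    ("CreateFileW", 0x00401234), ("ReadFile", 0x00401260), ("CloseHandle", 0x0040129A),
    ("VirtualAlloc", 0x0019F8A0), ("memcpy", 0x0019F8D0), ("VirtualFree", 0x0019F910),
]


def chains(trace, l=L):
    """All windows of l consecutive function names."""
    names = [f for f, _ in trace]
    return [tuple(names[i:i + l]) for i in range(len(names) - l + 1)]


def distances(trace):
    """(prev_function, function) -> set of absolute call-site distances."""
    d = defaultdict(set)
    for (pf, pa), (f, a) in zip(trace, trace[1:]):
        d[(pf, f)].add(abs(a - pa))
    return d


def build_profile(traces, l=L, slack=0):
    """Merge legal chains and per-transition distance sets over all normal traces."""
    legal, dist = set(), defaultdict(set)
    for t in traces:
        legal.update(chains(t, l))
        for k, v in distances(t).items():
            dist[k] |= v
    return {"l": l, "chains": legal, "dist": dict(dist), "slack": slack}


def distance_ok(seen, observed, slack):
    """True if the observed distance is within `slack` of any profiled distance."""
    return any(abs(observed - s) <= slack for s in seen)


def detect(trace, profile):
    """Return anomalies as ('chain', chain) or ('distance', transition, observed)."""
    anomalies = []
    for c in chains(trace, profile["l"]):
        if c not in profile["chains"]:
            anomalies.append(("chain", c))
    for (pf, pa), (f, a) in zip(trace, trace[1:]):
        seen = profile["dist"].get((pf, f))
        # Transitions never seen at all are already caught by the chain check.
        if seen is not None and not distance_ok(seen, abs(a - pa), profile["slack"]):
            anomalies.append(("distance", (pf, f), abs(a - pa)))
    return anomalies


PROFILE = build_profile(NORMAL_TRACES)

if __name__ == "__main__":
    print("normal:", detect(NORMAL_TRACES[0], PROFILE))
    print("shellcode:", detect(SHELLCODE_TRACE, PROFILE))
```

Note what the distance check buys: the shellcode trace uses only call sequences the program itself performs, so every chain is legal and a sequence-only profile would stay silent; the single atypical jump from the program's code into the stack buffer is what gets flagged. The slack parameter exists because real call sites shift with ASLR-relocated modules and different code paths; a deployment would profile many runs and tune it, and an exact-match profile (slack 0) as used here would produce false positives on a real browser.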

    Interpretable Sequence Classification via Discrete Optimization

    Sequence classification is the task of predicting a class label given a sequence of observations. In many applications, such as healthcare monitoring or intrusion detection, early classification is crucial to prompt intervention. In this work, we learn sequence classifiers that favour early classification from an evolving observation trace. While many state-of-the-art sequence classifiers are neural networks, and in particular LSTMs, our classifiers take the form of finite state automata and are learned via discrete optimization. Our automata-based classifiers are interpretable, supporting explanation, counterfactual reasoning, and human-in-the-loop modification, and have strong empirical performance. Experiments over a suite of goal recognition and behaviour classification datasets show our learned automata-based classifiers to have test performance comparable to LSTM-based classifiers, with the added advantage of being interpretable.