
    Advanced Threat Intelligence: Interpretation of Anomalous Behavior in Ubiquitous Kernel Processes

    Targeted attacks on digital infrastructures are a rising threat against the confidentiality, integrity, and availability of both IT systems and sensitive data. With the emergence of advanced persistent threats (APTs), identifying and understanding such attacks has become an increasingly difficult task. Current signature-based systems are heavily reliant on fixed patterns that struggle with unknown or evasive applications, while behavior-based solutions usually leave most of the interpretative work to a human analyst. This thesis presents a multi-stage system able to detect and classify anomalous behavior within a user session by observing and analyzing ubiquitous kernel processes. Application candidates suitable for monitoring are initially selected through an adapted sentiment mining process using a score based on the log likelihood ratio (LLR). For transparent anomaly detection within a corpus of associated events, the author utilizes star structures, a bipartite representation designed to approximate the edit distance between graphs. Templates describing nominal behavior are generated automatically and are used for the computation of both an anomaly score and a report containing all deviating events. The extracted anomalies are classified using the Random Forest (RF) and Support Vector Machine (SVM) algorithms. Ultimately, the newly labeled patterns are mapped to a dedicated APT attacker–defender model that considers objectives, actions, actors, as well as assets, thereby bridging the gap between attack indicators and detailed threat semantics. This enables both risk assessment and decision support for mitigating targeted attacks. Results show that the prototype system is capable of identifying 99.8% of all star structure anomalies as benign or malicious. In multi-class scenarios that seek to associate each anomaly with a distinct attack pattern belonging to a particular APT stage we achieve a solid accuracy of 95.7%. 
Furthermore, we demonstrate that 88.3% of observed attacks could be identified by analyzing and classifying a single ubiquitous Windows process for a mere 10 seconds, thereby eliminating the necessity to monitor each and every (unknown) application running on a system. With its semantic take on threat detection and classification, the proposed system offers a formal as well as technical solution to an information security challenge of great significance. The financial support by the Christian Doppler Research Association, the Austrian Federal Ministry for Digital and Economic Affairs, and the National Foundation for Research, Technology and Development is gratefully acknowledged

    AIDIS: Detecting and Classifying Anomalous Behavior in Ubiquitous Kernel Processes

    The file attached to this record is the author's final peer-reviewed version. The publisher's final version can be found by following the DOI link. Targeted attacks on IT systems are a rising threat against the confidentiality, integrity, and availability of critical information and infrastructures. With the rising prominence of advanced persistent threats (APTs), identifying and understanding such attacks has become increasingly important. Current signature-based systems are heavily reliant on fixed patterns that struggle with unknown or evasive applications, while behavior-based solutions usually leave most of the interpretative work to a human analyst. In this article we propose AIDIS, an Advanced Intrusion Detection and Interpretation System capable of explaining anomalous behavior within a network-enabled user session by considering kernel event anomalies identified through their deviation from a set of baseline process graphs. For this purpose we adapt star structures, a bipartite representation used to approximate the edit distance between two graphs. Baseline templates are generated automatically and adapt to the nature of the respective operating system process. We prototypically implemented smart anomaly classification through a set of competency questions applied to graph template deviations and evaluated the approach using both Random Forest and linear-kernel support vector machines. The determined attack classes are ultimately mapped to a dedicated APT attacker/defender meta model that considers actions, actors, as well as assets and mitigating controls, thereby enabling decision support and contextual interpretation of ongoing attack

    SEQUIN: a grammar inference framework for analyzing malicious system behavior

    Targeted attacks on IT systems are a rising threat to the confidentiality of sensitive data and the availability of critical systems. The emergence of Advanced Persistent Threats (APTs) made it paramount to fully understand the particulars of such attacks in order to improve or devise effective defense mechanisms. Grammar inference paired with visual analytics (VA) techniques offers a powerful foundation for the automated extraction of behavioral patterns from sequential event traces. To facilitate the interpretation and analysis of APTs, we present SEQUIN, a grammar inference system based on the Sequitur compression algorithm that constructs a context-free grammar (CFG) from string-based input data. In addition to recursive rule extraction, we expanded the procedure through automated assessment routines capable of dealing with multiple input sources and types. This automated assessment enables the accurate identification of interesting frequent or anomalous patterns in sequential corpora of arbitrary quantity and origin. On the formal side, we extended the CFG with attributes that help describe the extracted (malicious) actions. Discovery-focused pattern visualization of the output is provided by our dedicated KAMAS VA prototype

    Attack States Identification in a Logical Framework of Communicating Agents

    A channel is a logical space where agents make announcements publicly. Examples of such objects are forums, wikis and social networks. Several questions arise about the nature of such a statement as well as about the attitude of the agent herself in doing these announcements. Does the agent know whether the statement is true? Is this agent announcing that statement or its opposite in any other channel? Extensions to Dynamic Epistemic Logics have been proposed in the recent past that give account to public announcements. One major limit of these logics is that announcements are always considered truthful. It is however clear that, in real life, incompetent agents may announce false things, while deceitful agents may even announce things they do not believe in. In this thesis, we provide a logical framework, called Multiple Channel Logic (MCL), able to relate true statements, agent beliefs, and announcements on communication channels. We discuss syntax and semantics of this logic and show the behavior of the p

    A logic of negative trust

    We present a logic to model the behaviour of an agent trusting or not trusting messages sent by another agent. The logic formalises trust as a consistency checking function with respect to currently available information. Negative trust is modelled in two forms: distrust, as the rejection of incoming inconsistent information; mistrust, as revision of previously held information becoming undesirable in view of new incoming inconsistent information, which the agent wishes to accept. We provide a natural deduction calculus, a relational semantics and prove soundness and completeness results. We overview a number of applications which have been investigated for the proof-theoretical formulation of the logic

    Punishment and Disgorgement as Contract Remedies

    This Paper examines contract remedies, especially damage awards that are punitive or restitutionary, from the standpoint of corrective justice. The function of the damage award in corrective justice is to undo, so far as possible, the defendant's violation of the plaintiff's right. Because the nature of the right determines the nature of the remedy, a discussion of contract damages requires elucidation of the right infringed by a breach of contract. Drawing on Kant's now almost forgotten discussion of contractual rights, the Paper sketches the relationship between the promisee's right to contractual performance and expectation damages, which give the promisee the value of that right. The Kantian account of contractual right not only justifies expectation damages as compensatory in accordance with corrective justice (thus resolving the perplexity about expectation damages formulated by Fuller and Perdue), but also discloses the inaptness of requiring the disgorgement of gains resulting from contract breach. Turning then to punitive damages, the Paper addresses the question of how corrective justice and punishment—and the institutions devoted to them—coexist, and how they are differentiated in a legal order based on rights. It then discusses the difficulties that emerge from the elaborate but ultimately unsatisfying recent attempt by the Supreme Court of Canada to work out a coherent treatment of punitive damages for contract breach

    Dishonest Medical Mistakes

    In the medical liability wars, physicians like to think that they are the ones in the trenches. Yet the true soldiers, of course, are the patients. As patients seek to avoid the barrage of malpractice reforms and the spoliation of managed care, one of their key refuges, the fiduciary duty of health care professionals, is being assailed from a number of directions. This Article describes these attacks and suggests how best to thwart them. Imagine that you are seriously ill and go to a doctor. If you are like most patients these days, you are enrolled in some form of managed care. One consequence of this is that your doctor is a relative stranger. Another is that the doctor has a financial interest in providing you with the minimum possible amount of care, for example, foregoing beneficial diagnostic tests and ordering less expensive treatments. This can seriously harm you. How would you feel if the doctor made a mistake that harmed you, not because he was careless or forgetful (what might be called an inadvertent or honest mistake) but because the doctor made a dishonest mistake, that is, sacrificed your interests in order to benefit himself? In other words, how important is it to you that your doctor be not only competent, but committed to placing your interests ahead of his own