Problem child: common patterns in malicious parent-child relationships

Wednesday 2 October 14:30 - 15:00, Red room

Bobby Filar (Endgame)



The rise of machine-learning-backed security platforms has helped in the identification of malicious activity by moving away from static signatures towards an approach that can extend to previously unobserved attacks. However, it’s becoming more common for malware attacks not just to consist of a standalone executable or script. Attacks often have a conspicuous process heritage that is ignored by machine-learning models that rely solely on static features (e.g. PE header metadata) to make a decision. Advanced attacker techniques such as 'living off the land', that appear normal in isolation, become more suspicious when observed in a parent-child context. The context derived from parent‑child process chains can help identify and group malware families, as well as discover novel attacker techniques. Adversaries chain these techniques together to perform persistence, defence bypasses and execution actions. A common response by defenders is to write heuristics, commonly referred to as detectors, to identify these events, but they can be noisy and lead to significant alert generation. Moreover, it is difficult to correlate the generated alerts to a larger pattern of techniques used in an attack.

We present ProblemChild, a graph-based framework designed to address these issues. ProblemChild applies machine learning to derive a weighted graph that is used to identify and group communities of seemingly disparate events into larger attack sequences. ProblemChild uses statistical methods, such as conditional probability, to automatically uncover rare (or first-seen) process-level events. In combination, this framework can be used by analysts to aid in the crafting or tuning of detectors and to reduce false positives over time. We evaluate ProblemChild in a series of experiments using OceanLotus (APT32) and APT3 attacks to demonstrate the promise in identifying anomalous parent-child process chains.

 

Bobby-Filar-web.jpg

Bobby Filar

Bobby Filar is a Director of Data Science at Endgame where he employs machine learning and natural language processing to drive cutting-edge detection and contextual understanding capabilities in Endgame's endpoint detection and response platform. In the past year he has focused on applying machine learning against process event data to provide confidence and explainability metrics for malware alerts. Previously, Bobby has worked on a variety of machine learning problems focused on natural language understanding, geospatial analysis, and adversarial tasks in the information security domain.

@filar



Back to VB2019 Programme page

Other VB2019 papers

DNS on fire

Warren Mercer (Cisco Talos)
Paul Rascagneres (Cisco Talos)

Operation Soft Cell - a worldwide campaign against telecommunication providers

Amit Serper (Cybereason)
Mor Levi (Cybereason)
Assaf Dahan (Cybereason)

Finding drive-by rookies using an automated active observation platform

Rintaro Koike (NTT Security)
Yosuke Chubachi (Active Defense Institute, Ltd / nao_sec)

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.