Design of an Anomaly-based Threat Detection & Explication System

Robert Luh, Sebastian Schrittwieser, Stefan Marschalek, Helge Janicke

2017

Abstract

Current signature-based malware detection systems are heavily reliant on fixed patterns that struggle with unknown or evasive applications, while behavior-based solutions usually leave most of the interpretative work to a human analyst. In this paper, we propose a system able to explain anomalous behavior within a user session by considering anomalies identified through their deviation from a set of baseline process graphs. To minimize computational requirements we adapt star structures, a bipartite representation used to approximate the edit distance between two graphs. Baseline templates are generated automatically and adapt to the nature of the respective process. We prototypically implement smart anomaly explication through a number of competency questions derived and evaluated using the decision tree algorithm. The determined key factors are ultimately mapped to a dedicated APT attack stage ontology that considers actions, actors, as well as target assets.
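To make the star-structure approximation concrete, the following is an added Python example (not the authors' code) that computes the star edit distance between a constructed baseline process graph and an observed session graph, then attributes the deviation to individual session processes as a first step toward explication. It assumes the standard star-structure formulation (one star per node, cost = root label mismatch plus leaf multiset edits, padding with empty stars) and uses brute-force matching in place of the bipartite assignment solver.

```python
from itertools import permutations

# Constructed sample: process graphs as (actor, target) edges. The baseline is a
# normal session; the observed session spawns cmd.exe -> powershell.exe from
# Word and never contacts the mail server.
BASELINE = [("explorer.exe", "outlook.exe"), ("outlook.exe", "winword.exe"),
            ("winword.exe", "report.docx"), ("outlook.exe", "mail.example")]
SESSION = [("explorer.exe", "outlook.exe"), ("outlook.exe", "winword.exe"),
           ("winword.exe", "report.docx"), ("winword.exe", "cmd.exe"),
           ("cmd.exe", "powershell.exe")]

def stars(edges):
    """One star per node: (root label, sorted multiset of neighbour labels).
    Edges are treated as undirected, as in the classic star-structure scheme."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    return [(root, sorted(leaves)) for root, leaves in sorted(adj.items())]

def star_distance(s1, s2):
    """Edit distance between two stars; None is the empty padding star."""
    if s1 is None and s2 is None:
        return 0
    if s1 is None or s2 is None:  # relabel root + insert/delete every leaf
        return 1 + 2 * len((s1 or s2)[1])
    (r1, l1), (r2, l2) = s1, s2
    common = sum(min(l1.count(x), l2.count(x)) for x in set(l1))
    return int(r1 != r2) + abs(len(l1) - len(l2)) + max(len(l1), len(l2)) - common

def mapping_distance(baseline_edges, session_edges):
    """Minimum-cost bijection between the two star multisets (brute force; a
    bipartite assignment solver replaces this for real graph sizes).
    Returns the total cost and the per-pair costs of the best mapping."""
    sa, sb = stars(baseline_edges), stars(session_edges)
    n = max(len(sa), len(sb))
    sa += [None] * (n - len(sa))
    sb += [None] * (n - len(sb))
    best = None
    for perm in permutations(sb):
        pairs = [(x, y, star_distance(x, y)) for x, y in zip(sa, perm)]
        total = sum(c for _, _, c in pairs)
        if best is None or total < best[0]:
            best = (total, pairs)
    return best

def explain(baseline_edges, session_edges):
    """Attribute the deviation score to the session processes that caused it."""
    total, pairs = mapping_distance(baseline_edges, session_edges)
    blame = {}
    for _, y, c in pairs:
        if c:
            key = y[0] if y else "<deleted-from-baseline>"
            blame[key] = blame.get(key, 0) + c
    return total, blame
```

Processes with a zero share (here explorer.exe and report.docx) match the baseline exactly; the cmd.exe and powershell.exe stars carry most of the score, which is what the explication step would hand to the competency questions.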

Paper Citation

in Harvard Style

Luh R., Schrittwieser S., Marschalek S. and Janicke H. (2017). Design of an Anomaly-based Threat Detection & Explication System. In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-209-7, pages 397-402. DOI: 10.5220/0006205203970402

in Bibtex Style

@conference{icissp17,
author={Robert Luh and Sebastian Schrittwieser and Stefan Marschalek and Helge Janicke},
title={Design of an Anomaly-based Threat Detection & Explication System},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2017},
pages={397-402},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006205203970402},
isbn={978-989-758-209-7},
}

in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - Design of an Anomaly-based Threat Detection & Explication System
SN - 978-989-758-209-7
AU - Luh R.
AU - Schrittwieser S.
AU - Marschalek S.
AU - Janicke H.
PY - 2017
SP - 397
EP - 402
DO - 10.5220/0006205203970402