Design of an Anomaly-based Threat Detection & Explication System
Robert Luh, Sebastian Schrittwieser, Stefan Marschalek, Helge Janicke
2017
Abstract
Current signature-based malware detection systems are heavily reliant on fixed patterns that struggle with unknown or evasive applications, while behavior-based solutions usually leave most of the interpretative work to a human analyst. In this paper, we propose a system able to explain anomalous behavior within a user session by considering anomalies identified through their deviation from a set of baseline process graphs. To minimize computational requirements we adapt star structures, a bipartite representation used to approximate the edit distance between two graphs. Baseline templates are generated automatically and adapt to the nature of the respective process. We prototypically implement smart anomaly explication through a number of competency questions derived and evaluated using the decision tree algorithm. The determined key factors are ultimately mapped to a dedicated APT attack stage ontology that considers actions, actors, as well as target assets.
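As an added illustration (not code from the paper), the star-structure approximation the abstract refers to, applied to two small constructed process graphs: every vertex becomes a star (root label plus neighbour labels), the two star multisets are matched by a minimum-cost bijection, and the resulting mapping distance bounds the true graph edit distance and serves as the deviation score against a baseline template. The process labels, graphs and threshold are constructed assumptions.

```python
# Star-structure approximation of graph edit distance (Zeng et al., VLDB 2009).
from collections import Counter
from itertools import permutations

# A process graph: node id -> label, plus undirected edges between node ids.
def stars(labels, edges):
    """One star per vertex: (root label, multiset of neighbour labels)."""
    neigh = {v: [] for v in labels}
    for u, v in edges:
        neigh[u].append(labels[v])
        neigh[v].append(labels[u])
    return [(labels[v], neigh[v]) for v in labels]

def star_distance(s1, s2):
    """Edit distance between two stars: relabel the root, then fix the leaves."""
    (r1, l1), (r2, l2) = s1, s2
    relabel = 0 if r1 == r2 else 1
    common = sum((Counter(l1) & Counter(l2)).values())
    return relabel + abs(len(l1) - len(l2)) + max(len(l1), len(l2)) - common

def mapping_distance(g1, g2):
    """Minimum-cost bijection between the two star multisets (zeta in Zeng et al.).
    The smaller graph is padded with empty stars. Brute force over permutations
    is fine for these tiny graphs; real sessions call for the Hungarian algorithm."""
    s1, s2 = stars(*g1), stars(*g2)
    n = max(len(s1), len(s2))
    s1 += [(None, [])] * (n - len(s1))
    s2 += [(None, [])] * (n - len(s2))
    return min(sum(star_distance(a, s2[j]) for a, j in zip(s1, p))
               for p in permutations(range(n)))

def ged_lower_bound(g1, g2):
    """zeta / max(4, max-degree + 1) never exceeds the true graph edit distance."""
    deg = lambda g: max((len(l) for _, l in stars(*g)), default=0)
    return mapping_distance(g1, g2) / max(4, deg(g1) + 1, deg(g2) + 1)

def is_anomalous(session, baselines, threshold):
    """Flag a session whose closest baseline template is still too far away."""
    return min(mapping_distance(session, b) for b in baselines) > threshold

# Constructed sample graphs (not from the paper): a baseline mail session and a
# session in which the document editor additionally spawned a shell.
BASELINE = ({0: "explorer", 1: "mail", 2: "editor"}, [(0, 1), (1, 2)])
SESSION = ({0: "explorer", 1: "mail", 2: "editor", 3: "shell"},
           [(0, 1), (1, 2), (2, 3)])

if __name__ == "__main__":
    print(mapping_distance(BASELINE, SESSION), ged_lower_bound(BASELINE, SESSION))
    print(is_anomalous(SESSION, [BASELINE], threshold=2))
```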
in Harvard Style
Luh R., Schrittwieser S., Marschalek S. and Janicke H. (2017). Design of an Anomaly-based Threat Detection & Explication System. In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-209-7, pages 397-402. DOI: 10.5220/0006205203970402
in Bibtex Style
@conference{icissp17,
author={Robert Luh and Sebastian Schrittwieser and Stefan Marschalek and Helge Janicke},
title={Design of an Anomaly-based Threat Detection \& Explication System},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2017},
pages={397-402},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006205203970402},
isbn={978-989-758-209-7},
}
in EndNote Style
TY - CONF
JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - Design of an Anomaly-based Threat Detection & Explication System
SN - 978-989-758-209-7
AU - Luh R.
AU - Schrittwieser S.
AU - Marschalek S.
AU - Janicke H.
PY - 2017
SP - 397
EP - 402
DO - 10.5220/0006205203970402