SEQUIN: a grammar inference framework for analyzing malicious system behavior

Luh, Robert; Schramm, Gregor; Wagner, Markus; Janicke, Helge; Schrittwieser, Sebastian

doi:10.1007/s11416-018-0318-x

Cited by 7 publications

(15 citation statements)

References 49 publications

(68 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Figure 5 shows a summary. Note that "SE-QUIN" is an optional component discussed in [27]. For both binary and CAPEC multi-class classification, the core classification system utilizing SVM with hyperplane optimization offers the highest accuracy with 99.82% and 95.73%, respectively.…”

Section: Results Summarymentioning

confidence: 99%

Advanced threat intelligence: detection and classification of anomalous behavior in system processes

Luh

Schrittwieser

2019

Elektrotech. Inftech.

Self Cite

View full text Add to dashboard Cite

With the advent of Advanced Persistent Threats (APTs), it has become increasingly difficult to identify and understand attacks on computer systems. This paper presents a system capable of explaining anomalous behavior within network-enabled user sessions by describing and interpreting kernel event anomalies detected by their deviation from normal behavior.The prototype has been developed at the Josef Ressel Center for Unified Threat Intelligence on Targeted Attacks (TARGET) at St. Pölten University of Applied Sciences. Advanced Threat Intelligence: Erkennung und Klassifizierung von anomalem Verhalten in Systemprozessen. Mit dem Aufkommen von Advanced Persistent Threats (APTs) ist es immer schwieriger geworden, Angriffe aufComputersysteme zu identifizieren und zu verstehen. Diese Arbeit stellt ein System vor, das in der Lage ist, anomales Verhalten innerhalb von Benutzer-Sessions zu erklären, indem es Kernel-Ereignisanomalien beschreibt und klassifiziert, welche durch ihre Abweichung vom Normalverhalten erkannt werden. Der Prototyp wurde am Josef Ressel-Zentrum für konsolidierte Erkennung gezielter Angriffe (TARGET) an der Fachhochschule St. Pölten entwickelt.

show abstract

Section: Results Summarymentioning

confidence: 99%

Advanced threat intelligence: detection and classification of anomalous behavior in system processes

Luh

Schrittwieser

2019

Elektrotech. Inftech.

Self Cite

View full text Add to dashboard Cite

show abstract

“…For the purpose of compression we utilize prior work, SEQUIN [42], a grammar inference system based on the Sequitur algorithm, which constructs a context-free grammar (CFG) from string-based input data. Specifically, Sequitur is a greedy compression algorithm that creates a hierarchical structure 575 from a sequence of discrete symbols by recursively replacing repeated phrases with a grammatical rule [53].…”

Section: Grammar Inferencementioning

confidence: 99%

“…The full rule extraction and evaluation process is detailed in [42]. The article describes the application of our adapted Sequitur system on smart traces of kernel events associated with arbitrary processes and other security-relevant data, proving a full example grammar.…”

Section: Grammar Inferencementioning

confidence: 99%

“…The reduction of input data in particular can be helpful to decrease the complexity of lengthier analysis tasks, such as the graph-based approach discussed in this paper (see Section 4.5.1): By using SEQUIN, it is possible to slim down the input corpus to only relevant n-grams (n ≥ 2), instead of working with 590 the full, unfiltered set of event or code snippet unigrams. SEQUIN's grammar transformation mechanism [42] also enables us to work with an automatically generated placeholder variable instead of several compound terminals.…”

Section: Grammar Inferencementioning

confidence: 99%

“…See Section 5 for an evaluation of the compression component in the context of AIDIS. Refer to [42] for more information about this and other SEQUIN 595 components.…”

Section: Accepted Manuscriptmentioning

confidence: 99%

See 2 more Smart Citations

AIDIS: Detecting and classifying anomalous behavior in ubiquitous kernel processes

Luh

Janicke

Schrittwieser

2019

Computers & Security

Self Cite

View full text Add to dashboard Cite

Targeted attacks on IT systems are a rising threat against the confidentiality, integrity, and availability of critical information and infrastructures. With the rising prominence of advanced persistent threats (APTs), identifying and understanding such attacks has become increasingly important. Current signaturebased systems are heavily reliant on fixed patterns that struggle with unknown or evasive applications, while behavior-based solutions usually leave most of the interpretative work to a human analyst. In this article we propose AIDIS, an Advanced Intrusion Detection and Interpretation System capable to explain anomalous behavior within a network-enabled user session by considering kernel event anomalies identified through their deviation from a set of baseline process graphs. For this purpose we adapt star structures, a bipartite representation used to approximate the edit distance between two graphs. Baseline templates are generated automatically and adapt to the nature of the respective operating system process. We prototypically implemented smart anomaly classification through a set of competency questions applied to graph template deviations and evaluated the approach using both Random Forest and linear kernel support vector machines. The determined attack classes are ultimately mapped to a dedicated APT attacker/defender meta model that considers actions, actors, as well as assets and mitigating controls, thereby enabling decision support and contextual interpretation of ongoing attacks.

show abstract

A hierarchical layer of atomic behavior for malicious behaviors prediction

Alaeiyan

Parsa

2022

J Comput Virol Hack Tech

View full text Add to dashboard Cite

SEQUIN: a grammar inference framework for analyzing malicious system behavior

Cited by 7 publications

References 49 publications

Advanced threat intelligence: detection and classification of anomalous behavior in system processes

Advanced threat intelligence: detection and classification of anomalous behavior in system processes

AIDIS: Detecting and classifying anomalous behavior in ubiquitous kernel processes

A hierarchical layer of atomic behavior for malicious behaviors prediction

Contact Info

Product

Resources

About