TDLens: Toward an empirical evaluation of provenance graph-based approach to cyber threat detection

Rui, Mei; Yan, Hanbing; Wang, Qinqin; Han, Zhihui; Lyu, Zhuohang

doi:10.23919/jcc.2022.00.028

Cited by 3 publications

(3 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Such limitations need to be addressed for a concrete ransomware early detection solution. To overcome the issues related to the length of the API calls and representation of call arguments, system provenance is gaining popularity as it utilizes graphs to present and maintain a history of system events and then leverages the characteristics of the graph to conduct threat detection and attack investigation [168]. Researchers believe that system provenance has the potential to improve the accuracy of malware and intrusion detection [63]; however, the system provenance is out of the scope of this thesis as we will utilize sequential representation for its simplicity and ease of processing.…”

Section: Problem Statementmentioning

confidence: 99%

“…Recently, many research works on intrusion and threat detection have adopted system provenance-based algorithms considering its potential in this domain [262,258,168,170,254]. The threat detection in these studies generally involves creating a provenance graph of the system's history via tagging and tracking of system events and then utilizing graph characteristics for the task [168]. Figure 2.7 presents a sample of the system provenance graph.…”

Section: Researchers Believe That System Provenance Has the Potentialmentioning

confidence: 99%

“…Recently, system provenance [182,198], a graph-based approach, has gained popularity in system monitoring for its potential in modeling the interaction and dependencies among various digital or system objects, e.g., processes, files, sockets, and users [1]. Typically, the generation of the system provenance graph is accomplished through the labeling and monitoring of system events, and the power of the graph's characteristics is then utilized for detecting threats and investigating attacks [168,198]. Provenance has been effectively utilized in some recent ransomware analysis and detection studies to model the system event or API call flow graphs, e.g., [53,169].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Automating Behavior-based Ransomware Analysis, Detection, and Classification Using Machine Learning

Abbasi¹

View full text Add to dashboard Cite

Ransomware is malware that hijacks a victim's data using encryption and demands a ransom in exchange for the decryption key. Ransomware has gained prominence due to its attack vector and the irreversible nature of damage to data. Ransomware has indiscriminately attacked individuals and organizations worldwide, disrupting their businesses and services. The number of successful ransomware attacks across the globe highlights the inadequacy of existing ransomware defense. Static and dynamic analysis are two popular approaches to malware analysis. The former does not require execution of the malware binary, whereas the latter requires executing the binary in a controlled environment. Static analysis-based detection, e.g., signature-matching, is widely adopted by commercial antivirus solutions but can be thwarted by evasion techniques, e.g., polymorphism and code obfuscation, utilized in modern malware. Consequently, dynamic analysis-based or behavior-based detection approaches have gained popularity because malware behavior cannot be changed entirely across its variants. Both signature and behavior-based detection complement each other. Behavior-based ransomware detection comes with certain challenges and problems, such as data high-dimensionality that occurs because a process may execute thousands of API calls per second. Manual inspection of these API calls for feature engineering requires an expert and is a time-intensive task. Another problem with some existing ransomware detection models is the reliance on handcrafted malice scoring functions that assign scores to the processes describing their threat levels. Other challenges to ransomware detection research include the limited availability of ransomware data sets that can be used with Machine Learning (ML) methods and their reuse scope. The scope of reuse of available data sets is limited because of their format, e.g., sequential data may be used with recurrent neural networks but not with commonly used ML-based classification algorithms, and focus, e.g., network activity and filesystem activity. For the above-mentioned reasons, ransomware detection research is generally followed by ransomware analysis. However, to the best of our knowledge, not many of the existing ransomware behavior analysis studies discuss the challenges involved in the process. This thesis aims to automate the solutions to the problems related to ransomware behavior detection and classification using evolutionary computation methods, i.e., particle swarm optimization and genetic programming, and deep neural networks, i.e., long short-term memory. This thesis proposes a wrapper feature selection method to address the high dimensionality in ransomware behavior data. The proposed method utilizes particle swarm optimization to automatically select a suitable number of features from each feature group and therefore does not require expert input. This thesis further proposes an automated method of evolving malice scoring models for ransomware detection. The proposed method formulates the problem as a symbolic regression problem and solves it using genetic programming. Unlike existing methods, the proposed method does not require expert knowledge to design the model. Furthermore, this thesis proposes an automated behavior analysis framework for highlighting challenges associated with ransomware behavior analysis and solutions to these challenges. Finally, this thesis proposes a new representation of the API call sequences that combines the API call names and important call arguments. The proposed representation of the API call sequences helped improve ransomware early detection performance. All the methods proposed in this thesis either automate the existing manual solutions or achieve comparable or better performance compared to existing methods.

show abstract

Section: Problem Statementmentioning

confidence: 99%

Section: Researchers Believe That System Provenance Has the Potentialmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Automating Behavior-based Ransomware Analysis, Detection, and Classification Using Machine Learning

Abbasi¹

View full text Add to dashboard Cite

show abstract

Considerations on Evaluation of Practical Cloud Data Protection

Rui

Yan

et al. 2022

Communications in Computer and Information Science

View full text Add to dashboard Cite

With the continuous growth of enterprises’ digital transformation, business-driven cloud computing has seen tremendous growth. The security community has proposed a large body of technical mechanisms, operational processes, and practical solutions to achieve cloud security. In addition, diverse jurisdictions also present regulatory requirements on data protection to mitigate possible risks, for instance, unauthorized access, data leakage, sensitive information and privacy disclosure. In view of this, several practical standards, frameworks, and best practices in the industry are proposed to evaluate and improve the protection level of cloud data. However, few evaluation models can conduct a comprehensive quantitative evaluation for cloud data protection that includes security, privacy, and even ethical considerations. In this paper, we first make a comprehensive review of cloud data security and privacy issues, especially also including ethical concerns that we consider as a type of specific risks caused by human factors, which refers to acting honorably, honestly, justly, and legally, due diligence, and due care. Then, we propose a novel evaluation model for cloud data protection that can quantitatively assess the protection level. Finally, based on the parallel evaluation between manual assessment by experts and our evaluation model, results show that our evaluation model is consistent with the manual evaluation conclusion.

show abstract

ROCAS: Root Cause Analysis of Autonomous Driving Accidents via Cyber-Physical Co-mutation

Feng,

Ye,

Shi

et al. 2024

Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering

View full text Add to dashboard Cite

As Autonomous driving systems (ADS) have transformed our daily life, safety of ADS is of growing significance. While various testing approaches have emerged to enhance the ADS reliability, a crucial gap remains in understanding the accidents causes. Such post-accident analysis is paramount and beneficial for enhancing ADS safety and reliability. Existing cyber-physical system (CPS) root cause analysis techniques are mainly designed for drones and cannot handle the unique challenges introduced by more complex physical environments and deep learning models deployed in ADS.In this paper, we address the gap by offering a formal definition of ADS root cause analysis problem and introducing Rocas, a novel ADS root cause analysis framework featuring cyber-physical comutation. Our technique uniquely leverages both physical and cyber mutation that can precisely identify the accident-trigger entity and pinpoint the misconfiguration of the target ADS responsible for an accident. We further design a differential analysis to identify the responsible module to reduce search space for the misconfiguration. We study 12 categories of ADS accidents and demonstrate the effectiveness and efficiency of Rocas in narrowing down search space and pinpointing the misconfiguration. We also show detailed case studies on how the identified misconfiguration helps understand rationale behind accidents.

show abstract

TDLens: Toward an empirical evaluation of provenance graph-based approach to cyber threat detection

Cited by 3 publications

References 0 publications

Automating Behavior-based Ransomware Analysis, Detection, and Classification Using Machine Learning

Automating Behavior-based Ransomware Analysis, Detection, and Classification Using Machine Learning

Considerations on Evaluation of Practical Cloud Data Protection

ROCAS: Root Cause Analysis of Autonomous Driving Accidents via Cyber-Physical Co-mutation

Contact Info

Product

Resources

About