Living-Off-The-Land Command Detection Using Active Learning

Ongun, Talha; Stokes, Jack W.; Or, Jonathan Bar; Tian, Ke; Tajaddodianfar, Farid; Neil, Joshua; Seifert, Christian; Oprea, Alina; Platt, John

doi:10.1145/3471621.3471858

Cited by 11 publications

(7 citation statements)

References 31 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Finally, Ongun et al [30] adopt active learning and cmd2vec feature generation to expand the detection range to LotL threats, which encompass attacks with more system preinstallation tools and commands. Sunoh Choi [31] provides another perspective in turning detection into a graph inference problem using GNN and an adjacency matrix generation method via Jaccard similarity to detect malicious PowerShell.…”

Section: A Detection Of Malicious Powershellmentioning

confidence: 99%

“…On the other hand, recently emerging techniques such as Machine Learning (ML) and Deep Learning (DL) have shown that they could offer researchers alternative solutions [18]- [21] for developing cutting-edge methods to combat cybersecurity challenges. In general, several studies achieve better performance than traditional signature scanning and execution monitoring mechanisms, including detection with vector representation features from Abstract Syntax Tree (AST) [22]- [26], Natural Language Processing (NLP) [27]- [30], and Graph Neural Network (GNN) [31] inference to differentiate between malicious and benign scripts. However, to the best of our knowledge, previous studies by ML and DL cannot be considered conclusive as they mainly focus on binary classification that discriminates malicious PSCmds from benign ones, and often fail to reveal semantics or malicious intent behind the obfuscated PSCmds.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

PowerDP: De-Obfuscating and Profiling Malicious PowerShell Commands With Multi-Label Classifiers

Tsai

Lin

et al. 2023

IEEE Access

View full text Add to dashboard Cite

In recent years, PowerShell has become the common tool that helps attackers launch targeted attacks using living-off-the-land tactics and fileless attack techniques. Unfortunately, malwarederived PowerShell Commands (PSCmds) have typically been obfuscated to hide the malicious intent from detection and analysis. Also, malicious PSCmds' expansive use of multiple obfuscation strategies and encryption methods makes them difficult to be revealed. Despite the advances in malicious PSCmds detection incorporating new approaches such as machine learning and deep learning, there is still no consensus on the solution to de-obfuscating malicious PSCmds and profiling their behavior. To address this challenge, we propose a hybrid framework that combines deep learning and program analysis for automatic PowerShell De-obfuscation and behavioral Profiling (PowerDP) through multi-label classification in a static manner. First, we use character distribution features to forecast obfuscation types of malicious PSCmds. Second, we developed an extensive de-obfuscator utilizing static regular expression replacement to recover the original content of obfuscated PSCmds based on the predicted obfuscation types. Finally, we profile the behavior of PSCmds by features extracted from the abstract syntax tree of PSCmds after deobfuscation. Our results show that PowerDP achieves a promising 99.82% accuracy and 0.18% hamming loss in obfuscation multi-label classification using deep learning. Furthermore, the successful recovery rate of the de-obfuscator against 15 obfuscation types is 98.11% on average with semantic similarity comparison, and the accuracy of the behavior multi-label classification for identifying 5 behaviors in malicious PSCmds averages 98.53%. The evaluation indicates that PowerDP is able to classify and profile complicated PSCmds.INDEX TERMS PowerShell, de-obfuscation, machine learning, deep learning, abstract syntax trees, multi-label classification, behavioral profiling 1 https://attack.mitre.org/matrices/enterprise/ documents are still the best combinations for malware delivery media. Because people remain susceptible to manipulation, human psychological weaknesses result in the main vulnerabilities that can be exploited through social engineering, e.g., spear-phishing attacks. In this scenario, attackers typically attached a well-customized malicious document containing PowerShell Commands (PSCmds) to a forged email. Additionally, impersonation is often used in sender names or contact information to lure targets into opening malicious files.Living-off-the-Land (LotL) tactics and fileless attack VOLUME 0, 2022

show abstract

Section: A Detection Of Malicious Powershellmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

PowerDP: De-Obfuscating and Profiling Malicious PowerShell Commands With Multi-Label Classifiers

Tsai

Lin

et al. 2023

IEEE Access

View full text Add to dashboard Cite

show abstract

“…Therefore, spotting their execution does not automatically constitute malicious activity. Further enhancing methodologies using machine learning and artificial intelligence have been proposed in [56] aiming to reduce the noise and extract useful alerts. Finally, Microsoft's Sysmon [57] is used to further enhance fileless attacks detection and prevention by monitoring for specific event IDs.…”

Section: Test Environment and Implementationmentioning

confidence: 99%

Blockchain-Enabled Intrusion Detection and Prevention System of APTs Within Zero Trust Architecture

Alevizos

Eiza

et al. 2022

IEEE Access

View full text Add to dashboard Cite

In a world where organisations are embracing new IT working models such as Bring Your Own Device (BYOD) and remote working, the traditional mindset of defending the network perimeter is no longer sufficient. Zero Trust Architecture (ZTA) has recently emerged as a new security model in which the breach mindset dominates the threat model. By default, the ZTA considers any endpoint (i.e., device), user, or application to be untrusted until proven otherwise. Nonetheless, once proven by the endpoint, using Advanced Persistent Threats (APT), attackers can still take over an authenticated and authorised session via that endpoint. Therefore, they can perform several user/device centric malicious activities in addition to lateral movement rendering the endpoint as the Achilles heel of ZTA. To effectively deter APT attack capabilities on the endpoints, this work proposes a Blockchain-enabled Intrusion Detection and Prevention System (BIDPS) that augments ZTA onto endpoints. The BIDPS aims to achieve two core outcomes: first, detect and prevent attackers' techniques and tactics as per MITRE's ATT&CK enterprise matrix earlier than the lateral movement stage, and secondly, strip trust out of the endpoint itself and place it on-chain, thus creating an immutable system of explicit trust. To evaluate the effectiveness of the BIDPS, a testbed was built where techniques of over ten APTs attacks were launched against the endpoint. BIDPS has proven a high rate of success defending against the launched attacks owing to its Blockchain's immutability, fortifying the detection/prevention processes.

show abstract

“…For this task we propose a local anomaly detection module at each client, which will be trained on the unlabeled client data in order to detect the highest ranked anomalies. Prior work [7], [48], [49] shows that anomaly detection can find new malicious behavior in unlabeled data, and we leverage this observation in our design. In addition, we also select samples for labeling from the top ranked HTTP log events obtained with the current global model at each client.…”

Section: Global Model Training For Http Malware Detectionmentioning

confidence: 99%

CELEST: Federated Learning for Globally Coordinated Threat Detection

Ongun¹,

Boboila²,

Oprea³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

The cyber-threat landscape has evolved tremendously in recent years, with new threat variants emerging daily, and large-scale coordinated campaigns becoming more prevalent. In this study, we propose CELEST (CollaborativE LEarning for Scalable Threat detection), a federated machine learning framework for global threat detection over HTTP, which is one of the most commonly used protocols for malware dissemination and communication. CELEST leverages federated learning in order to collaboratively train a global model across multiple clients who keep their data locally, thus providing increased privacy and confidentiality assurances. Through a novel active learning component integrated with the federated learning technique, our system continuously discovers and learns the behavior of new, evolving, and globally-coordinated cyber threats. We show that CELEST is able to expose attacks that are largely invisible to individual organizations. For instance, in one challenging attack scenario with data exfiltration malware, the global model achieves a three-fold increase in Precision-Recall AUC compared to the local model. We deploy CELEST on two university networks and show that it is able to detect the malicious HTTP communication with high precision and low false positive rates. Furthermore, during its deployment, CELEST detected a set of previously unknown 42 malicious URLs and 20 malicious domains in one day, which were confirmed to be malicious by VirusTotal.

show abstract

Living-Off-The-Land Command Detection Using Active Learning

Cited by 11 publications

References 31 publications

PowerDP: De-Obfuscating and Profiling Malicious PowerShell Commands With Multi-Label Classifiers

PowerDP: De-Obfuscating and Profiling Malicious PowerShell Commands With Multi-Label Classifiers

Blockchain-Enabled Intrusion Detection and Prevention System of APTs Within Zero Trust Architecture

CELEST: Federated Learning for Globally Coordinated Threat Detection

Contact Info

Product

Resources

About