Title: UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats
Advanced Persistent Threats (APTs) are difficult to detect due to their “low-and-slow” attack patterns and frequent use of zero-day exploits. We present UNICORN, an anomaly-based APT detector that effectively leverages data provenance analysis. From modeling to detection, UNICORN tailors its design specifically for the unique characteristics of APTs. Through extensive yet time-efficient graph analysis, UNICORN explores provenance graphs that provide rich contextual and historical information to identify stealthy anomalous activities without pre-defined attack signatures. Using a graph sketching technique, it summarizes long-running system execution with space efficiency to combat slow-acting attacks that take place over a long time span. UNICORN further improves its detection capability using a novel modeling approach to understand long-term behavior as the system evolves. Our evaluation shows that UNICORN outperforms an existing state-of-the-art APT detection system and detects real-life APT scenarios with high accuracy.
Award ID(s):
1750024 1657534
NSF-PAR ID:
10146528
Journal Name:
Network and Distributed System Security Symposium
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. Deception has been proposed in the literature as an effective defense mechanism to address Advanced Persistent Threats (APT). However, administering deception in a cost-effective manner requires a good understanding of the attack landscape. The attacks mounted by APT groups are highly diverse and sophisticated in nature and can render traditional signature-based intrusion detection systems useless. This necessitates the development of behavior-oriented defense mechanisms. In this paper, we develop Decepticon (Deception-based countermeasure), a Hidden Markov Model based framework where the indicators of compromise (IoC) are used as the observable features to aid in detection. This framework would help in selecting an appropriate deception script when faced with APTs or other similar malware and trigger an appropriate defensive response. The effectiveness of the model and the associated framework is demonstrated by considering ransomware as the offending APT in a networked system.
  2. We present PROVNINJA, a framework designed to generate adversarial attacks that aim to elude provenance-based Machine Learning (ML) security detectors. PROVNINJA is designed to identify and craft adversarial attack vectors that statistically mimic and impersonate system programs. Leveraging the benign execution profile of system processes commonly observed across a multitude of hosts and networks, our research proposes an efficient and effective method to probe evasive alternatives and devise stealthy attack vectors that are difficult to distinguish from benign system behaviors. PROVNINJA's suggestions for evasive attacks, originally derived in the feature space, are then translated into system actions, leading to the realization of actual evasive attack sequences in the problem space. When evaluated against State-of-The-Art (SOTA) detector models using two realistic Advanced Persistent Threat (APT) scenarios and a large collection of fileless malware samples, PROVNINJA could generate and realize evasive attack variants, reducing the detection rates by up to 59%. We also assessed PROVNINJA under varying assumptions on adversaries' knowledge and capabilities. While PROVNINJA primarily considers the black-box model, we also explored two contrasting threat models that consider blind and white-box attack scenarios.
  3. Deception has been proposed in the literature as an effective defense mechanism to address Advanced Persistent Threats (APT). However, administering deception in a cost-effective manner requires a good understanding of the attack landscape. In this paper, we develop a Hidden Markov Model based framework where the indicators of compromise (IoC) are used as the observables. This framework would help in selecting an appropriate deception script and triggering the proper defensive strategy when faced with APTs or other malware. The effectiveness of the model and the associated framework are illustrated by considering ransomware as the offending APT in a networked system.
  4. Human acyl protein thioesterases (APTs) catalyze the depalmitoylation of S‐acylated proteins attached to the plasma membrane, facilitating reversible cycles of membrane anchoring and detachment. We previously showed that a bacterial APT homologue, FTT258 from the gram‐negative pathogen Francisella tularensis, exists in equilibrium between a closed and open state based on the structural dynamics of a flexible loop overlapping its active site. Although the structural dynamics of this loop are not conserved in human APTs, the amino acid sequence of this loop is highly conserved, indicating essential but divergent functions for this loop in human APTs. Herein, we investigated the role of this loop in regulating the catalytic activity, ligand binding, and protein folding of human APT1, a depalmitoylase connected with cancer, immune, and neurological signaling. Using a combination of substitutional analysis with kinetic, structural, and biophysical characterization, we show that even in its divergent structural location in human APT1, this loop still regulates the catalytic activity of APT1 through contributions to ligand binding and substrate positioning. We confirmed previously known roles for multiple residues (Phe72 and Ile74) in substrate binding and catalysis while adding new roles in substrate selectivity (Pro69), in catalytic stabilization (Asp73 and Ile75), and in transitioning between the membrane binding β‐tongue and substrate‐binding loops (Trp71). Even conservative substitution of this tryptophan (Trp71) fulcrum led to complete loss of catalytic activity, a 13°C decrease in total protein stability, and drastic drops in ligand affinity, indicating that the combination of the size, shape, and aromaticity of Trp71 is essential to the proper structure of APT1.
     Mixing buried hydrophobic surface area with contributions to an exposed secondary surface pocket, Trp71 represents a previously unidentified class of essential tryptophans within α/β hydrolase structure and a potential allosteric binding site within human APTs.
  5. Recent advances in causality analysis have enabled investigators to trace multi-stage attacks using provenance graphs. Based on system-layer audit logs (e.g., syscalls), these approaches omit vital sources of application context (e.g., email addresses, HTTP response codes) that can be found in higher layers of the system. Although such information is often essential to understanding attack behaviors, it is difficult to incorporate this evidence into causal analysis engines because of the semantic gap that exists between system layers. To address that shortcoming, we propose the notion of universal provenance, which encodes all forensically relevant causal dependencies regardless of their layer of origin. To transparently realize that vision on commodity systems, we present OmegaLog, a provenance tracker that bridges the semantic gap between system and application logging contexts. OmegaLog analyzes program binaries to identify and model application-layer logging behaviors, enabling accurate reconciliation of application events with system-layer accesses. OmegaLog then intercepts applications’ runtime logging activities and grafts those events onto the system-layer provenance graph, allowing investigators to reason more precisely about the nature of attacks. We demonstrate that our system is widely applicable to existing software projects and can transparently facilitate execution partitioning of provenance graphs without any training or developer intervention. Evaluation on real-world attack scenarios shows that our technique generates concise provenance graphs with rich semantic information relative to the state-of-the-art, with an average runtime overhead of 4%.