DOI: 10.1145/3230833.3233282

Hunting Observable Objects for Indication of Compromise

Published: 27 August 2018

Abstract

Shared threat intelligence is often imperfect. In particular, so-called Indicators of Compromise may not be well constructed, either because the threat appeared only recently and the available recordings do not permit the construction of high-quality indicators, or because the threat has only been observed by sharing partners that are less capable of modelling it. Intrusion detection based on such imperfect intelligence yields low-quality results. In this paper we show how these shortcomings in data quality can be overcome to achieve solid intrusion detection.
This is done by assigning individual weights to the observables listed in a STIX™ report to express their significance for detection. For evaluation, an automated toolchain was developed that mimics the threat intelligence sharing ecosystem from initial detection through reporting, sharing, and determining compromise from STIX™-formatted data. Multiple strategies to detect and attribute a specific threat are compared on this data, leading to an approach that achieves an F1 score of 0.79.
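The weighting idea in the abstract, as an added example that is not the paper's code or toolchain: a small scorer that sums assumed significance weights for the observables of a constructed STIX-style report that are seen on each host, compares a naive any-match strategy with a thresholded weighted strategy, and reports precision, recall and F1 against constructed compromise labels. The object-type keys such as `domain-name:value` only mimic STIX 2 pattern paths; the weights, the hosts, the placeholder hash and the labels are all invented, so the F1 values it prints say nothing about the paper's 0.79.

```python
"""Scoring hosts against a weighted indicator report.

Added example, not the paper's code. The report, the per-observable weights, the
host observations and the compromise labels below are all constructed.
"""
from typing import Callable, Dict, List, Set, Tuple

Observation = Dict[str, Set[str]]  # STIX-style object type -> values observed on a host

# Constructed report: each observable carries an assumed significance weight
# (0 = no evidence, 10 = practically unique to this threat). A shared CDN host
# name is weak evidence; the sample's hash or its C2 domain is strong evidence.
SAMPLE_HASH = "3f7c" + "00" * 30  # constructed 64-hex placeholder, not a real sample
REPORT: Dict[str, Dict[str, int]] = {
    "domain-name:value": {"evil-c2.example": 9, "cdn.example": 1},
    "file:hashes.SHA-256": {SAMPLE_HASH: 10},
    "mutex:name": {"Global\\UpdaterMutex": 3},
    "windows-registry-key:key": {"HKCU\\Software\\Updater": 4},
}

# Constructed host observations: (host, objects seen on it, truly compromised?)
HOSTS: List[Tuple[str, Observation, bool]] = [
    ("ws01", {"domain-name:value": {"evil-c2.example", "cdn.example"},
              "mutex:name": {"Global\\UpdaterMutex"}}, True),
    ("ws02", {"file:hashes.SHA-256": {SAMPLE_HASH},
              "windows-registry-key:key": {"HKCU\\Software\\Updater"}}, True),
    ("ws03", {"domain-name:value": {"cdn.example"}}, False),       # only the weak CDN name
    ("ws04", {"domain-name:value": {"cdn.example"},
              "mutex:name": {"Global\\UpdaterMutex"}}, False),     # generic mutex, no C2
    ("ws05", {"domain-name:value": {"intranet.example"}}, False),  # nothing from the report
    ("ws06", {"windows-registry-key:key": {"HKCU\\Software\\Updater"}}, True),  # partial evidence
]


def score(obs: Observation) -> int:
    """Sum the weights of every report observable that was seen on the host."""
    total = 0
    for obj_type, values in REPORT.items():
        for value, weight in values.items():
            if value in obs.get(obj_type, set()):
                total += weight
    return total


def flag_any(obs: Observation) -> bool:
    """Naive strategy: any single matching observable means compromise."""
    return score(obs) > 0


def flag_weighted(threshold: int) -> Callable[[Observation], bool]:
    """Weighted strategy: compromise only when the summed weights reach the threshold."""
    return lambda obs: score(obs) >= threshold


def evaluate(flag: Callable[[Observation], bool]) -> Tuple[float, float, float]:
    """Precision, recall and F1 of a strategy against the constructed labels."""
    tp = fp = fn = 0
    for _, obs, compromised in HOSTS:
        flagged = flag(obs)
        tp += int(flagged and compromised)
        fp += int(flagged and not compromised)
        fn += int(not flagged and compromised)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f1


def best_threshold() -> Tuple[int, float]:
    """Sweep every score that actually occurs and keep the threshold with the best F1."""
    candidates = sorted({score(obs) for _, obs, _ in HOSTS} - {0})
    return max(((t, evaluate(flag_weighted(t))[2]) for t in candidates), key=lambda p: p[1])


if __name__ == "__main__":
    for host, obs, _ in HOSTS:
        print(f"{host}: score={score(obs)}")
    print("any-match  P/R/F1: %.2f %.2f %.2f" % evaluate(flag_any))
    t, f1 = best_threshold()
    print(f"weighted   best threshold={t} F1={f1:.2f}")
```

On this toy data the any-match strategy reaches full recall but pays for it with two false positives (hosts that only show the shared CDN name or the generic mutex), while the weighted strategy with a swept threshold trades a little precision for far fewer false alarms; the threshold sweep is the part a practitioner has to redo on real telemetry, because the best cut-off depends on how common the weak observables are in the monitored environment.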

Published In

cover image ACM Other conferences
ARES '18: Proceedings of the 13th International Conference on Availability, Reliability and Security
August 2018
603 pages
ISBN:9781450364485
DOI:10.1145/3230833
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

In-Cooperation

  • Universität Hamburg

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Indicator of Compromise
  2. Intrusion Detection
  3. Threat Intelligence

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES 2018

Acceptance Rates

ARES '18 Paper Acceptance Rate 128 of 260 submissions, 49%;
Overall Acceptance Rate 228 of 451 submissions, 51%

Article Metrics

  • Total Citations: 0
  • Total Downloads: 349
  • Downloads (last 12 months): 13
  • Downloads (last 6 weeks): 1

Reflects downloads up to 27 Jan 2025