A Lightweight Host-Based Intrusion Detection Based on Process Generation Patterns

Title: A Lightweight Host-Based Intrusion Detection Based on Process Generation Patterns
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Tsuda, Y., Nakazato, J., Takagi, Y., Inoue, D., Nakao, K., Terada, K.
Conference Name: 2018 13th Asia Joint Conference on Information Security (AsiaJCIS)
Keywords: active processes, advanced persistent threat, advanced persistent threats, anomaly processes, anti-virus software, computer viruses, drive-by-download attacks, Electronic mail, enterprise networks, execution sequences, fileless malware, host based intrusion detection system, Human Behavior, installed applications, Intrusion detection, invasive software, lightweight host-based intrusion detection system, malicious activities, malicious e-mail attachments, management tools, Metrics, Microsoft Windows, network administrators, network-based intrusion systems, Organizations, OS vendors, PowerShell process, process generation patterns, process information, pubcrawl, Resiliency, Scalability, security of data, serious social problem, Spreadsheet programs, system constructs process trees, targeting organizations, Tools, XML
Abstract: Advanced persistent threats (APTs) have been considered globally as a serious social problem since the 2010s. The adversaries behind such threats first penetrate target organizations through a backdoor opened by drive-by-download attacks, malicious e-mail attachments, and similar means. After intruding, they usually run benign applications (e.g., OS built-in commands and management tools published by OS vendors) to investigate the target organization's network. Therefore, once they have penetrated a network, it is difficult to detect these malicious activities rapidly using only anti-virus software or network-based intrusion detection systems. Meanwhile, enterprise networks are generally well managed: network administrators have a good grasp of which applications are installed and which are routinely used in employees' daily work. Thus, on well-managed networks, observing changes in how applications are executed is an effective way to find anomalous behavior. In this paper, we propose a lightweight host-based intrusion detection system based on process generation patterns. Our system periodically collects lists of active processes from each host and constructs process trees from these lists. It then detects anomalous processes in the process trees by considering parent-child relationships, execution sequences and process lifetimes. We evaluated the system in our organization: it collected 2,403,230 process paths in total from 498 hosts over two months and extracted 38 anomalous processes. Among them, one PowerShell process was also detected by the anti-virus software running in our organization. Furthermore, our system filtered out the other 18 PowerShell processes, which were used for maintenance of our network.
DOI: 10.1109/AsiaJCIS.2018.00025
Citation Key: tsuda_lightweight_2018
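The abstract describes merging periodic process lists into process trees and flagging processes by parent-child relationship and lifetime. The following added example (not code from the paper or its authors) sketches that idea on constructed snapshots: `SNAPSHOTS`, `BASELINE` and the two functions are assumptions, the execution-sequence criterion is not shown, and PIDs are assumed not to be reused between snapshots.

```python
# Constructed sample (not data from the paper): each snapshot is the list of
# active processes on one host at one collection interval, as (pid, ppid, path).
SNAPSHOTS = [
    [(4, 0, "System"), (500, 4, "explorer.exe"), (600, 500, "excel.exe")],
    [(4, 0, "System"), (500, 4, "explorer.exe"), (600, 500, "excel.exe"),
     (700, 600, "powershell.exe")],          # spreadsheet spawns PowerShell
    [(4, 0, "System"), (500, 4, "explorer.exe"), (600, 500, "excel.exe"),
     (800, 500, "powershell.exe")],          # admin-launched PowerShell
    [(4, 0, "System"), (500, 4, "explorer.exe"), (600, 500, "excel.exe"),
     (800, 500, "powershell.exe")],
]

# Baseline of parent->child pairs routinely seen on the managed network
# (constructed; in practice learned from a training period of snapshots).
BASELINE = {("System", "explorer.exe"), ("explorer.exe", "excel.exe"),
            ("explorer.exe", "powershell.exe")}


def build_process_tree(snapshots):
    """Merge periodic process lists into one record per pid holding the image
    path, the parent's image path, and the first/last snapshot it was seen in."""
    records = {}
    for t, procs in enumerate(snapshots):
        path_of = {pid: path for pid, _, path in procs}
        for pid, ppid, path in procs:
            rec = records.setdefault(pid, {"path": path,
                                           "parent": path_of.get(ppid, "?"),
                                           "first": t, "last": t})
            rec["last"] = t
    return records


def detect_anomalies(records, baseline, min_lifetime=2):
    """Flag a process when its parent-child pair is not in the baseline, or when
    it survived fewer than min_lifetime collection intervals (short-lived)."""
    anomalies = []
    for pid, r in records.items():
        reasons = []
        if r["parent"] != "?" and (r["parent"], r["path"]) not in baseline:
            reasons.append("unseen parent-child pair")
        if r["last"] - r["first"] + 1 < min_lifetime:
            reasons.append("short-lived")
        if reasons:
            anomalies.append((pid, r["parent"], r["path"], reasons))
    return anomalies


if __name__ == "__main__":
    for hit in detect_anomalies(build_process_tree(SNAPSHOTS), BASELINE):
        print(hit)
```

On this input only pid 700 (PowerShell started by the spreadsheet program, seen in a single interval) is flagged, while the explorer-launched PowerShell matches the baseline and is filtered out, mirroring the abstract's distinction between the detected process and the maintenance ones.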