{"id":1699,"date":"2022-04-06T12:03:38","date_gmt":"2022-04-06T12:03:38","guid":{"rendered":"https:\/\/sappan-project.eu\/?p=1699"},"modified":"2022-04-07T23:37:22","modified_gmt":"2022-04-07T23:37:22","slug":"for-security-analysts-a-picture-may-be-worth-more-than-a-thousand-words","status":"publish","type":"post","link":"https:\/\/sappan-project.eu\/?p=1699","title":{"rendered":"For security analysts, a picture may be worth more than a thousand words"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"1699\" class=\"elementor elementor-1699\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-a73a618 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"a73a618\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-b8697fc\" data-id=\"b8697fc\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-c86d511 elementor-widget elementor-widget-heading\" data-id=\"c86d511\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">Dmitriy Komashinskiy and Andrew Patel  (WithSecure)<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-dfee8da elementor-widget elementor-widget-heading\" data-id=\"dfee8da\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h6 class=\"elementor-heading-title 
elementor-size-default\">In SAPPAN, we have developed several models for detecting anomalous events in endpoints. For example, we have built a model for identifying anomalous process launch events and a model for identifying anomalous \u201cmodule load\u201d operations. In order to increase the reliability of detections reported by the models and to support security analysts in handling those detections, we have experimented with combining detected anomalies in so-called provenance graphs. Our hypothesis here is that cyberattacks often result in multiple anomalies involving the same endpoint entities. This blog post presents our initial approach.<\/h6>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-cc4860f elementor-widget elementor-widget-heading\" data-id=\"cc4860f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\"><br>Introduction<\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-dfb8599 elementor-widget elementor-widget-text-editor\" data-id=\"dfb8599\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n<\/p><p class=\"MsoNormal\" style=\"text-align:justify\"><span style=\"font-size:12.0pt;line-height:107%\" lang=\"EN-US\">When developing cyber-attack\ndetection and response mechanisms, finding appropriate trade-offs between often\ncontradictory precision and sensitivity requirements is a serious challenge for\ntwo main reasons: (1) exaggerated sensitivity demands lead to an information\noverload which can cause security analysts to miss attacker activities due to\noverwhelming noise created by false positives, and (2) exaggerated precision demands,\non the 
other hand, cause the incoming stream of potentially relevant signals to\nbe narrowed down and result in attacker operation detections going unnoticed\nuntil it is too late. One way to solve this problem is to develop auxiliary\napproaches and tools that illustrate how a computer system flagged as \u201cpotentially\nunder attack\u201d came to be in that state. <\/span><\/p>\n\n<p class=\"MsoNormal\" style=\"text-align:justify\"><span style=\"font-size:12.0pt;line-height:107%\" lang=\"EN-US\">Traditionally, approaches for\ndetecting malware and cyber-attacks are divided into two groups: misuse\ndetection and anomaly detection. Well known examples from the former group rely\non descriptions of static and dynamic patterns of attacks that are encapsulated\nin detection rules written by experts. The latter encompasses various\napproaches to determining uncommon states and behaviours that include heuristics,\nstatistical methods, machine learning techniques, and so forth.<\/span><\/p>\n\n<p class=\"MsoNormal\" style=\"text-align:justify\"><span style=\"font-size:12.0pt;line-height:107%\" lang=\"EN-US\">In SAPPAN, we have developed a set of\nmodels designed to detect specific classes of anomalous endpoint behaviour and\na method for presenting connections among detected anomalies as a node-edge graph.\nIn this article, we illustrate how our proposed methodology \u2013 a combination of elements\nof state provenance and statistical anomaly detection \u2013 can be used to help\nanalysts, threat hunters and incident investigators in their day-to-day\nactivities. 
<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9efa390 elementor-widget elementor-widget-heading\" data-id=\"9efa390\" data-element_type=\"widget\" 
data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h4 class=\"elementor-heading-title elementor-size-default\">Our approach<\/h4>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e9a9d9a elementor-widget elementor-widget-text-editor\" data-id=\"e9a9d9a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n<\/p><p class=\"MsoNormal\" style=\"text-align:justify\"><span style=\"font-size:12.0pt;line-height:107%\" lang=\"EN-US\">A standalone computer system can be\nthought of as a set of computer programs (further referred to as processes)\ncommunicating with each other and the host (endpoint) operating system via various\nAPI calls and messaging protocols. Supporting entities and concepts include but\nare not limited to process address space, synchronization objects, file system,\nsystem registry, and network communication primitives. Another important notion\n\u2013 events \u2013 captures how processes interact with entities. Event Tracing on\nWindows and Audit frameworks on Linux can be used to obtain information about the\nrationales and structures of such events (we are naturally interested in cyber\nsecurity-relevant ones). <\/span><\/p>\n\n<p class=\"MsoNormal\" style=\"text-align:justify\"><span style=\"font-size:12.0pt;line-height:107%\" lang=\"EN-US\">Every distinct event type can be\nrepresented in a compact form that includes its subject (used to describe an\nactive process), object (description of an entity the subject interacts with)\nand attributes of the interaction. We treat each event type separately and\ndesign and train dedicated statistical anomaly detection models to categorize\nevents with respect to their anomalousness. 
Trained anomaly detection models then\nassess incoming endpoint events in real time and assign anomalousness\ncategories to those events. In this setting, we assume that events that are valuable\nfrom a cyber security perspective possess a certain degree of anomalousness, and\nwe, therefore, treat such events as informative for security analysts. Events\nidentified as common (or normal) are not considered in the scope of this\napproach and should be handled by other mechanisms.<\/span><\/p>\n\n<p class=\"MsoNormal\" style=\"text-align:justify\"><span style=\"font-size:12.0pt;line-height:107%\" lang=\"EN-US\">Our approach first collects and identifies\nanomalous events. Next, a graph is constructed where edges represent anomalous events\nand nodes represent the subjects and objects of those events. <\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-cfb11db elementor-widget elementor-widget-image\" data-id=\"cfb11db\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"698\" height=\"297\" src=\"https:\/\/sappan-project.eu\/wp-content\/uploads\/2022\/04\/Picture-1-698x297.png\" class=\"attachment-large size-large wp-image-1711\" alt=\"\" 
srcset=\"https:\/\/sappan-project.eu\/wp-content\/uploads\/2022\/04\/Picture-1-698x297.png 698w, https:\/\/sappan-project.eu\/wp-content\/uploads\/2022\/04\/Picture-1-400x170.png 400w, https:\/\/sappan-project.eu\/wp-content\/uploads\/2022\/04\/Picture-1-768x327.png 768w, https:\/\/sappan-project.eu\/wp-content\/uploads\/2022\/04\/Picture-1-1536x653.png 1536w, https:\/\/sappan-project.eu\/wp-content\/uploads\/2022\/04\/Picture-1.png 1958w\" sizes=\"(max-width: 698px) 100vw, 698px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 1: Examples of node-edge relationships adopted by our methodology<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f9a00e3 elementor-widget elementor-widget-text-editor\" data-id=\"f9a00e3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p class=\"MsoNormal\" style=\"text-align:justify\"><span style=\"font-size:12.0pt;line-height:107%\" lang=\"EN-US\">Figure 1 illustrates our adopted\nnotation and presents examples of nodes and edges between processes, shared\nlibraries, file system locations, hosts, registry keys, and so on. Let us\nconsider, for example, a new process creation event type. Both subject and object\nentities are processes depicted by circles and labeled with the executable\nimage file names. The direction of the edge arrow denotes a parent (subject) to\nchild (object) process relationship. 
Node and edge colors represent anomalousness.\nA circle with a solid border represents a process that was found to be involved\nin suspicious activities by misuse detection mechanisms (typically rule-based).<\/span><\/p>\t\t\t\t
\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6a3127c elementor-widget elementor-widget-image\" data-id=\"6a3127c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"698\" height=\"287\" src=\"https:\/\/sappan-project.eu\/wp-content\/uploads\/2022\/04\/Picture2-698x287.png\" class=\"attachment-large size-large wp-image-1712\" alt=\"\" srcset=\"https:\/\/sappan-project.eu\/wp-content\/uploads\/2022\/04\/Picture2-698x287.png 698w, https:\/\/sappan-project.eu\/wp-content\/uploads\/2022\/04\/Picture2-400x165.png 400w, https:\/\/sappan-project.eu\/wp-content\/uploads\/2022\/04\/Picture2-768x316.png 768w, https:\/\/sappan-project.eu\/wp-content\/uploads\/2022\/04\/Picture2.png 1430w\" sizes=\"(max-width: 698px) 100vw, 698px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 2: An example provenance graph created from a process tree on an endpoint running Microsoft Windows<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d6bc4f2 elementor-widget elementor-widget-text-editor\" data-id=\"d6bc4f2\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n<\/p><p class=\"MsoNormal\" style=\"text-align:justify\"><span style=\"font-size:12.0pt;line-height:107%\" lang=\"EN-US\">An example of a simple provenance\ngraph is given in Figure 2. In order to collect a node\u2019s state provenance, that\nnode\u2019s path is traced back through the graph to the root node (\u201cSystem\u201d process\nin Figure 2). 
<\/span><span style=\"font-size:12.0pt;line-height:107%;\nmso-ascii-font-family:Calibri;mso-fareast-font-family:&quot;Times New Roman&quot;;\nmso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri\" lang=\"EN-US\">Braun et al. in the\npaper \u201cSecuring Provenance\u201d (2008) define provenance as follows:<\/span><span style=\"font-size:12.0pt;line-height:107%\" lang=\"EN-US\"><\/span><\/p>\n\n<p class=\"MsoNormal\" style=\"margin-left:36.0pt;text-align:justify\"><span style=\"font-size:12.0pt;line-height:107%;mso-ascii-font-family:Calibri;\nmso-fareast-font-family:&quot;Times New Roman&quot;;mso-hansi-font-family:Calibri;\nmso-bidi-font-family:Calibri\" lang=\"EN-US\">\u201cProvenance describes how an object came to be in\nits present state. Provenance is a causality graph with annotations. The\ncausality graph connects the various participating objects describing the\nprocess that produced an object\u2019s present state. Each node represents an\nobject, and each edge represents a relationship between two objects. This graph\nis an immutable directed acyclic graph.\u201d<\/span><\/p>\n\n<p class=\"MsoNormal\" style=\"text-align:justify\"><span style=\"font-size:12.0pt;line-height:107%\" lang=\"EN-US\">For the sake of simplicity, the graph\nin Figure 2 is trimmed (some processes irrelevant to our example have been\nremoved). The illustrated structure highlights the existence of key system and\nuser processes found at the right and left sides of the graph. <\/span><span style=\"font-size:12.0pt;line-height:107%;mso-ascii-font-family:Calibri;\nmso-fareast-font-family:&quot;Times New Roman&quot;;mso-hansi-font-family:Calibri;\nmso-bidi-font-family:Calibri\" lang=\"EN-US\"><\/span><\/p>\n\n<p class=\"MsoNormal\" style=\"text-align:justify\"><span style=\"font-size:12.0pt;line-height:107%\" lang=\"EN-US\">Readers skilled in cyber security\nmatters will notice that the above example represents activities associated\nwith a type of cyber-attack. 
Misuse detection techniques can be used to\nidentify processes that are commonly involved in cyber-attacks. In the example\npresented in Figure 2, applying detection of suspicious command line parameters,\nmemory scanning, static and dynamic analysis of executables and processes, and\nother common misuse detection techniques enables us to highlight suspicious\nprocesses with bold borders, and thus derive the graph depicted in Figure 3. <\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5f833a6 elementor-widget elementor-widget-image\" data-id=\"5f833a6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"698\" height=\"295\" src=\"https:\/\/sappan-project.eu\/wp-content\/uploads\/2022\/04\/Picture3-698x295.png\" class=\"attachment-large size-large wp-image-1713\" alt=\"\" srcset=\"https:\/\/sappan-project.eu\/wp-content\/uploads\/2022\/04\/Picture3-698x295.png 698w, 
https:\/\/sappan-project.eu\/wp-content\/uploads\/2022\/04\/Picture3-400x169.png 400w, https:\/\/sappan-project.eu\/wp-content\/uploads\/2022\/04\/Picture3-768x325.png 768w, https:\/\/sappan-project.eu\/wp-content\/uploads\/2022\/04\/Picture3.png 1430w\" sizes=\"(max-width: 698px) 100vw, 698px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 3: Suspicious processes (as determined by misuse detection methods) highlighted with a bold border.<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-48c46db elementor-widget elementor-widget-text-editor\" data-id=\"48c46db\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n<\/p><p class=\"MsoNormal\" style=\"text-align:justify\"><span style=\"font-size:12.0pt;line-height:107%;mso-ascii-font-family:Calibri;\nmso-fareast-font-family:&quot;Times New Roman&quot;;mso-hansi-font-family:Calibri;\nmso-bidi-font-family:Calibri\" lang=\"EN-US\">The process chains depicted in Figure 3 that\ninclude highlighted suspicious processes allow us to understand the origins of and\nthe actions performed during the attack. <\/span><\/p>\n\n<p class=\"MsoNormal\" style=\"text-align:justify\"><span style=\"font-size:12.0pt;line-height:107%;mso-ascii-font-family:Calibri;\nmso-fareast-font-family:&quot;Times New Roman&quot;;mso-hansi-font-family:Calibri;\nmso-bidi-font-family:Calibri\" lang=\"EN-US\">Since rare activities cause rare side effects (that\ncan also be considered rare events), and attack activities are typically rare, we\nexpect attacks to leave \u201cripples\u201d (i.e., uncommon events that may seem\nirrelevant) in the log traces of computer systems. 
Given this fact, we can\naugment process chains with information regarding statistically uncommon (anomalous)\nevents in order to improve our ability to detect attacks. Some of the edges in a\nprocess tree can point to these uncommon events. For instance, in the example\ndepicted in Figure 3, the console applications net.exe and reg.exe usually work\nin the context of command line interpreters like cmd.exe and powershell.exe. In\nthe illustrated process tree, however, we see that they were instead called\ndirectly by the program manager process \u2013 explorer.exe. Although it is wrong to\nassume that such explorer.exe behaviour is reliably indicative of an attack, it\nis useful to highlight such an observation to security analysts, especially in\nuncertain cases. <\/span><\/p>\n\n<p class=\"MsoNormal\" style=\"text-align:justify\"><span style=\"font-size:12.0pt;line-height:107%;mso-ascii-font-family:Calibri;\nmso-fareast-font-family:&quot;Times New Roman&quot;;mso-hansi-font-family:Calibri;\nmso-bidi-font-family:Calibri\" lang=\"EN-US\">A number of event types exist that can be utilized\nto augment a process tree. These provide a backbone for defining connections\nbetween the main subjects (processes) of interesting events that can occur on a\ncomputer system. Figure 4 illustrates how uncommon new process, open process,\nnetwork connection, and file access events \u201cgroup together\u201d in the process trees\nshown in the previous Figures. 
Note that the provided illustration does not\ncompletely conform to the provenance graph requirement that these graphs be\ndirected and acyclic.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div 
class=\"elementor-element elementor-element-35c69ac elementor-widget elementor-widget-image\" data-id=\"35c69ac\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"698\" height=\"573\" src=\"https:\/\/sappan-project.eu\/wp-content\/uploads\/2022\/04\/Picture4-698x573.png\" class=\"attachment-large size-large wp-image-1714\" alt=\"\" srcset=\"https:\/\/sappan-project.eu\/wp-content\/uploads\/2022\/04\/Picture4-698x573.png 698w, https:\/\/sappan-project.eu\/wp-content\/uploads\/2022\/04\/Picture4-400x328.png 400w, https:\/\/sappan-project.eu\/wp-content\/uploads\/2022\/04\/Picture4-768x630.png 768w, https:\/\/sappan-project.eu\/wp-content\/uploads\/2022\/04\/Picture4.png 1430w\" sizes=\"(max-width: 698px) 100vw, 698px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Figure 4: The color-coded provenance graph presented to security analysts<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e492a13 elementor-widget elementor-widget-text-editor\" data-id=\"e492a13\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n<\/p><p class=\"MsoNormal\" style=\"text-align:justify\"><span style=\"font-size:12.0pt;line-height:107%\" lang=\"EN-US\">A security analyst can quickly and\neasily read a graph such as the one presented in Figure 4 to understand how a\ncomputer system came to its present (suspicious) state and thus understand whether\nan attack is ongoing, and if so, identify affected processes and entities.\nColored edges in the illustration point to anomalous events, and 
colored\ncircles represent entities (processes, IP addresses) observed in anomalous\ncontexts. This graph representation provides security analysts with rich context,\nenabling faster decision making and supporting response action planning. It\nhas often been noted that a picture is worth a thousand words. For security\nanalysts facing increasing alert fatigue, these pictures may be worth a whole\nlot more.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-76e56de elementor-widget elementor-widget-heading\" data-id=\"76e56de\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h6 class=\"elementor-heading-title elementor-size-default\">About the authors:<\/h6>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d44072a elementor-widget elementor-widget-text-editor\" data-id=\"d44072a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p class=\"MsoNormal\" style=\"margin-bottom:0cm;line-height:normal\"><span style=\"mso-ascii-font-family:Calibri;mso-fareast-font-family:&quot;Times New Roman&quot;;\nmso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri;color:black;\nmso-ansi-language:#0C00;mso-fareast-language:EN-GB\">Dmitriy Komashinskiy is\nLead Researcher at the WithSecure Tactical Defense unit and currently focuses on\nthe core analytics functionality of WithSecure\u2019s attack detection and response\nservices. Before joining WithSecure, Dmitriy worked in several companies in the\ninformation security area as well as at the Computer Security Laboratory of\nthe Saint-Petersburg Institute for Informatics and Automation, from where he\nreceived a PhD degree in Information Security. 
He has authored a number of papers and\npatents in the cybersecurity domain.<\/span><\/p>\n\n<p class=\"MsoNormal\" style=\"margin-bottom:0cm;line-height:normal\"><span style=\"mso-ascii-font-family:Calibri;mso-fareast-font-family:&quot;Times New Roman&quot;;\nmso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri;color:black;\nmso-ansi-language:#0C00;mso-fareast-language:EN-GB\">&nbsp;<\/span><\/p>\n\n<p class=\"MsoNormal\" style=\"margin-bottom:0cm;line-height:normal\"><span style=\"mso-ascii-font-family:Calibri;mso-fareast-font-family:&quot;Times New Roman&quot;;\nmso-hansi-font-family:Calibri;mso-bidi-font-family:Calibri;color:black;\nmso-ansi-language:#0C00;mso-fareast-language:EN-GB\">Andrew\nPatel is an artificial intelligence researcher at\nWithSecure. His areas of specialty include social\nnetwork and disinformation analysis, graph analysis and\nvisualization methods, reinforcement learning, natural language processing, and\nartificial life. Andrew is a key contributor to the AI section of the\nWithSecure blog.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Dmitriy Komashinskiy and Andrew Patel (WithSecure) In SAPPAN, we have developed several models for detecting anomalous events in endpoints. For example, we have built a model for identifying anomalous process launch events and a model for identifying anomalous \u201cmodule load\u201d operations. 
In order to increase the reliability of detections reported by the models and to&hellip;<\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[17],"tags":[],"coauthors":[],"class_list":["post-1699","post","type-post","status-publish","format-standard","hentry","category-blog-post"],"_links":{"self":[{"href":"https:\/\/sappan-project.eu\/index.php?rest_route=\/wp\/v2\/posts\/1699","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sappan-project.eu\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sappan-project.eu\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sappan-project.eu\/index.php?rest_route=\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/sappan-project.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1699"}],"version-history":[{"count":21,"href":"https:\/\/sappan-project.eu\/index.php?rest_route=\/wp\/v2\/posts\/1699\/revisions"}],"predecessor-version":[{"id":1730,"href":"https:\/\/sappan-project.eu\/index.php?rest_route=\/wp\/v2\/posts\/1699\/revisions\/1730"}],"wp:attachment":[{"href":"https:\/\/sappan-project.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1699"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sappan-project.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1699"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sappan-project.eu\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1699"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/sappan-project.eu\/index.php?rest_route=%2Fwp%2Fv2%2Fcoauthors&post=1699"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}