You Cannot Escape Me: Detecting Evasions of SIEM Rules in Enterprise Networks (2311.10197v2)
Abstract: Cyberattacks have grown into a major risk for organizations, with common consequences being data theft, sabotage, and extortion. Since preventive measures do not suffice to repel attacks, timely detection of successful intruders is crucial to stop them from reaching their final goals. For this purpose, many organizations utilize Security Information and Event Management (SIEM) systems to centrally collect security-related events and scan them for attack indicators using expert-written detection rules. However, as we show by analyzing a set of widespread SIEM detection rules, adversaries can evade almost half of them easily, allowing them to perform common malicious actions within an enterprise network without being detected. To remedy these critical detection blind spots, we propose the idea of adaptive misuse detection, which utilizes machine learning to compare incoming events to SIEM rules on the one hand and known-benign events on the other hand to discover successful evasions. Based on this idea, we present AMIDES, an open-source proof-of-concept adaptive misuse detection system. Using four weeks of SIEM events from a large enterprise network and more than 500 hand-crafted evasions, we show that AMIDES successfully detects a majority of these evasions without any false alerts. In addition, AMIDES eases alert analysis by assessing which rules were evaded. Its computational efficiency qualifies AMIDES for real-world operation and hence enables organizations to significantly reduce detection blind spots with moderate effort.
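The adaptive misuse detection idea in the abstract can be sketched in a few dozen lines: match each incoming event against the SIEM rules as usual, but additionally compare it to the rules' own match patterns on one side and to known-benign events on the other, and raise an alert when an event that fired no rule nevertheless looks clearly more rule-like than benign. The block below is an added illustration written for this summary; it is not code from the paper or from the AMIDES repository the paper describes (https://github.com/fkie-cad/amides), and it uses a simple character-trigram TF-IDF/cosine model in place of whatever classifier AMIDES actually trains. The rule set, the fictional tool names and the benign command lines are all constructed.

```python
"""Toy adaptive misuse detection: flag events that slip past substring SIEM
rules but resemble the rules' own match patterns more than any known-benign
event.  Constructed illustration, not AMIDES's implementation."""
import math
from collections import Counter

# Constructed toy rules: rule name -> command-line fragment it looks for.
# Stand-ins for real SIEM/Sigma rules; the tool names are fictional.
TOY_RULES = {
    "toy-admintool-dump": "admintool.exe /dumpall",
    "toy-scheduler-hidden": "schedtool.exe /create /hidden",
}

# Constructed known-benign process command lines (what a SOC would harvest
# from its own environment during a training period).
BENIGN_EVENTS = [
    "notepad.exe report.txt",
    "admintool.exe /status",
    "schedtool.exe /list",
    "backup.exe /full /target=e:",
    "explorer.exe",
    "msedge.exe --profile-directory=Default",
]


def normalize(cmdline):
    """Lower-case and collapse whitespace so trivial spacing changes are harmless."""
    return " ".join(cmdline.lower().split())


def char_ngrams(text, n=3):
    """Character n-grams over the padded, normalized string."""
    padded = f" {normalize(text)} "
    return [padded[i:i + n] for i in range(len(padded) - n + 1)]


class AdaptiveMisuseDetector:
    """Rule matcher plus a TF-IDF/cosine model of 'rule-like' versus 'benign'."""

    def __init__(self, rules, benign_events, margin=0.1):
        self.rules = rules
        self.margin = margin
        docs = list(rules.values()) + list(benign_events)
        self.n_docs = len(docs)
        self.df = Counter()
        for doc in docs:
            self.df.update(set(char_ngrams(doc)))
        self.rule_vecs = {name: self._vector(p) for name, p in rules.items()}
        self.benign_vecs = [self._vector(b) for b in benign_events]

    def _idf(self, gram):
        # Smoothed IDF: n-grams never seen in training get the highest weight.
        return math.log((1 + self.n_docs) / (1 + self.df.get(gram, 0))) + 1

    def _vector(self, text):
        """L2-normalized TF-IDF vector as a sparse dict."""
        tf = Counter(char_ngrams(text))
        vec = {g: c * self._idf(g) for g, c in tf.items()}
        norm = math.sqrt(sum(w * w for w in vec.values()))
        return {g: w / norm for g, w in vec.items()} if norm else {}

    @staticmethod
    def _cosine(a, b):
        return sum(w * b.get(g, 0.0) for g, w in a.items())

    def rule_matches(self, cmdline):
        """Classic misuse detection: which rules fire on this event?"""
        text = normalize(cmdline)
        return [name for name, pat in self.rules.items() if normalize(pat) in text]

    def assess(self, cmdline):
        matched = self.rule_matches(cmdline)
        vec = self._vector(cmdline)
        rule_sims = {name: self._cosine(vec, rv) for name, rv in self.rule_vecs.items()}
        closest_rule = max(rule_sims, key=rule_sims.get)
        rule_sim = rule_sims[closest_rule]
        benign_sim = max(self._cosine(vec, bv) for bv in self.benign_vecs)
        # Evasion candidate: no rule fired, yet the event resembles a rule's
        # match pattern clearly more than it resembles anything known-benign.
        suspected = not matched and (rule_sim - benign_sim) > self.margin
        return {
            "cmdline": cmdline,
            "rule_matches": matched,
            "closest_rule": closest_rule,  # the rule most likely evaded
            "rule_similarity": round(rule_sim, 3),
            "benign_similarity": round(benign_sim, 3),
            "suspected_evasion": suspected,
        }


DETECTOR = AdaptiveMisuseDetector(TOY_RULES, BENIGN_EVENTS)


def assess(cmdline):
    return DETECTOR.assess(cmdline)


if __name__ == "__main__":
    # Constructed events: a direct rule hit, a variant the substring rule
    # misses, a known-benign event, and an unrelated new benign event.
    for event in ["admintool.exe /dumpall", "admintool.exe -dumpall",
                  "admintool.exe /status", "winword.exe letter.docx"]:
        print(assess(event))
```

The `closest_rule` field is the toy counterpart of the abstract's point about easing alert analysis: an analyst receiving the alert is told which rule the event most resembles, and therefore which detection the event probably slipped past. The benign side is what keeps the false-alert rate down: an event that is merely unfamiliar scores low against both sides and is not reported, which is the main thing that separates this approach from plain anomaly detection.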
Authors: Rafael Uetz, Marco Herzog, Louis Hackländer, Simon Schwarz, Martin Henze