Using endpoints process information for malicious behavior detection

摘要: In the last years impact of malware has become a huge problem. Each year, more and new samples are discovered [2]. And is becoming sophisticated, for example ransomware. Ransomware encrypts personal documents, such as photos word asks money to be able decrypt these files, hence name. Malware not only used financial gain at backs consumers. Sophisticated targeted attacks enterprise uncommon, Sony hack. Although there many security solutions which should protect endpoints, infections still occur. The reason this due with way current work. Most act upon known behavior signatures. However when released signature unknown cannot endpoint against infections. To overcome problem method detection developed. This detect malicious without prior knowledge. scientific literature type called anomaly [26, 38, 57, 58]. Anomaly uses gathered data construct model normal behavior. Any deviation from defined seen an anomaly. At Fox-IT, IT company based in Netherlands, solution developed, clled FoxGuard. ability block allow process activity on set rules. FoxGuard also log very detailed low level information all processes running system. include actions filesystem registry actions. For explanation can gather read section 4.1. master thesis explorative research conducted using by collect. main question answered is: How detecting single endpoint? answer first was use literature, see chapter 2. conclusion study that combined tree representations, large quantities stored compact representation. These representations aid officer graphically analyzing hereby possibly spotting deviations. 3 design requirements developed system analyzed. analysis amount reduced. Not does it prevent chances generating overfitting occurs, reducing reduces need amounts memory, storage, processing power network send. collection preparation discussed 4. We have collected four clean datasets, complete dataset contains one bootcycle, five datasets. generatethe following used: banking malware, Remote Access Trojan sample Zeus. aggregated, dataframe remains containing per number times triggered activities: filesystem, registry, create, thread object callback module load. Furthermore contained unique id parent process. As difference between activities were normalized 0 10, becomes comparable each other. A k-means clustering algorithm applied assign every cluster likewise processes. aggregated processed generate trees, 5.1 heatmaps, 5.3. two tools provide graphical representation heatmap easily spot high second compared other deviations spotted top part tree, providing proof expert level. nodes present computer usage day, finding lower levels proofed difficult. Analyzing trees sets again help rat clearly visible tree. Further showed ran could found same Chapter 6 explains three algorithms calculate distances set. calculated distance marking or benign. marked if above threshold value. values we mean 75%, 80%, 85%, 90% 95% quantile. All test True Postive Rate, False Negative Rate Accuracy calculated. outcome experiments shown 7. figure 1 Positive shown. partly detect. highest rate gained 0.917 malware. paired positive Rate. Zeus 8 recommendations presented. short-coming done. By different machines differences executable noticeable. had do fact differs. future experiment repeated collecting machine. shortcoming its effects proposed least out types. us that, although limited, detected.