University of Twente Student Theses


Behavioral Threat Detection : detecting Living of Land Techniques

Rai, Shubham (2020) Behavioral Threat Detection : detecting Living of Land Techniques.

PDF (1MB)
Abstract: Recent antivirus products and machine-learning-based malware detectors have all become more effective at detecting file-based attacks; consequently, adversaries have migrated to "living off the land" (LotL) techniques to bypass this advanced detection. Adversaries practice this by executing system tools that are preinstalled in the operating system or commonly brought in by administrators to automate IT administration, run operational scripts, execute code on remote systems, and perform many similar tasks, so that their activity goes undetected even by advanced signature-based detection systems. In this thesis we aim to automate the task of rule generation and propose a novel detection method that can effectively capture anomalous parent-child behavior of system processes. The first task of this work is to treat an event as a parent-child relationship rather than as a single event and to find anomalous patterns therein, which lets us analyze the LotL techniques used by attackers. The detection system is meant to create rules and statistics for detection based on parent-child process relationships, which are otherwise extremely hard to filter manually (by writing rules); moreover, no matter how effective a hand-written detector is, its logic can only address one specific attack. This failure of such detectors to generalize and detect emergent attacks presents a unique opportunity for machine learning, which is explored in this thesis.
Item Type: Essay (Master)
Faculty: EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject: 54 computer science
Programme: Computer Science MSc (60300)
Link to this item: https://purl.utwente.nl/essays/83610