Automatic multi-step signature derivation from taint graphs
M. Ussath, Feng Cheng, C. Meinel
2016 IEEE Symposium Series on Computational Intelligence (SSCI), published 2016-12-01
DOI: 10.1109/SSCI.2016.7850076 (https://doi.org/10.1109/SSCI.2016.7850076)
Citations: 6
Abstract
An increasing number of attacks use advanced tactics, techniques and methods to compromise target systems and environments. Such multi-step attacks are often able to bypass existing prevention and detection systems, such as Intrusion Detection Systems (IDSs), firewalls and anti-virus solutions. These security systems use either an anomaly-based or a signature-based detection approach. For systems that utilize a signature-based approach, precise detection signatures are needed to identify attacks. The creation of signatures is often complex and time consuming, especially for multi-step attacks. In this paper, we propose a signature derivation approach that automatically creates multi-step detection signatures from taint graphs. The approach uses the recorded log events of an attack and the event attribute tainting approach to correlate the events and to create a taint graph. This graph, which provides comprehensive details about the attack, is then used to derive a precise multi-step detection signature. As a result, this approach can reduce both the time needed to create a multi-step signature and the complexity of this process. For the evaluation of the proposed approach, we simulated a multi-step attack with real-world attack tools and methods. Based on the recorded log events and the implemented signature derivation system, we automatically derived a multi-step detection signature that describes all relevant events and their relations.
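As an added illustration (not code from the paper), the following Python sketch shows the idea the abstract describes: seed one log event, propagate taint through shared attribute values to build a taint graph over a constructed event stream, derive an ordered multi-step signature from that graph, and then match the signature against other streams. The event format, attribute names, taint propagation rule and greedy matcher are all assumptions made here; the paper's own correlation and derivation details are not reproduced.

```python
# Constructed sample log events (assumed format, not the paper's data), in chronological
# order: "type" is the event kind, every other key is an event attribute.
EVENTS = [
    {"type": "web_login_success", "src_ip": "10.0.0.9", "user": "bob", "session": "s2"},
    {"type": "web_login_failed", "src_ip": "10.0.0.5", "user": "alice"},
    {"type": "web_login_success", "src_ip": "10.0.0.5", "user": "alice", "session": "s1"},
    {"type": "file_upload", "session": "s1", "path": "/var/www/img/x.php"},
    {"type": "process_start", "path": "/var/www/img/x.php", "pid": 4711},
]

def build_taint_graph(events, seed):
    """Event attribute tainting (simplified, assumed rule): the seed event's attribute
    values are tainted; a later event carrying any tainted value is tainted too, and
    its own values join the taint set. Returns (tainted indices, edges (from, to, attr))."""
    tainted = {}  # (attribute, value) -> index of the event that first carried it
    nodes, edges = [], []
    for i, ev in enumerate(events[seed:], start=seed):
        hits = [(tainted[(k, v)], i, k) for k, v in ev.items()
                if k != "type" and (k, v) in tainted]
        if i == seed or hits:
            nodes.append(i)
            edges.extend(hits)
            for k, v in ev.items():
                if k != "type":
                    tainted.setdefault((k, v), i)
    return nodes, edges

def derive_signature(events, nodes, edges):
    """Turn the taint graph into a multi-step signature: the ordered step types plus,
    for each edge, the attribute a step must share with an earlier step."""
    pos = {idx: step for step, idx in enumerate(nodes)}
    return {"steps": [events[i]["type"] for i in nodes],
            "links": sorted((pos[a], pos[b], k) for a, b, k in edges)}

def match_signature(sig, events):
    """Detect the signature in an event stream: bind steps in order (greedy first
    fit) and require every attribute link to hold between the bound events."""
    bound = []  # index of the event bound to each signature step
    for step, etype in enumerate(sig["steps"]):
        need = [(a, k) for a, b, k in sig["links"] if b == step]
        for i in range(bound[-1] + 1 if bound else 0, len(events)):
            e = events[i]
            if e["type"] == etype and all(
                    k in e and e[k] == events[bound[a]].get(k) for a, k in need):
                bound.append(i)
                break
        else:
            return False
    return True
```

Seeding at index 1 (the failed login) taints only alice's chain of events; bob's unrelated login at index 0 never enters the graph, which is what keeps the derived signature specific.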