Luke Vandenberghe, H. M. Koduvely, Maria Pospelova
Title: Detecting Internal Reconnaissance Behavior Through Classification of Command Collections
DOI: 10.1109/CSR57506.2023.10224951 (https://doi.org/10.1109/CSR57506.2023.10224951)
Venue: 2023 IEEE International Conference on Cyber Security and Resilience (CSR)
Publication date: 2023-07-31
Citations: 0
Abstract
Internal reconnaissance is the adversarial mechanism of obtaining information about an infiltrated system or network. A common method used by the adversary to acquire this information is the execution of command-line utilities. Presently, only rule-based techniques have been operationalized to directly detect this internal reconnaissance behavior. There is significant overlap between the commands entered by adversaries for this task and commands frequently issued by typical users for legitimate tasks. Deterministic detection approaches have difficulty distinguishing between internal reconnaissance and legitimate command-line behavior that falls in this overlap, resulting in high false positive rates. To more effectively distinguish internal reconnaissance behavior, stochastic techniques can be employed. This paper proposes a machine learning approach to detect internal reconnaissance through binary classification of command collections. It considers two learning methods, namely latent Dirichlet allocation (LDA) and long short-term memory (LSTM), and shows that both outperform state-of-the-art methods.