Automatic multi-step signature derivation from taint graphs
Authors: M. Ussath, Feng Cheng, C. Meinel
Published in: 2016 IEEE Symposium Series on Computational Intelligence (SSCI), 2016-12-01
DOI: 10.1109/SSCI.2016.7850076 (https://doi.org/10.1109/SSCI.2016.7850076)
An increasing number of attacks use advanced tactics, techniques and methods to compromise target systems and environments. Such multi-step attacks are often able to bypass existing prevention and detection systems, such as Intrusion Detection Systems (IDSs), firewalls and anti-virus solutions. These security systems use either an anomaly-based or a signature-based detection approach. For systems that use a signature-based approach, precise detection signatures are essential to identify attacks. Creating such signatures is often complex and time-consuming, especially for multi-step attacks. In this paper, we propose a signature derivation approach that automatically creates multi-step detection signatures from taint graphs. The approach uses the recorded log events of an attack and the event attribute tainting approach to correlate the events and to create a taint graph. This graph, which provides comprehensive details about the attack, is then used to derive a precise multi-step detection signature. Thus, this approach can reduce both the time needed to create a multi-step signature and the complexity of this process. To evaluate the proposed approach, we simulated a multi-step attack with real-world attack tools and methods. Based on the recorded log events and the implemented signature derivation system, we automatically derived a multi-step detection signature that describes all relevant events and their relations.