Laccolith: Hypervisor-Based Adversary Emulation with Anti-Detection
Vittorio Orbinato, Marco Carlo Feliciano, Domenico Cotroneo, Roberto Natella
arXiv - CS - Operating Systems, arXiv:2311.08274, published 2023-11-14
Advanced Persistent Threats (APTs) are among the most dangerous forms of attack today because they can remain undetected for long periods. Adversary emulation is a proactive way to prepare defenses against such attacks. However, existing adversary emulation tools lack the anti-detection capabilities of real APTs. We introduce Laccolith, a hypervisor-based solution for adversary emulation with anti-detection, to fill this gap. We also present an experimental study comparing Laccolith with MITRE CALDERA, a state-of-the-art adversary emulation platform, against five popular anti-virus products. We found that CALDERA cannot evade detection, even when combined with a state-of-the-art anti-detection framework, which limits the realism of the emulated attacks. Our experiments show that Laccolith hides its activities from all of the tested anti-virus products, making it suitable for realistic emulations.