JP6557774B2 - Graph-based intrusion detection using process trace - Google Patents

Description

  This application claims priority from US patent application serial number 62/148232 filed on April 16, 2015, US patent continuation application 15 filed on April 14, 2016. No./098861. In addition, this application is based on U.S. Patent Application No. 62/196404 filed July 24, 2015, and U.S. Patent Application No. 62/360572 filed Jul. 11, 2016. And the entire disclosure is incorporated herein.

  The present invention relates to computer and information security, and more particularly to host level intrusion detection with large process traces.

  Enterprise networks are highly demanding systems in the enterprise and deal with most of mission critical information. Because of their importance, these networks are often the target of attacks. In order to ensure information security in a computer network, an intrusion detection system needs to monitor the operational status of the entire network and identify scenarios associated with possible attacks or malicious behavior.

  At the host level, the detection system collects a wealth of information regarding process / program events on a particular host or machine (eg, when a program opens a file). This information allows intrusion detection systems to accurately monitor intrusion behavior, but signature-based detection techniques can no longer detect new threats, and anomaly-based detection techniques focus on detecting a single anomalous process. Or an off-line model constructed from training data with purely normal events is required.

  Above all, intrusion detection systems often rely on simultaneous or series of actions, rather than independent actions, of various system events to determine what state a given system is in . In general, this system monitoring data is a low-level process event with an accurate time stamp, or various system entities such as processes, files and sockets (eg, when a program opens a file or connects to a server) Composed of interactions between, intrusion attempts are usually higher level actions involving multiple different process events. For example, a network attack called an Advanced Persistent Threat (APT) consists of a set of computer hacking processes that continue with stealthy. APT first seeks to gain a foothold in the environment. Subsequently, APT deploys additional tools that help a virus-infected system be used to access the target network to achieve the attack objective. The gap that exists between the level of process events and the level of intrusive behavior, which process events are actually malicious, especially considering that there are a large number of "noisy" process events that occur between them Make it difficult to infer whether it is related to behavior. Thus, conventional attack detection techniques that determine individual suspicious process events are insufficient to address this scenario.

  A method for detecting malicious processes includes modeling system data as a graph having vertices representing system entities and edges representing events between the respective system entities. Each side comprises one or more time stamps corresponding to respective events between the two system entities. A set of valid path patterns associated with possible attacks is generated. One or more event sequences in the system are determined to be suspicious based on the graph and valid path patterns using a random walk on the graph.

  A system for detecting malicious processes includes a modeling module configured to model system data as a graph having vertices representing system entities and edges representing events between the respective system entities. Each side includes one or more time stamps corresponding to respective events between the two system entities. The malicious process path discovery module generates a set of valid path patterns related to a possible attack and uses a random walk on the graph to determine one or more in the system based on the graph and the valid path pattern. A processor is configured to determine that the event sequence is suspicious.

  These and other features and advantages of the present invention will become apparent to those of ordinary skill in the art by reference to the following detailed description and the accompanying drawings.

  In the present disclosure, as will be described later, preferred embodiments will be described in detail with reference to the following drawings.

FIG. 1 is a diagram of a network graph representing node communities and roles according to the present principles.

FIG. 2 is a block / flow diagram of a method for detecting community and role membership and detecting anomalies in accordance with the present principles.

FIG. 3 is a block diagram of a host level analysis module according to the present principles.

FIG. 4 is a block / flow diagram of a method for detecting a suspicious host level event sequence in accordance with the present principles.

FIG. 5 is a pseudo-code segment for detecting suspicious host-level event sequences in accordance with the present principles.

FIG. 6 is a block diagram of a processing system according to the present principles.

  According to this principle, the present embodiment provides the discovery of malicious process paths by detecting abnormal process paths related to intrusion behavior. This is achieved by using a process trace. A set of valid sequence patterns is generated and a random walk-based process is used to learn system functions and find suspicious process sequences. In order to remove the score bias from the path length, a Box-Cox power transformation is applied to normalize the anomaly score of the process sequence.

  Thus, the present embodiment provides complete evidence of an attacker's behavior trace (ie, process path) after an attack occurs. Furthermore, the present embodiment more accurately detects malicious process paths, and reduces the number of false positives and missed detections in less time and with less computational complexity. A compact graph structure may be used to reduce the memory load, a set of effective sequence patterns may be generated and used to reduce the search space, and a random walk method is used to reduce the calculation cost. It may be used. Furthermore, since this embodiment does not require training data, a new attack can be detected.

  Referring now in detail to the drawings in which like numerals represent the same or similar elements, first of all, FIG. 1 illustrates an Automatic Security Intelligence (ASI) architecture. The ASI system includes three main components. That is, the agent 10 is installed on each machine in the corporate network in order to collect operation data, the back-end server 200 receives data from the agent 10, preprocesses the data, and analyzes the preprocessed data with the analysis server 30. The analysis server 30 executes the security application program and analyzes the data.

  Each agent 10 includes an agent manager 11, agent update data 12, and agent data 13. The agent data 13 may include information regarding active processes, file access, net sockets, the number of instructions per cycle, and host information. The back-end server 20 includes an agent updater server 21 and a monitoring data storage device. Analysis server 30 includes intrusion detection 31, security policy compliance assessment 32, incident backtrack and system recovery 33, and centralized threat search and query 34.

  Referring now to FIG. 2, further details regarding intrusion detection 31 are shown in FIG. There are five modules in the intrusion detection engine. In other words, the intrusion detection engine receives data from the backend server 20 and processes the network communication (including TCP and UDP) with the data distributor 41 that distributes the corresponding data to the network level module 42 and the host level module 43. A network analysis module 42 for detecting abnormal communication events, a host level analysis module 43 for processing host level events including user-to-process events, process-to-file events, and user-to-registry events, network level anomalies and host levels An anomaly fusion module 44 that integrates anomalies and refines those results into reliable intrusion events, and a visualization module 45 that outputs the detection results to the end user.

  Referring now to FIG. 3, further details regarding the host level analysis module 43 are shown. The host level analysis module 43 includes a hardware processor 312 and a memory 314. Further, the host level analysis module 43 includes one or more functional modules stored in the memory 314 and executed by the hardware processor 312 in one embodiment. In alternative embodiments, the functional modules may be implemented as one or more individual hardware components, for example in the form of an application specific integrated chip or field programmable gate array.

  The host level analysis module 43 includes a plurality of different analysis and detection functions. The process-to-file abnormality detection module 302 receives a host level process-to-file event as an input from the data distributor 41 and finds an abnormal process-to-file event. These events may include, for example, reading or writing to a file. The user-to-process anomaly detection module 304 receives all streaming process events as input from the data distributor 41, models each user's behavior at the process level, and identifies suspicious processes performed by each user. The USB event abnormality detection module 306 examines the streaming process event and identifies all USB device related events in order to detect abnormal device operation. The process signature anomaly detection module 308 receives the process name and signature from the data distributor 41 as input, and detects a process having a suspicious signature. Finally, the malicious process path discovery module 310 receives the current active process from the data distributor 41 as a starting point, and all process paths that are at risk by combining the input event and the previous event in the time window. To monitor. Malicious process path discovery module 310 detects abnormal process sequences / paths as described in more detail below.

  Referring now to FIG. 4, FIG. 4 shows a malicious process path detection method. A blueprint graph is used as input. The blueprint graph is a heterogeneous graph composed of a historical data set of communication in the network. Each node of the blueprint graph represents a physical device of the corporate network, and each side represents a normal communication pattern between the nodes. . Block 402 performs graph modeling using a compact graph structure that captures complex interactions between system entities as an acyclic multipartite graph. Block 404 then generates a set of valid sequence patterns based on the maximum sequence length. The maximum sequence length may be set by the user, or an optimum value may be automatically determined. By forming an effective sequence pattern, the search space size of the graph is significantly reduced.

  Next, block 406 scans the graph to determine candidate event sequences that match the pattern. “Pattern” represents an ordered set of system entity types, whereas “Sequence” represents a specific ordered set of system entities. Thus, the sequence matches the pattern if the order of each type of system entity matches the pattern. The sequence is also referred to herein as a “path”.

  Block 408 applies a random walk to extract the characteristics of every entity. Based on the characteristics of the discovered entity, block 408 calculates an abnormal score for each candidate process and diagnoses how the process is abnormal. Since there are a plurality of different sequence patterns with different lengths, and the scores of two paths with different lengths cannot be directly compared, the abnormal score distribution of each sequence pattern is simply determined at block 410 using, for example, box cox power transformation. Converted to a single distribution. Block 410 measures the deviation between the suspicious sequence and the normal sequence and reports a sequence having a deviation higher than the threshold.

  Aggressive behavior often involves multiple system entities (eg, processes, files, sockets, etc.). Therefore, in this embodiment, an interaction between a plurality of different system entities is incorporated.

  The amount of information provided by system monitoring can be quite large, making it difficult to directly store and access the information to memory. However, the information has a high redundancy. Since each event record contains not only the related entities but also the attributes of those entities, redundancy can be found first in the attributes. It is redundant to store attributes repeatedly for each event. Second, it is redundant to repeatedly save events that occur on the same entity and only change the timestamps between them. Third, it is not necessary to store records that are unrelated to intrusion detection.

Accordingly, a graph model is generated by block 402 by compressing significant information and capturing from monitoring data. The graph model is represented by a directed graph G = (V, E, T). Here, T is a set of time stamps, E⊂V × V × T is a set of edges, and V = F∪P∪U∪S is a set of vertices. F is a set of files resident in the computer system, P is a set of processes, U is a set of UNIX (registered trademark) sockets, and S is a set of Internet sockets. For a specific edge (v _i , v _j ) in E, T (v _i , v _j ) represents a set of time stamps on the edge. If an edge corresponding to each event e already exists in G, the time stamp t is added to the time stamp of the edge. Otherwise, block 402 constructs such an edge in G that contains the set of time stamps T (v _i , v _j ) = {t}. In this structure, unique entity attribute values are stored only once. For each event sequence of length l, there is a corresponding path through G consisting of l edges.

  The natural way to extract the most suspicious path from the graph G is to examine all existing paths. However, it is impractical to enumerate all possible paths from a closely connected graph. To provide guidance for the candidate search at block 406, block 404 generates a set of valid route patterns B. Only routes that match a valid route pattern are associated with possible attacks and others may be discarded.

  Each path pattern B of length l includes l entities and / or entity types. As such, path pattern B may include not only specific entities (eg, specific files), but also common names of entity types in the same path. B is determined to be a valid route pattern only when there is at least a route p in G that matches B. Considering that l can be a small number, it is possible to enumerate all possible paths. By searching the graph G, all effective patterns can be extracted.

で示される。そして、

であるようなＧにおいて、少なくとも１つの経路ｐが存在する場合、Ｂは有効な経路パターンである。上記の制約に続く一例において、上記の４つのエンティティタイプ、すなわち｛Ｆ，Ｆ，ｌ｝、｛Ｆ，Ｐ，ｌ｝、｛Ｆ，Ｕ，ｌ｝及び｛Ｆ，Ｉ，ｌ｝を用いた長さ３から成る４つの可能性がある経路パターンがある。何故なら、プロセスノードだけがファイルノードをインターネットソケットノードに接続できるからである。このようにして、Ｇにおける有効な全てのパターンを発見できる。 The effective path pattern B may be generated by the expert using, for example, the expert's experience from past intrusion detection attacks. However, it can be difficult to obtain an accurate and complete set of valid route patterns from such an expert. Therefore, the route pattern may be automatically generated. Each entity is set as a specific system entity type. All paths corresponding to information leakage must start with the file entity (F) and end with the Internet socket entity (I). Given a path pεG and a path pattern B of G, p [i] and B [i] represent the i-th node in p and B, respectively. Thus, if p and B have the same length and for each l, p [i] εB [i] (ie the specific entity p [i] belongs to the entity type B [i]), the path p matches B,

Indicated by And

In G such that B is a valid route pattern if there is at least one route p. In an example following the above constraints, the above four entity types were used: {F, F, l}, {F, P, l}, {F, U, l} and {F, I, l}. There are four possible path patterns consisting of length 3. This is because only process nodes can connect file nodes to Internet socket nodes. In this way, all valid patterns in G can be found.

で定義される。 Based on the generated valid route pattern B, block 406 searches the multipart graph for routes that satisfy the pattern. Event sequence seq = {e ₁ , e ₂ ,. . . , E _r ), the graph G has an equivalent path p = {v _l , v _{2 ,.} . . , V _{r + 1} }. Since events occur in time order, time order constraints are applied to search for candidate routes. By applying the route pattern and the time order constraint to the breadth first search, the candidate route can be found by the G one-time scan. Candidate route C is

Defined by

  Even with a filtering policy based on route patterns and time order constraints, graph G may still have a large number of candidate routes, most of which are related to normal operation. Therefore, in this embodiment, a suspicious route is extracted from a larger set of candidate routes.

で計算される。ここで、Ｎはエンティティの総数であり、Ｔ（ｖ_ｉ，ｖ_ｊ）はｖ_ｉとｖ_ｊとの間でこれまでに発生したイベントのタイムスタンプの集合である。Ａ［ｉ］［ｊ］は、Ｇにおいてｖ_ｉからｖ_ｊへ情報が流れる確率を意味する。 If the related entities in the path move differently from their normal roles, block 408 determines that the candidate path is suspicious. In a computer system, information senders and receivers are identified as entity roles. The sender and recipient scores are used to set up a profile for normal operation and should be known accurately from the computer system. To achieve this, a random walk is applied to the graph G. From G, the N × N square transition matrix A is

Calculated by Here, N is the total number of entities, and T (v _i , v _j ) is a set of time stamps of events that have occurred so far between v _i and v _j . A [i] [j] means the probability that information will flow from v _i to v _{j in} G.

で表すこともできる。ここで、ゼロはゼロ部分行列を示し、矢印演算子は情報が流れる方向を示す。例えば、Ｐ→Ｆは、プロセスからファイルに対する情報の流れを示している。プロセス間インタラクションはインタラクションフローを備えていないため、Ａの非ゼロ部分行列はプロセスとファイルとの間及びプロセスとソケットとの間のみに現れ、それぞれのプロセス間には現れないことに留意されたい。これらはＵＮＩＸ（登録商標）システムによって設定される制約である。 Since A is a matrix representation of the multipart graph G,

It can also be expressed as Here, zero indicates a zero submatrix, and the arrow operator indicates the direction in which information flows. For example, P → F indicates a flow of information from the process to the file. Note that because non-process interactions do not have an interaction flow, the non-zero submatrix of A appears only between processes and files and between processes and sockets, not between each process. These are constraints set by the UNIX (registered trademark) system.

で示すように繰り返し生成できる。概説するならば、高い受信者スコアを有する、多数のエンティティへ情報を送信するエンティティは、それ自体が重要な情報送信者であり、高い送信者スコアを有する、多数のエンティティから情報を受信するエンティティは、重要な情報受信者である。したがって、エンティティの送信者及び受信者スコアは、エンティティに関連する受信者及び送信者スコアを蓄積することで反復計算される。例えば、ＵＮＩＸ（登録商標）システム上のｆｉｌｅ／ｅｔｃ／ｐａｓｓｗｄは、アクセス許可をチェックするために多くのプロセスに送信されるため、高い送信者スコア及び低い受信者スコアを有するが、めったに変更されることはない。 If X is the sender score vector, X [i] indicates the sender score of v _i , Y is the receiver score vector, initial vectors X ₀ and Y ₀ are randomly generated, and m is the current number of iterations The sender and receiver scores for each entity are

It can be generated repeatedly as shown in. In summary, an entity that sends information to a number of entities with a high recipient score is an important information sender itself, and an entity that receives information from a number of entities with a high sender score. Is an important information recipient. Thus, the entity's sender and receiver scores are iteratively calculated by accumulating the receiver and sender scores associated with the entity. For example, file / etc / passwd on a UNIX system has a high sender score and a low recipient score because it is sent to many processes to check access permissions, but rarely changes There is nothing.

で示すように繰り返し更新できる。十分に大きなｍの値に対してπ_ｍ＋１≒π_ｍであるような収束状態は起こり得る。この場合、収束状態に到達できる１つの固有の値がある。

収束状態は、収束されたベクトルが行列Ｍのみに依存するが、初期ベクトル値π_０からは独立した特性を有する。 In the result of this iterative improvement, the learned score value depends on the initial score value. However, the effect of the initial score value can be removed using the steady state characteristics of the matrix. Given a general square matrix M and a general vector π, the general vector π is

It can be updated repeatedly as shown in. A converging state such that π _{m + 1} ≈π _m can occur for a sufficiently large value of _m . In this case, there is one unique value that can reach the convergence state.

The convergence state has a characteristic independent of the initial vector value π ₀ although the converged vector depends only on the matrix M.

  In order to reach the convergence state, the matrix M needs to satisfy two conditions of irreducibility and aperiodicity. Graph G is irreducible for and only if there are at least one path between any two nodes. The period of a node is the minimum path length from the node back to itself, and the period of the graph is the greatest common divisor of all node period values. Graph G is aperiodic when and only if it is irreducible and the period of G is 1.

であり、Ｎ×Ｎ正方行列である再起動行列（restart matrix）Ｒが追加される。新たな遷移行列

は

で定義される。ここで、ｃは０と１との間の値であり、再起動比と呼ばれる。

は既約であり非周期であることが保証され、収束された送信者スコア及び受信者スコアベクトルをもたらす。収束率は、再起動率の値をコントロールすることで制御できる。収束を確実にするために用いるいくつかの反復に関する１つの例示的な値は約１０である。 Since the system graph G is not necessarily strongly connected, the above iteration does not necessarily reach convergence. To ensure convergence, each cell value is

And a restart matrix R which is an N × N square matrix is added. New transition matrix

Is

Defined by Here, c is a value between 0 and 1 and is called a restart ratio.

Is guaranteed to be irreducible and non-periodic, resulting in a converged sender score and receiver score vector. The convergence rate can be controlled by controlling the restart rate value. One exemplary value for several iterations used to ensure convergence is about 10.

で計算される。 Based on the sender and receiver scores, given a route p, the anomaly score for the route is
Score (p) = 1-NS (p)

Calculated by

で定義できる。ここで、Ｔは正規化関数である。 As mentioned above, the anomaly scores for different length paths have different distributions. Therefore, in order to compare the suspicion of different length paths, a transformation is performed that replaces different length paths with the same conditions. The path anomaly score can have any distribution and is generally not a normal distribution. The suspicion of the route of length r is

Can be defined. Here, T is a normalization function.

である。ここで、λは正規化パラメータである。λに関する異なる値は異なる変換された分布を生じる。目的は、通常の分布（すなわち、Ｔ（Ｂ，λ）〜Ν（μ，σ^２））に可能な限り近い正規化分布が生じるλの値を選択することである。 The top k suspicious paths are those with the highest suspicion scores. Mathematically, a transformation that changes a normal distribution to any other distribution is feasible, but it is difficult to obtain its inverse function. In order to solve this problem, the Box Cox power transformation is used as a normalization function. In particular, if Q (r) is shown as a set of anomaly scores calculated from a path of length r for each score qεQ (r)

It is. Here, λ is a normalization parameter. Different values for λ result in different transformed distributions. The goal is to select the value of λ that yields a normalized distribution that is as close as possible to the normal distribution (ie, T (B, λ) to Ν (μ, σ ² )).

  The top k suspicious paths are not considered related to intrusion attacks unless they are sufficiently discriminatory from the normal path. In order to measure the deviation from the suspicious path from the normal path, a t-value is calculated between the two groups of paths. Since there are many normal paths, an efficient solution based on Monte Carlo simulation is used that calculates expected values and variances from relatively small sample sizes without calculating the sum.

  When a suspicious path is detected, the host level analysis module 43 provides information about the anomaly and generates a report that includes one or more alerts. Anomaly fusion module 44 integrates these host level alerts with other host and network level anomalies and automatically removes false alarms. The resulting list of anomalies is provided to the user via the visualization module 45. In alternative embodiments, obvious anomalies or classes of anomalies may be addressed automatically, for example by deploying security measures or mitigations. In a specific example, the automatic response to the detected abnormality may be shut down until the administrator can inspect the device that exhibits the abnormal operation.

Reference is now made to FIG. 5, which shows pseudo code for finding the top k suspicious paths “SP”. Sender and recipient score vectors X and Y are created using a random walk process. The queue of file F _X is sorted according to descending X, and the queue of file F _Y is sorted descending Y. Similarly, queues for processes P _X and P _Y , queues for UNIX sockets U _X and U _Y , and queues for Internet sockets S _X and S _Y are created. The path is then processed to find a set of paths that match the event sequence pattern and time constraints.

  The embodiments described herein may be implemented in hardware, may be implemented in software, and may include both hardware and software elements. In a preferred embodiment, the present invention can be implemented in software, including but not limited to firmware, resident software, microcode, etc.

  Embodiments include a computer program product that provides program code for use by or in connection with a computer or any instruction execution system, accessible from a computer, or accessible from a computer. May be included. A computer-usable or computer-readable medium includes any device that stores, transmits, propagates, or transmits programs used by or in connection with an instruction execution system, device, or apparatus. May be included. The medium may be a magnetic medium, an optical medium, an electronic medium, an electromagnetic medium, an infrared medium, or a semiconductor system (or apparatus or device), or a propagation medium. Such media may include computer readable media such as semiconductor or solid state memory, magnetic tape, removable computer diskettes, random access memory (RAM), read only memory (ROM), rigid magnetic disks and optical disks. .

  Each computer program is stored on a machine-readable storage medium or device (eg, program memory or magnetic disk) that can be read by a general purpose or special purpose programmable computer. The computer program is for a setting and control operation of the computer that is read from a storage medium or device by a computer that performs the procedures described herein. The system of the present invention also includes a computer readable storage medium including a computer program configured to cause a computer to operate in a specific and predefined manner that performs the functions described herein. Be considered.

  A data processing system suitable for storing and / or executing program code may include at least one processor coupled directly or indirectly to memory elements through a system bus. This memory element contains local memory, bulk storage, and at least some program code used during the actual execution of program code to reduce the number of times code is retrieved from the bulk storage during processing. You may provide the cache memory which memorize | stores temporarily. Input / output or I / O devices (including but not limited to keyboards, displays, pointing devices, etc.) may be connected to the system either directly or through an I / O controller.

  A network adapter may be connected to the system to allow the data processing system to be connected to other data processing systems or remote printers or storage devices via a private or public network. . Modems, cable modems and Ethernet cards are just a handful of the types of network adapters currently available.

  Referring now to FIG. 6, FIG. 6 shows an example of a processing system 600 that can be applied to the analysis server 30, the intrusion detection system 31, and / or the host level analysis module 43. Processing system 600 includes at least one processor (CPU) 604 operatively connected to other components via a system bus 602. The system bus 602 includes a cache 606, a read only memory (ROM) 608, a random access memory (RAM) 610, an input / output (I / O) adapter 620, a sound adapter 630, a network adapter 640, a user interface adapter 650, and a display. An adapter 660 is operably connected.

  The first storage device 622 and the second storage device 624 are operably connected to the system bus 602 by an I / O adapter 620. The storage devices 622 and 624 may be disk storage devices (for example, magnetic disk storage devices or optical disk storage devices), solid magnetic devices, or the like. The storage devices 622 and 624 may be the same type of storage device or different types of storage devices.

  The speaker 632 is operatively connected to the system bus 602 by a sound adapter 630. The transceiver 642 is operatively connected to the system bus 602 by a network adapter 640. Display device 662 is operatively connected to system bus 602 by display adapter 660.

  The first user input device 652, the second user input device 654, and the third user input device 656 are operatively connected to the system bus 602 by a user interface adapter 650. The user input devices 652, 654, and 656 are any of a keyboard, a mouse, a keypad, an image capture device, a motion sensing device, a microphone, or a device that incorporates functions of at least two of these devices. Also good. Other types of input devices can be used as long as the spirit of the present principle is maintained. User input devices 652, 654 and 656 may be the same type of user input device or different types of user input devices. User input devices 652, 654 and 656 are used to input information to and output information from system 600.

  The processing system 600 may include other elements (not shown) that would be readily conceivable by those skilled in the art, and certain elements may be omitted. For example, as will be readily appreciated by those skilled in the art, processing system 600 may include a variety of other input devices and / or output devices depending on the detailed implementation thereof. For example, a variety of wireless and / or wired input devices and / or output devices can be used. Further, as can be easily understood by those skilled in the art, various configurations of additional processors, controllers, memories, and the like can be used. These and other variations of the processing system 600 will be readily apparent to those skilled in the art from the teachings of the present principles provided herein.

  It should be understood that the foregoing is illustrative and exemplary in all respects and not limiting, and the scope of the invention disclosed herein is determined from the detailed description. It should not be determined from the claims, but should be construed based on the maximum breadth permitted by the patent law. The embodiments illustrated and described herein are merely illustrative of the principles of the invention and various modifications can be made by those skilled in the art without departing from the scope and spirit of the invention. I want you to understand. Those skilled in the art can implement various other feature combinations without departing from the scope and spirit of the invention. While the embodiments of the present invention have been described with details and specialities required by the Patent Law, the scope of the claims requiring protection by the patent certificate is set forth in the appended claims. .

Claims (20)

A method for detecting malicious processes,
Computer
And a side representing vertices and event between entities for each system which represent the system entities, as a graph with one or more time stamp corresponding to each of the events between the sides of the two system entities Model system data ,
Generate a set of valid path patterns related to possible attacks ,
Using said random walk on a graph, you determine suspect one or more event sequences in the system based on the graph and the valid route patterns, method. Entity of the system, the file in the system, the process in the system, including the Internet socket in UNIX (registered trademark) socket and said system in said system, method according to claim 1. The method of claim 1, wherein the valid pattern is determined based on an entity type characteristic of the system.   The method of claim 3, wherein the valid path pattern is determined based on a definition provided by a security expert through experience based on past intrusion attacks. The method of claim 1, wherein determining that the one or more event sequences are suspicious comprises the computer performing a breadth-first search for candidate paths in the graph.   The method of claim 5, wherein the breadth-first search comprises a time order constraint based on a time stamp of the edge. Said one or more event sequences is determined that suspicious has said computer, determines that the entity on the sides are shifted from the role of the hand through the normally relates these entities, claims The method according to 1. The determining that entities are deviating from the normal role with respect to those entities comprises the computer determining a sender score for the sender entity and a receiver score for the receiver entity. 8. The method according to 7. 9. Determining one or more event sequences as suspicious comprises the computer calculating an anomaly score based on the sender score and receiver score of each entity in each event sequence. The method described. The method of claim 9, wherein determining one or more event sequences as suspicious comprises the computer normalizing an anomaly score using a boxcox power transform. A system for detecting malicious processes,
Graph with one or more time stamps and a side representing the vertices and events between the entities for each system, each side corresponding to each of the events between the two systems entities that represent system entities A modeling module configured to model system data as
Generate a set of valid route patterns associated with possible attacks and use a random walk on the graph to suspect one or more event sequences in the system based on the graph and the valid route pattern A malicious process path discovery module comprising a processor configured to determine;
Having a system. 12. The system of claim 11, wherein the system entities comprise a file in the system, a process in the system, a UNIX socket in the system, and an internet socket in the system. The system of claim 11, wherein the malicious process path discovery module is further configured to determine a valid pattern based on characteristics of an entity type of the system.   The system of claim 13, wherein the malicious process path discovery module is further configured to determine a valid path pattern based on definitions provided by a security expert with experience based on past intrusion attacks. .   The system of claim 11, wherein the malicious process path discovery module is further configured to perform a breadth-first search of candidate paths within the graph.   The system of claim 15, wherein the breadth-first search comprises a time order constraint based on a time stamp of the edge.   The system of claim 11, wherein the malicious process path discovery module is further configured to determine whether the entities on an edge have deviated from their normal roles with respect to those entities.   The system of claim 17, wherein the malicious process path discovery module is further configured to determine a sender score of a sender entity and a receiver score of a recipient entity.   The system of claim 18, wherein the malicious process path discovery module is further configured to calculate an anomaly score based on the sender score and receiver score of each entity in each event sequence.   The system of claim 19, wherein the malicious process path discovery module is further configured to normalize an anomaly score using a boxcox power transform.

Images