You Cannot Escape Me: Detecting Evasions of SIEM Rules in Enterprise Networks
- URL: http://arxiv.org/abs/2311.10197v2
- Date: Tue, 19 Dec 2023 20:54:12 GMT
- Title: You Cannot Escape Me: Detecting Evasions of SIEM Rules in Enterprise Networks
- Authors: Rafael Uetz, Marco Herzog, Louis Hackländer, Simon Schwarz, Martin Henze
- Abstract summary: We present AMIDES, an open-source proof-of-concept adaptive misuse detection system.
We show that AMIDES successfully detects a majority of these evasions without any false alerts.
- Score: 2.310746340159112
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Cyberattacks have grown into a major risk for organizations, with common consequences being data theft, sabotage, and extortion. Since preventive measures do not suffice to repel attacks, timely detection of successful intruders is crucial to stop them from reaching their final goals. For this purpose, many organizations utilize Security Information and Event Management (SIEM) systems to centrally collect security-related events and scan them for attack indicators using expert-written detection rules. However, as we show by analyzing a set of widespread SIEM detection rules, adversaries can evade almost half of them easily, allowing them to perform common malicious actions within an enterprise network without being detected. To remedy these critical detection blind spots, we propose the idea of adaptive misuse detection, which utilizes machine learning to compare incoming events to SIEM rules on the one hand and known-benign events on the other hand to discover successful evasions. Based on this idea, we present AMIDES, an open-source proof-of-concept adaptive misuse detection system. Using four weeks of SIEM events from a large enterprise network and more than 500 hand-crafted evasions, we show that AMIDES successfully detects a majority of these evasions without any false alerts. In addition, AMIDES eases alert analysis by assessing which rules were evaded. Its computational efficiency qualifies AMIDES for real-world operation and hence enables organizations to significantly reduce detection blind spots with moderate effort.
Related papers
- Visually Analyze SHAP Plots to Diagnose Misclassifications in ML-based Intrusion Detection [0.3199881502576702] (arXiv, 2024-11-04)
  Intrusion detection systems (IDS) can essentially mitigate threats by providing alerts. To detect these threats, various machine learning (ML) and deep learning (DL) models have been proposed. In this paper, we propose an explainable artificial intelligence (XAI) based visual analysis approach using overlapping SHAP plots.
- HADES: Detecting Active Directory Attacks via Whole Network Provenance Analytics [7.203330561731627] (arXiv, 2024-07-26)
  Active Directory (AD) is a top target of Advanced Persistent Threat (APT) actors. We propose HADES, the first PIDS capable of performing accurate causality-based cross-machine tracing. We introduce a novel lightweight authentication anomaly detection model rooted in our analysis of AD attacks.
- Rethinking the Vulnerabilities of Face Recognition Systems: From a Practical Perspective [53.24281798458074] (arXiv, 2024-05-21)
  Face Recognition Systems (FRS) have increasingly been integrated into critical applications, including surveillance and user authentication. Recent studies have revealed vulnerabilities in FRS to adversarial attacks (e.g., adversarial patch attacks) and backdoor attacks (e.g., training data poisoning).
- Illusory Attacks: Information-Theoretic Detectability Matters in Adversarial Attacks [76.35478518372692] (arXiv, 2022-07-20)
  We introduce epsilon-illusory, a novel form of adversarial attack on sequential decision-makers. Compared to existing attacks, we empirically find epsilon-illusory to be significantly harder to detect with automated methods. Our findings suggest the need for better anomaly detectors, as well as effective hardware- and system-level defenses.
- Early Detection of Network Attacks Using Deep Learning [0.0] (arXiv, 2022-01-27)
  A network intrusion detection system (IDS) is a tool used for identifying unauthorized and malicious behavior by observing the network traffic. We propose an end-to-end early intrusion detection system to prevent network attacks before they can cause any more damage to the system under attack.
- SAGE: Intrusion Alert-driven Attack Graph Extractor [4.530678016396476] (arXiv, 2021-07-06)
  Attack graphs (AGs) are used to assess the pathways available to cyber adversaries for penetrating a network. We propose to automatically learn AGs based on actions observed through intrusion alerts, without prior expert knowledge.
- A Rule Mining-Based Advanced Persistent Threats Detection System [2.75264806444313] (arXiv, 2021-05-20)
  Advanced persistent threats (APT) are stealthy cyber-attacks aimed at stealing valuable information from target organizations. Provenance tracking and trace mining are considered promising, as they can help find causal relationships between activities and flag suspicious event sequences as they occur. We introduce an unsupervised method that exploits OS-independent features reflecting process activity to detect realistic APT-like attacks from provenance traces.
- TANTRA: Timing-Based Adversarial Network Traffic Reshaping Attack [46.79557381882643] (arXiv, 2021-03-10)
  We present TANTRA, a novel end-to-end Timing-based Adversarial Network Traffic Reshaping Attack. Our evasion attack utilizes a long short-term memory (LSTM) deep neural network (DNN) which is trained to learn the time differences between the target network's benign packets. TANTRA achieves an average success rate of 99.99% in network intrusion detection system evasion.
- No Need to Know Physics: Resilience of Process-based Model-free Anomaly Detection for Industrial Control Systems [95.54151664013011] (arXiv, 2020-12-07)
  We present a novel framework to generate adversarial spoofing signals that violate physical properties of the system. We analyze four anomaly detectors published at top security conferences.
- Measurement-driven Security Analysis of Imperceptible Impersonation Attacks [54.727945432381716] (arXiv, 2020-08-26)
  We study the exploitability of Deep Neural Network-based Face Recognition systems. We show that factors such as skin color, gender, and age impact the ability to carry out an attack on a specific target victim. We also study the feasibility of constructing universal attacks that are robust to different poses or views of the attacker's face.
- Investigating Robustness of Adversarial Samples Detection for Automatic Speaker Verification [78.51092318750102] (arXiv, 2020-06-11)
  This work proposes to defend ASV systems against adversarial attacks with a separate detection network. A VGG-like binary classification detector is introduced and demonstrated to be effective at detecting adversarial samples.