Leveraging Root Cause Analysis for Mimicry Attack Detection
Published
Author
Type
Master's thesis
Master's Thesis
Model builder
Journal title
ISSN
Volume title
Publisher
Abstract
Cyber attacks are a constant threat to all computer systems, and there are many different approaches to detecting attacks in real time. One such approach is a Host-Based Intrusion Detection System (HIDS), which detects threats on a single host machine. A recent addition to HIDS is Provenance Graphs [1], [2], which create a representation of the flow of all system calls. Many of these systems condense the provenance data for increased space efficiency. This, however, creates a vulnerability to a type of evasion attack called a Mimicry Attack. Mimicry Attacks work by copying benign sequences of system calls and injecting them into the attack to mask its malicious intent. This thesis aims to combat this vulnerability by incorporating coarse-grained Root Cause Analysis (RCA) into Provenance-Graph-based HIDSs (Prov-HIDS). Earlier attempts at fine-grained RCA, where the analysis is done at the process level, have been successful in detecting Mimicry Attacks. These solutions have, however, had significant overhead, consuming most of the host's resources [3]. The thesis aims to combat this issue by utilising the summarisation approach of coarse-grained detection models on the system's root nodes. This solution increases the context available to the classification models during threat detection. The detection accuracy increased from 13.4% for the Unicorn Prov-HIDS to 99.5% with the RCA implementation when evaluated against the StreamSpot dataset, with only a 4.97% increase in execution time and a 2.17% increase in peak memory consumption. However, the RCA implementation also caused misclassification of benign data. The findings also raise concerns about the reliability of existing datasets. To address these challenges, new dataset criteria are proposed, and the development of a new, high-quality dataset is essential to advance research in this field.
Description
Subject/keywords
Mimicry Attack, HIDS, Prov-HIDS, Root Cause Analysis, APT, Provenance Graph
