English

ProblemChild: Discovering Anomalous Patterns based on Parent-Child Process Relationships

Cryptography and Security 2020-08-12 v1

Abstract

It is becoming more common that adversary attacks consist of more than a standalone executable or script. Often, evidence of an attack includes conspicuous process heritage that may be ignored by traditional static machine learning models. Advanced attacker techniques, like "living off the land" that appear normal in isolation become more suspicious when observed in a parent-child context. The context derived from parent-child process chains can help identify and group malware families, as well as discover novel attacker techniques. Adversaries chain these techniques to achieve persistence, bypass defenses, and execute actions. Traditional heuristic-based detections often generate noise or disparate events that belong to what constitutes a single attack. ProblemChild is a graph-based framework designed to address these issues. ProblemChild applies a supervised learning classifier to derive a weighted graph used to identify communities of seemingly disparate events into larger attack sequences. ProblemChild applies conditional probability to automatically rank anomalous communities as well as suppress commonly occurring parent-child chains. In combination, this framework can be used by analysts to aid in the crafting or tuning of detectors and reduce false-positives over time. We evaluate ProblemChild against the 2018 MITRE ATT&CK(TM) emulation of APT3 attack to demonstrate its promise in identifying anomalous parent-child process chains.

Keywords

Cite

@article{arxiv.2008.04676,
  title  = {ProblemChild: Discovering Anomalous Patterns based on Parent-Child Process Relationships},
  author = {Bobby Filar and David French},
  journal= {arXiv preprint arXiv:2008.04676},
  year   = {2020}
}

Comments

VirusBulletin 2019

R2 v1 2026-06-23T17:46:36.239Z