Research area: Safety
Venue: SN Computer Science
With the increasing use of Unix-based operating systems for web servers and IoT devices, it has become crucial to detect attacks performed on these critical devices. Detection can be done at multiple layers of David Bianco's Pyramid of Pain [http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html], which consists of the following layers: TTPs, Tools, Network/Host Artifacts, Domain Names, IP Addresses, and Hash Values. As the majority of recent work focuses on machine learning to detect attacks, the focus of this paper is the detection of attacks predominantly at the TTP, Tool, and Network/Host Artifact levels using heuristic-based detection. This provides detection in depth alongside machine learning models by catching known-bad activity that machine learning models sometimes miss. Using osquery, we created a real-time heuristic-based detection script for Linux. This script takes in each log entry from osquery and matches it against various conditions to detect initial connections, lateral movement, and privilege escalation.
| Publication year | 2022 |
|---|---|
| Citations | 0 |
| Publication country | British Indian Ocean Territory, Andorra |
| Site | Springer |
| Likes | 0 |