http://dx.doi.org/10.33778/kcsa.2021.21.3.013

MITRE ATT&CK and Anomaly detection based abnormal attack detection technology research  

Hwang, Chan-Woong (Department of Information Security, Hoseo University)
Bae, Sung-Ho (Department of Information Security, Hoseo University)
Lee, Tae-Jin (Division of Computer Engineering, Hoseo University)
Abstract
Attackers' techniques and tools are becoming intelligent and sophisticated, and existing anti-virus software cannot prevent security incidents, so security threats on the endpoint must also be considered. EDR security solutions for protecting endpoints have emerged recently, but they focus on visibility, and detection and response capability are still lacking. In this paper, we use real-world EDR event logs and combine knowledge-based MITRE ATT&CK mapping with autoencoder-based anomaly detection to detect anomalies, in order to screen effective analysis targets from a security manager's perspective. Detected signs of anomalous attacks are then shown to the security manager as an alarm together with the log information, and the alarm can be connected to legacy systems. The experiment ran detection over 5 days of EDR event logs and verified the results with Hybrid Analysis searches. The approach is therefore expected to report when, and which IPs and processes, are suspected based on the EDR event log, and to create a secure endpoint environment through measures taken on the suspicious IP/process.
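The pipeline the abstract describes (EDR events in, ATT&CK-tagged and anomaly-scored alarms out, naming when, which host/IP and which process is suspected) can be sketched end to end. The following is an added example and not the authors' code: the event line format, the ten constructed sample events (with IPs from the RFC 5737 documentation ranges), the three ATT&CK rules in the knowledge table and the alarm threshold are all assumptions, and the frequency-based rarity score is a transparent stand-in for the paper's autoencoder reconstruction error, not a reimplementation of it.

```python
"""Illustrative EDR-event triage pipeline (added example; not the paper's code).

Stages, mirroring the abstract: parse EDR events -> tag them with MITRE
ATT&CK technique IDs from a small knowledge table -> score each event's
rarity against the observation window -> raise an alarm that names when,
which host/IP and which process is suspected.

Assumptions (not from the paper): the event line format, the three ATT&CK
rules, the threshold, and the frequency-based rarity score, which stands in
for the paper's autoencoder reconstruction error.
"""
import math
import shlex
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample events (not real telemetry). Fields per line:
# timestamp host process parent "command line" destination_ip ("-" if none).
# IPs are taken from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = """\
2021-05-01T09:00:01Z host-a chrome.exe explorer.exe "chrome.exe --type=renderer" 192.0.2.10
2021-05-01T09:00:05Z host-a chrome.exe explorer.exe "chrome.exe --type=renderer" 192.0.2.10
2021-05-01T09:01:10Z host-b outlook.exe explorer.exe "outlook.exe" 198.51.100.20
2021-05-01T09:02:00Z host-a chrome.exe explorer.exe "chrome.exe --type=renderer" 192.0.2.10
2021-05-01T09:03:30Z host-b chrome.exe explorer.exe "chrome.exe --type=renderer" 192.0.2.10
2021-05-01T09:04:00Z host-b outlook.exe explorer.exe "outlook.exe" 198.51.100.20
2021-05-01T09:05:00Z host-a outlook.exe explorer.exe "outlook.exe" 198.51.100.20
2021-05-01T09:06:00Z host-a chrome.exe explorer.exe "chrome.exe --type=renderer" 192.0.2.10
2021-05-01T09:07:42Z host-b powershell.exe winword.exe "powershell.exe -nop -w hidden -enc <BASE64>" 203.0.113.7
2021-05-01T09:07:50Z host-b schtasks.exe powershell.exe "schtasks.exe /create /tn Updater /sc minute" -
"""


@dataclass
class Event:
    timestamp: str
    host: str
    process: str
    parent: str
    cmdline: str
    dst_ip: str
    raw: str


@dataclass
class Alarm:
    when: str
    host: str
    process: str
    parent: str
    dst_ip: str
    score: float
    severity: str
    techniques: list = field(default_factory=list)
    raw: str = ""  # original log line, shown to the analyst with the alarm


def parse_events(text):
    """Parse one EDR event per line; shlex keeps the quoted command line as one field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = shlex.split(line)
        if len(fields) != 6:
            raise ValueError(f"malformed event line: {line!r}")
        events.append(Event(*fields, raw=line))
    return events


# Small knowledge table: (ATT&CK technique ID, name, predicate). Assumed rules, not the paper's.
ATTACK_RULES = [
    ("T1059.001", "Command and Scripting Interpreter: PowerShell",
     lambda e: e.process == "powershell.exe"
     and ("-enc" in e.cmdline.lower() or "-encodedcommand" in e.cmdline.lower())),
    ("T1053.005", "Scheduled Task/Job: Scheduled Task",
     lambda e: e.process == "schtasks.exe" and "/create" in e.cmdline.lower()),
    ("T1047", "Windows Management Instrumentation",
     lambda e: e.process == "wmic.exe"),
]


def tag_techniques(event):
    """Return the technique IDs whose rule matches this event."""
    return [tid for tid, _name, matches in ATTACK_RULES if matches(event)]


def rarity_scores(events):
    """Negative log-frequency of the (parent, process) pair plus the destination IP.

    Higher means rarer within the observation window. This is a stand-in for the
    autoencoder reconstruction error used in the paper.
    """
    n = len(events)
    pair_counts = Counter((e.parent, e.process) for e in events)
    ip_counts = Counter(e.dst_ip for e in events if e.dst_ip != "-")
    n_ip = sum(ip_counts.values())
    scores = []
    for e in events:
        score = -math.log(pair_counts[(e.parent, e.process)] / n)
        if e.dst_ip != "-":
            score += -math.log(ip_counts[e.dst_ip] / n_ip)
        scores.append(score)
    return scores


def triage(events, threshold=3.0):
    """Combine the knowledge-based tags with the anomaly score into analyst alarms."""
    alarms = []
    for event, score in zip(events, rarity_scores(events)):
        techniques = tag_techniques(event)
        if score < threshold and not techniques:
            continue  # common behaviour with no known technique: not worth analyst time
        severity = "high" if techniques and score >= threshold else "medium"
        alarms.append(Alarm(when=event.timestamp, host=event.host, process=event.process,
                            parent=event.parent, dst_ip=event.dst_ip, score=round(score, 3),
                            severity=severity, techniques=techniques, raw=event.raw))
    return alarms


if __name__ == "__main__":
    for a in triage(parse_events(SAMPLE_EVENTS)):
        print(f"[{a.severity}] {a.when} {a.host} {a.parent} -> {a.process} "
              f"dst={a.dst_ip} score={a.score} techniques={a.techniques}")
        print("    ", a.raw)
```

On the constructed window the two rare events are the only alarms: the PowerShell launch from winword.exe to a never-before-seen IP is both ATT&CK-tagged and far above the rarity threshold (high), while the scheduled-task creation is tagged but, having no network destination, scores like an ordinary event (medium). Replacing `rarity_scores` with a trained autoencoder's per-event reconstruction error leaves the rest of the pipeline unchanged.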
Keywords
EDR; MITRE ATT&CK; Anomaly Detection; AutoEncoder; Process Analysis;