Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

PARIS: A Practical, Adaptive Trace-Fetching and Real-Time Malicious Behavior Detection System

Jian Wang, Lingzhi Wang, Husheng Yu, Xiangmin Shen, Yan Chen

TL;DR

PARIS, an adaptive trace fetching, lightweight, real-time malicious behavior detection system that decreases the overhead on the host in terms of memory, bandwidth, and CPU usage with a similar detection accuracy to the baselines that suffer from the high overhead.

Abstract

The escalating sophistication of cyber-attacks and the widespread utilization of stealth tactics have led to significant security threats globally. Nevertheless, the existing static detection methods exhibit limited coverage, and traditional dynamic monitoring approaches encounter challenges in bypassing evasion techniques. Thus, it has become imperative to implement nuanced and dynamic analysis to achieve precise behavior detection in real time. There are two pressing concerns associated with current dynamic malware behavior detection solutions. Firstly, the collection and processing of data entail a significant amount of overhead, making it challenging to be employed for real-time detection on the end host. Secondly, these approaches tend to treat malware as a singular entity, thereby overlooking varied behaviors within one instance. To fill these gaps, we propose PARIS, an adaptive trace fetching, lightweight, real-time malicious behavior detection system. Specifically, we monitor malicious behavior with Event Tracing for Windows (ETW) and learn to selectively collect maliciousness-related APIs or call stacks, significantly reducing the data collection overhead. As a result, we can monitor a wider range of APIs and detect more intricate attack behavior. We implemented a prototype of PARIS and evaluated the system overhead, the accuracy of comparative behavior recognition, and the impact of different models and parameters. The result demonstrates that PARIS can reduce over 98.8% of data compared to the raw ETW trace and hence decreases the overhead on the host in terms of memory, bandwidth, and CPU usage with a similar detection accuracy to the baselines that suffer from the high overhead. Furthermore, a breakdown evaluation shows that 80% of the memory and bandwidth savings and a complete reduction in CPU usage can be attributed to our adaptive trace-fetching collector.

PARIS: A Practical, Adaptive Trace-Fetching and Real-Time Malicious Behavior Detection System

TL;DR

PARIS, an adaptive trace fetching, lightweight, real-time malicious behavior detection system that decreases the overhead on the host in terms of memory, bandwidth, and CPU usage with a similar detection accuracy to the baselines that suffer from the high overhead.

Abstract

The escalating sophistication of cyber-attacks and the widespread utilization of stealth tactics have led to significant security threats globally. Nevertheless, the existing static detection methods exhibit limited coverage, and traditional dynamic monitoring approaches encounter challenges in bypassing evasion techniques. Thus, it has become imperative to implement nuanced and dynamic analysis to achieve precise behavior detection in real time. There are two pressing concerns associated with current dynamic malware behavior detection solutions. Firstly, the collection and processing of data entail a significant amount of overhead, making it challenging to be employed for real-time detection on the end host. Secondly, these approaches tend to treat malware as a singular entity, thereby overlooking varied behaviors within one instance. To fill these gaps, we propose PARIS, an adaptive trace fetching, lightweight, real-time malicious behavior detection system. Specifically, we monitor malicious behavior with Event Tracing for Windows (ETW) and learn to selectively collect maliciousness-related APIs or call stacks, significantly reducing the data collection overhead. As a result, we can monitor a wider range of APIs and detect more intricate attack behavior. We implemented a prototype of PARIS and evaluated the system overhead, the accuracy of comparative behavior recognition, and the impact of different models and parameters. The result demonstrates that PARIS can reduce over 98.8% of data compared to the raw ETW trace and hence decreases the overhead on the host in terms of memory, bandwidth, and CPU usage with a similar detection accuracy to the baselines that suffer from the high overhead. Furthermore, a breakdown evaluation shows that 80% of the memory and bandwidth savings and a complete reduction in CPU usage can be attributed to our adaptive trace-fetching collector.

Paper Structure

This paper contains 47 sections, 7 equations, 16 figures, 6 tables, 3 algorithms.

Table of Contents

  1. Introduction
  2. Background
  3. Malicious Behaviors in APT Attacks
  4. ETW-based Audit Logging
  5. Motivation Example
  6. System Overview
  7. Threat Model
  8. Framework
  9. Malicious Behavior Modeling
  10. PHF-Irrelevant events reduction
  11. API Selection
  12. API Association Analysis
  13. Select API from Detection Model
  14. Call Stack Selection
  15. Detection Model
  16. ...and 32 more sections

Figures (16)

  • Figure 1: Trade off between two strategies
  • Figure 2: APT attack lifecycle.
  • Figure 3: A parsed full call stack example in ETW event.
  • Figure 4: Motivation Example. (The red dotted box shows the process call stack information)
  • Figure 5: The structure of PARIS, including the behavior modeling part (training phase) and real-time detecting part (detecting phase). (The blocks in blue represent the data processing pipeline before detection.)
  • ...and 11 more figures