DOI: 10.1145/3243734.3243811

Tiresias: Predicting Security Events Through Deep Learning

Published: 15 October 2018

    Abstract

    With the increased complexity of modern computer attacks, there is a need for defenders not only to detect malicious activity as it happens, but also to predict the specific steps that will be taken by an adversary when performing an attack. However, this is still an open research problem, and previous research in predicting malicious events only looked at binary outcomes (e.g., whether an attack would happen or not), but not at the specific steps that an attacker would undertake. To fill this gap we present Tiresias, a system that leverages Recurrent Neural Networks (RNNs) to predict future events on a machine, based on previous observations. We test Tiresias on a dataset of 3.4 billion security events collected from a commercial intrusion prevention system, and show that our approach is effective in predicting the next event that will occur on a machine with a precision of up to 0.93. We also show that the models learned by Tiresias are reasonably stable over time, and provide a mechanism that can identify sudden drops in precision and trigger a retraining of the system. Finally, we show that the long-term memory typical of RNNs is key in performing event prediction, rendering simpler methods not up to the task.
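    As an added illustration (not code from the paper or its authors), the retraining trigger the abstract describes: a toy next-event predictor stands in for the RNN, per-window precision is measured against the observed event stream, and a sudden drop relative to earlier windows raises a retraining flag. The event streams, the bigram model and the drop threshold are assumptions made here.

```python
from collections import Counter, defaultdict

# Constructed sample: per-machine streams of security-event IDs, as an IPS would
# emit them. Assumed shape only; the paper's real 3.4-billion-event data is not here.
TRAIN = [[1, 2, 3, 4], [1, 2, 3, 4], [1, 2, 5, 4], [7, 8, 9]] * 3
SHIFTED = [[1, 2, 9, 6], [1, 2, 9, 6], [7, 8, 6]] * 3   # machines after a drift

def fit_next_event(streams, order=2):
    """Toy next-event model: most frequent successor of the last `order` events.
    Stand-in for the paper's RNN; unlike an RNN it has no long-term memory."""
    counts = defaultdict(Counter)
    for s in streams:
        for i in range(order, len(s)):
            counts[tuple(s[i - order:i])][s[i]] += 1
    return {ctx: c.most_common(1)[0][0] for ctx, c in counts.items()}

def window_precision(model, streams, order=2):
    """Precision over one monitoring window: correct predictions / predictions made."""
    made = correct = 0
    for s in streams:
        for i in range(order, len(s)):
            pred = model.get(tuple(s[i - order:i]))
            if pred is None:
                continue                  # model abstains on an unseen context
            made += 1
            correct += pred == s[i]
    return correct / made if made else 0.0

def retrain_needed(history, current, max_drop=0.2, min_history=2):
    """Flag a sudden drop: current precision is more than `max_drop` below the
    mean of earlier windows (assumed threshold, not the paper's)."""
    if len(history) < min_history:
        return False
    baseline = sum(history) / len(history)
    return baseline - current > max_drop

def monitor(model, windows, **kw):
    """Score windows in order; return (precisions, index of first flagged window or None)."""
    precisions, flagged = [], None
    for idx, w in enumerate(windows):
        p = window_precision(model, w)
        if flagged is None and retrain_needed(precisions, p, **kw):
            flagged = idx
        precisions.append(p)
    return precisions, flagged
```

    On the constructed data the model scores 6/7 on the training-like windows and 0.0 once behaviour drifts, so the third window is flagged for retraining.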

    Supplementary Material

    MP4 File (p592-shen.mp4)




    Published In

    CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
    October 2018
    2359 pages
    ISBN: 9781450356930
    DOI: 10.1145/3243734
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].


    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. prediction
    2. recurrent neural network
    3. system security

    Qualifiers

    • Research-article

    Funding Sources

    • EPSRC

    Conference

    CCS '18

    Acceptance Rates

    CCS '18 paper acceptance rate: 134 of 809 submissions, 17%
    Overall acceptance rate: 1,261 of 6,999 submissions, 18%


    Article Metrics

    • Downloads (Last 12 months)195
    • Downloads (Last 6 weeks)11
    Reflects downloads up to 27 Jul 2024


    Cited By

    • (2024) Log2Graph: A graph convolution neural network based method for insider threat detection. Journal of Computer Security, 10.3233/JCS-230092, pp. 1-24. Online publication date: 24-Apr-2024.
    • (2024) T-Trace: Constructing the APTs Provenance Graphs Through Multiple Syslogs Correlation. IEEE Transactions on Dependable and Secure Computing, 10.1109/TDSC.2023.3273918, 21:3, pp. 1179-1195. Online publication date: May-2024.
    • (2024) A Robust and Efficient Risk Assessment Framework for Multi-Step Attacks. 2024 7th International Conference on Information and Computer Technologies (ICICT), 10.1109/ICICT62343.2024.00056, pp. 309-314. Online publication date: 15-Mar-2024.
    • (2024) The Missing Link in Network Intrusion Detection: Taking AI/ML Research Efforts to Users. IEEE Access, 10.1109/ACCESS.2024.3406939, 12, pp. 79815-79837. Online publication date: 2024.
    • (2024) CL-AP: A composite learning approach to attack prediction via attack portraying. Journal of Network and Computer Applications, 10.1016/j.jnca.2024.103963, 230 (103963). Online publication date: Oct-2024.
    • (2024) Detecting APT attacks using an attack intent-driven and sequence-based learning approach. Computers and Security, 10.1016/j.cose.2024.103748, 140:C. Online publication date: 1-May-2024.
    • (2024) Integrating AI-driven threat intelligence and forecasting in the cyber security exercise content generation lifecycle. International Journal of Information Security, 10.1007/s10207-024-00860-w, 23:4, pp. 2691-2710. Online publication date: 10-May-2024.
    • (2024) Detecting Illicit Data Leaks on Android Smartphones Using an Artificial Intelligence Models. Artificial Intelligence Applications and Innovations, 10.1007/978-3-031-63215-0_14, pp. 186-200. Online publication date: 19-Jun-2024.
    • (2024) Forecasting Malware Incident Rates in Higher Education Institutions. Advanced Information Networking and Applications, 10.1007/978-3-031-57916-5_20, pp. 226-237. Online publication date: 9-Apr-2024.
    • (2023) Auditing frameworks need resource isolation. Proceedings of the 32nd USENIX Conference on Security Symposium, 10.5555/3620237.3620258, pp. 355-372. Online publication date: 9-Aug-2023.
