The Josef Ressel Center for Unified Threat Intelligence on Targeted Attacks (TARGET) is a research institution operated by the St. Pölten University of Applied Sciences. The mission of the center is to explore novel techniques for detecting and mitigating targeted attacks.
Stefan Marschalek, Robert Luh and Sebastian Schrittwieser. Endpoint data classification using Markov chains.
Behavior based analysis of software executed in a sandbox environment has become an established part of malware and APT detection. In this paper, we explore a unique approach to conduct such an analysis based on data generated by live corporate workstations.
We specifically collect high-level Windows events via a real-time kernel monitoring agent and build event propagation trees on top of it. Those trees are representative for the behavior exhibited by the programs running on the monitored machine. After a necessary discretization phase we use a moderately modified version of the Markov chain algorithm to create a distance matrix based on the discretized behavioral profiles. Distance based clustering is then applied to classify the processes in question.
We evaluated our approach on a goodware dataset collected on actively used workstations. Initial results show that the Markov approach can be used to reliably classify arbitrary processes and helps identify potentially harmful outliers.
Martin Valicek, Gregor Schramm, Martin Pirker and Sebastian Schrittwieser. Creation and Integration of Remote High Interaction Honeypots.
The internet connects an uncountable number of users and their devices, no one has a global overview anymore. This state of constant chaos poses the problem of detecting novel, previously unknown attacks and attackers, and therefore requires creative strategies to detect and study them as early as possible. One approach is the use of honeypots to bait attacks into separate, dedicated systems and study them there. This paper explores the construction of high-interaction honeypots based on Docker containers, both for Windows and Linux operating systems. A core challenge is the transparent integration of honeypots into an existing company’s network, although they are located off-site and not directly on a company’s premises. We report practical prototyping experiences with Linux and Windows as container hosts for a diverse set of services and the limits we encountered in current software versions as they impede our effort.
Sebastian Eresheim, Robert Luh, Sebastian Schrittwieser. The Evolution of Process Hiding Techniques in Malware – Current Threats and Possible Countermeasures. Journal of Information Processing (JIP) – Special issue of “Computer Security Technologies against Sophisticated Cyber Attacks”. 2017
Rootkits constitute a significant threat to modern computing and information systems. Since their first appearance in the early 1990’s they have steadily evolved, adapting to ever-improving security measures. One central aspect rootkits have in common is the ability to hide their malicious presence and activities from the operating system and its legitimate users.
In this paper we systematically analyze process hiding techniques routinely used by rootkit malware. We summarize the characteristics of the different approaches and discuss their advantages and limitations. Furthermore, we assess detection and prevention techniques that have been introduced in operating systems in response to the threat of hidden malware. Our results show that the arms race between rootkit authors and defenders is far from over. At the same time we see a pronounced shift towards powerful VM-based techniques that will continue to evolve over the coming years.
Peter Kieseberg, Sebastian Schrittwieser, Bernd Malle, Edgar Weippl, Andreas Holzinger. Das Testen von Algorithmen in sensibler datengetriebener Forschung. 41. WI-MAW-Rundbrief der Gesellschaft für Informatik (GI), 2017
German Abstract: Datengetrieben Forschung ist ein wesentlicher Bestandteil in der Entwicklung neuer Methoden zur Modellbildung und Simulation, aber auch im Bereich des Machine Learning und darauf aufbauender neuer und zukunftsweisender Forschungsgebiete. Speziell in den letzten Jahren hat sich datengetriebene Forschung als die treibende Kraft in verschiedensten wissenschaftlichen Disziplinen etabliert, angefangen von medizinischer Forschung (z.B. Biomarker Research für Personalisierte Medizin), bis hin zur Automatisierungstechnik (Selbstfahrende Fahrzeuge, Industrie 4.0 etc.). Ein wesentliches Problem ist dabei stets der Umgang mit sensiblen – insbesondere mit personenbezogenen – Daten. Während solche Datenmengen besonderem Schutz unterliegen, ist es für das Testen von neuen Algorithmen unumgänglich, möglichst realitätsnahe Datenmengen zu verwenden. Im Rahmen dieses Artikels stellen wir einige Grundproblematiken der datengetriebenen Forschung dar und diskutieren einige Lösungsansätze.
Our poster “Design of an Anomaly-based Threat Detection & Explication System” got accepted at SACMAT 2017.
Abstract: The poster corresponding to this summary depicts a proposition of a system able to explain anomalous behavior within a user session by considering anomalies identified through their deviation from a set of baseline process graphs.
We adapt star structures, a bipartite representation used to approximate the edit distance between two graphs. Relevant processes are selected from a dictionary of benign and malicious traces generated through a sentiment-like bigram extraction and scoring system based on the log likelihood ratio test.
We prototypically implemented smart anomaly explication through a number of competency questions derived and evaluated by a decision tree. The determined key factors are ultimately mapped to a dedicated APT attack stage ontology that considers actions, actors, as well as target assets.
Robert Luh, Sebastian Schrittwieser, Stefan Marschalek. “LLR-based sentiment analysis for kernel event sequences”. Proceedings of the 31st IEEE International Conference on Advanced Information Networking and Applications (AINA), 2017
Behavior-based analysis of dynamically executed binaries has become a widely used technique for the identification of suspected malware. Most solutions rely on function call patterns to determine whether a sample is exhibiting malicious behavior. These system and API calls are usually regarded individually and do not consider contextual information or process inter-dependencies. In addition, the patterns are often fixed in nature and do not adapt to changing circumstances on the system environment level.
To address these shortcomings, this paper proposes a sentiment extraction and scoring system capable of learning the maliciousness inherent to n-grams of kernel events captured by a real-time monitoring agent. The approach is based on calculating the log likelihood ratio (LLR) of all identified n-grams, effectively determining neighboring sequences as well as assessing whether certain event combinations incline towards the benign or malicious. The extraction component automatically compiles a WordNet-like sentiment dictionary of events, which is subsequently used to score unknown traces of either individual processes, or a session in its entirety.
The system was evaluated using a large set of real-world event traces collected on live corporate workstations as well as raw API call traces created in a dedicated malware analysis environment. While applicable to both scenarios, the introduced solution performed best for our abstracted kernel events, generating both new insight into malware-system interaction and assisting with the scoring of hitherto unknown application behavior.
Robert Luh, Sebastian Schrittwieser, Stefan Marschalek, Helge Janicke. Design of an Anomaly-based Threat Detection & Explication System. Proceedings of the 3rd International Conference on Information Systems Security and Privacy (ICISSP), 2017
Current signature-based malware detection systems are heavily reliant on fixed patterns that struggle with unknown or evasive applications, while behavior-based solutions usually leave most of the interpretative work to a human analyst. In this paper, we propose a system able to explain anomalous behavior within a user session by considering anomalies identified through their deviation from a set of baseline process graphs. To minimize computational requirements we adapt star structures, a bipartite representation used to approximate the edit distance between two graphs. Baseline templates are generated automatically and adapt to the nature of the respective process. We prototypically implement smart anomaly explication through a number of competency questions derived and evaluated using the decision tree algorithm. The determined key factors are ultimately mapped to a dedicated APT attack stage ontology that considers actions, actors, as well as target assets.
Robert Luh, Gregor Schramm, Markus Wagner and Sebastian Schrittwieser, “Sequitur-based inference and analysis framework for malicious system behavior”, 1st International Workshop on FORmal methods for Security Engineering (ForSE)
Targeted attacks on IT systems are a rising threat against the confidentiality of sensitive data and the availability of critical systems. With the emergence of Advanced Persistent Threats (APTs), it has become more important than ever to fully understand the particulars of such attacks. Grammar inference offers a powerful foundation for the automated extraction of behavioral patterns from sequential system traces.
In order to facilitate the interpretation and analysis of APTs, we present a grammar inference system based on Sequitur, a greedy compression algorithm that constructs a context-free grammar (CFG) from string-based input data. Next to recursive rule extraction, we expanded the procedure through automated assessment routines capable of dealing with multiple input sources and types. This enables the identification of relevant patterns in sequential corpora of arbitrary quantity and size. On the formal side, we extended the CFG with attributes that help depict the extracted (malicious) actions in a comprehensive fashion. The tool’s output is automatically mapped to the grammar for further parsing and discovery-focused pattern visualization.
Julian Rauchberger, Robert Luh, Sebastian Schrittwieser. Longkit – A UEFI/BIOS Rootkit in the System Management Mode. ICISSP 2017
The theoretical threat of malware inside the BIOS or UEFI of a computer has been known for almost a decade. It has been demonstrated multiple times that exploiting the System Management Mode (SMM), an operating mode implemented in the x86 architecture and executed with high privileges, is an extremely powerful method for implanting persistent malware on computer systems. However, previous BIOS/UEFI malware concepts described in the literature often focused on proof-of-concept implementations and did not have the goal of demonstrating the full range of threats stemming from SMM malware. In this paper, we present Longkit, a novel framework for BIOS/UEFI malware in the SMM. Longkit is universal in nature, meaning it is fully written in position-independent assembly and thus also runs on other BIOS/UEFI implementations with minimal modifications. The framework fully supports the 64-bit Intel architecture and is memory-layout aware, enabling targeted interaction with the operating system’s kernel. With Longkit we are able to demonstrate the full potential of malicious code in the SMM and provide researchers of novel SMM malware detection strategies with an easily adaptable rootkit to help evaluate their methods.
Her Majesty’s Ambassador to the Republic of Austria and UK Permanent Representative to the United Nations Leigh Turner visited the St. Poelten University of Applied Sciences. Robert Luh, researcher at the JRC TARGET and external PhD student at De Montfort University in Leicester (UK) talked about our research at TARGET.
Sebastian Schrittwieser and Julian Rauchberger presented our work on System Management Mode malware at DeepSec 2016.
Title: Advanced Concepts for SMM Malware
Abstract: Hiding malware inside the BIOS/UEFI of a computer has long been deemed a theoretical threat rather than an actual attack vector. Implementation seemed too difficult and the benefits for malicious actors aiming for quick profits were considered negligible. However, with the recent rise of Advanced Persistent Threats (APTs) and state-sponsored attacks, sophisticated targeted attacks are now considered a realistic threat. For skilled attackers seeking for high stealth and persistence rather than widespread infection, the BIOS/UEFI of a computer provides an ideal target. The System Management Mode (SMM) is a legacy mode of operation available in x86 and x86-64 CPUs. Originally, SMM was intended to be used for maintenance tasks such as power and thermal management. It is a highly privileged mode of operation which has free I/O access, can directly interact with memory and has no hardware memory protections enabled.
Our talk starts with a historical overview on previous SMM-based attacks. Most existing approaches are simple proof-of-concept implementations that do not explore the potential of threats stemming from SMM malware. In response to this deficit we present novel, advanced concepts for SMM malware, focussing on stealth, portability (including full Intel 64-bit support), and OS (memory layout) awareness of malware. Our talk aims at encouraging further research into the threat of SMM malware and enables the development of practical countermeasures against BIOS/UEFI malware.
Robert Luh and Martin Pirker presented our research at ITSeCX 2016.
Title: Love and Hate – Sentiment Analysis for Unkown Applications
Abstract: Sentiment analysis is commonly used to determine emotions in written statements by evaluating significant terms in a corpus of text. In our research, we use an adapted approach to classify applications by their runtime behavior. The result is a „dictionary“ of system events that, akin to natural language, specify whether an entity is expressing malicious or benign tendencies. This talk will introduce the sentiment concept and demonstrate how such dictionaries can be used to score unknown computer programs.
Title (german): Sicherheit und ihre Zustände
Abstract (german): Jeder benutzt Computer, ohne sie ist das moderne Leben nur mehr schwer vorstellbar. Allerdings, kann man Computern vertrauen, dass sie ihre Aufgabe(n) zuverlässig erledigen? Wie kann man den aktuellen Sicherheitszustand von einem PC feststellen? Wie detailliert geht das überhaupt? Dieser Vortrag beschäftigt sich mit dem Kernproblem „Trust in Computing“ und spannt die Brücke zur aktuellen Forschungsarbeit im JRZ TARGET.
Robert Luh, Sebastian Schrittwieser and Stefan Marschalek. TAON: An ontology-based approach to mitigating targeted attacks
Targeted attacks on IT systems are a rising threat against the confidentiality of sensitive data and the availability of systems and infrastructures. Planning for the eventuality of a data breach or sabotage attack has become an increasingly difficult task with the emergence of advanced persistent threats (APTs), a class of highly sophisticated cyber-attacks that are nigh impossible to detect using conventional signature-based systems.
Understanding, interpreting, and correlating the particulars of such advanced targeted attacks is a major research challenge that needs to be tackled before behavior-based approaches can evolve from their current state to truly semantics-aware solutions. Ontologies o er a versatile foundation well suited for depicting the complex connections between such behavioral data and the diverse technical and organizational properties of an IT system.
In order to facilitate the development of novel behavior-based detection systems, we present TAON, an OWL-based ontology offering a holistic view on actors, assets, and threat details, which are mapped to individual abstracted events and anomalies that can be detected by today’s monitoring data providers. TOAN offers a straightforward means to plan an organization’s defense against APTs and helps to understand how, why, and by whom certain resources are targeted. Populated by concrete data, the proposed ontology becomes a smart correlation framework able to combine several data sources into a semantic assessment of any targeted attack.
The ERCIM News No.107 has been published at http://ercim-news.ercim.eu/en107/
We contributed to the article Privacy Aware Machine Learning and the “Right to be forgotten” by Bernd Malle, Peter Kieseberg, Sebastian Schrittwieser, and Andreas Holzinger.
Peter Kieseberg, Sebastian Schrittwieser, Edgar Weippl, Andreas Holzinger. Testing Algorithms in Sensitive Data Driven Research. 14. Anwenderkonferenz (ASQT 2016) Softwarequalität, Test und Innovation.
Martin Pirker and Andreas Nusser. Assessment of Server State via Inter-Clone Differences.
Damjan Buhov, Richard Thron, Sebastian Schrittwieser. Catch Me If You Can! Transparent Detection Of Shellcode.
The ERCIM News No. 105 has been published at http://ercim-news.ercim.eu/en105/
We contributed to the article “Detection of Data Leaks in Collaborative Data Driven Research” by Peter Kieseberg, Edgar Weippl and Sebastian Schrittwieser.
Robert Luh, Stefan Marschalek, Manfred Kaiser, Helge Janicke, Sebastian Schrittwieser. Semantics-aware detection of targeted attacks – A survey. Journal of Computer Virology and Hacking Techniques, Springer. Accepted for publication 2016.
Abstract: In today’s interconnected digital world, targeted attacks have become a serious threat to conventional computer systems and critical infrastructure alike. Many researchers contribute to the fight against network intrusions or malicious software by proposing novel detection systems or analysis methods. However, few of these solutions have a particular focus on Advanced Persistent Threats (APTs) or similarly sophisticated multi-stage attacks. This turns finding domain-appropriate methodologies or developing new approaches into a major research challenge.
To overcome these obstacles, we present a structured review of semantics-aware works that have a high potential for contributing to the analysis or detection of targeted attacks. We introduce a detailed literature evaluation schema in addition to a highly granular model for article categorization. Out of 123 identified papers, 60 were found to be relevant in the context of this study. The selected articles are comprehensively reviewed and assessed in accordance to Kitchenham’s guidelines for systematic literature reviews.
In conclusion, we combine new insights and the status quo of current research into the concept of an ideal systemic approach capable of semantically processing and evaluating information from different observation points.
Sebastian Schrittwieser hosts the CMG-AE Symposium “Cyber-Abwehr in der Praxis – Wie sichere ich sensible Systeme ab?” on April 19th, 2016 (10am – 2pm) at St. Pölten University of Applied Sciences.
German Abstract: Sensible IT-Systemen sind einerseits EDV-Systeme mit entscheidendem Einfluss auf den Geschäftsgang von Anwendern und sind andererseits über das Vorhandensein sie betreffender spezifischer Datenschutzregelungen definiert (Fertigungssteuerungen, Kundendatenverwaltung, …). Ihre Robustheit gegen Cyberangriffe ist durch Entwicklung neuartiger Angriffsszenarien in Gefahr.
Bei der Tagung wollen wir Strategien und Technologien zur Abwehr von Angriffen auf sensible IT-Systeme vorstellen und mit Ihnen diskutieren. Besonderes Augenmerk wollen wir diesmal auf Social Engineering im Zusammenhang mit sensiblen IT-Systemen legen.
Registration: [email protected]
Sebastian Schrittwieser, Stefan Katzenbeisser, Johannes Kinder, Georg Merzdovnik, Edgar Weippl. Protecting Software through Obfuscation: Can It Keep Pace with Progress in Code Analysis? Accepted for publication in ACM Computing Surveys. 2016
Abstract: Software obfuscation has always been a highly controversially discussed research area. While theoretical results indicate that provably secure obfuscation in general is impossible, its widespread application in malware and commercial software shows that it is nevertheless popular in practice. Still, it remains largely unexplored to what extent todays software obfuscations keep up with state-of-the-art code analysis, and where we stand in the arms race between software developers and code analysts. The main goal of this survey is to analyze the effectiveness of different classes of software obfuscation against the continuously improving de-obfuscation techniques and off-the-shelf code analysis tools. The answer very much depends on the goals of the analyst and the available resources. On the one hand, many forms of lightweight static analysis have difficulties with even basic obfuscation schemes, which explains the unbroken popularity of obfuscation among malware writers. On the other hand, more expensive analysis techniques, in particular when used interactively by a human analyst, can easily defeat many obfuscations. As a result, software obfuscation for the purpose of intellectual property protection remains highly challenging.
The 1st International Workshop on Targeted Attacks and Mitigation Strategies is going to be held in conjunction with the 11th International Conference on Availability, Reliability and Security (August 31 – September 2, 2016) in Salzburg, Austria.
The workshop aims at bringing together experts from academia and industry to share their research, ideas, knowledge and experience in the analysis and mitigation of targeted attacks.
Call for Papers – Topics of interest comprise but are not limited to:
- Threats and Attack Modeling
- Malware detection and analysis
- Intrusion Detection
- Incident Response and Prevention
- Privacy Enhancing Technologies
- Safety Critical Systems
Submission Deadline: April 18, 2016
The submission guidelines valid for the workshop are the same as for the ARES conference. They can be found here.