Stefan Marschalek, Robert Luh and Sebastian Schrittwieser. Endpoint data classification using Markov chains.
Behavior based analysis of software executed in a sandbox environment has become an established part of malware and APT detection. In this paper, we explore a unique approach to conduct such an analysis based on data generated by live corporate workstations.
We specifically collect high-level Windows events via a real-time kernel monitoring agent and build event propagation trees on top of it. Those trees are representative for the behavior exhibited by the programs running on the monitored machine. After a necessary discretization phase we use a moderately modified version of the Markov chain algorithm to create a distance matrix based on the discretized behavioral profiles. Distance based clustering is then applied to classify the processes in question.
We evaluated our approach on a goodware dataset collected on actively used workstations. Initial results show that the Markov approach can be used to reliably classify arbitrary processes and helps identify potentially harmful outliers.
Martin Valicek, Gregor Schramm, Martin Pirker and Sebastian Schrittwieser. Creation and Integration of Remote High Interaction Honeypots.
The internet connects an uncountable number of users and their devices, no one has a global overview anymore. This state of constant chaos poses the problem of detecting novel, previously unknown attacks and attackers, and therefore requires creative strategies to detect and study them as early as possible. One approach is the use of honeypots to bait attacks into separate, dedicated systems and study them there. This paper explores the construction of high-interaction honeypots based on Docker containers, both for Windows and Linux operating systems. A core challenge is the transparent integration of honeypots into an existing company’s network, although they are located off-site and not directly on a company’s premises. We report practical prototyping experiences with Linux and Windows as container hosts for a diverse set of services and the limits we encountered in current software versions as they impede our effort.