Detecting Windows Based Exploit Chains by Means of Event Correlation and Process Monitoring

  • Muhammad Mudassar Yamiun (corresponding author)
  • Basel Katt
  • Vasileios Gkioulos
Conference paper
Part of the Lecture Notes in Networks and Systems book series (LNNS, volume 70)

Abstract

This article presents a novel algorithm for detecting exploit chains in a Windows-based environment. An exploit chain is a group of exploits that executes synchronously in order to exploit the system. Unlike high-risk vulnerabilities that allow system exploitation in a single execution step, an exploit chain takes advantage of multiple medium- and low-risk vulnerabilities. These are grouped to form a chain of exploits that, when executed, achieves exploitation of the system. Experiments were performed to check the effectiveness of the developed algorithm against multiple anti-virus/anti-malware solutions available on the market.

Keywords

Exploit chain, Event correlation, Process monitoring, Windows, Process correlation

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  • Muhammad Mudassar Yamiun (1, corresponding author)
  • Basel Katt (1)
  • Vasileios Gkioulos (1)
  1. Department of Information Security and Communication Technology, Norwegian University of Science and Technology, Gjøvik, Norway