EP-4022476-B1 - CONTEXT INFORMED ABNORMAL ENDPOINT BEHAVIOR DETECTION

Inventors

  • MEIR, SHAI
  • COHEN, Dany
  • MIASNIKOV, Arkady
  • OHAYON, Ohad

Dates

Publication Date
20260513
Application Date
20200828

Claims (12)

  1. A method comprising: determining (701), from event information, a first process identifier of a first process and an endpoint identifier of a first endpoint; identifying (702) a set of one or more process profiles from a plurality of process profiles based, at least in part, on the first process identifier and the endpoint identifier, wherein the set of process profiles indicates process activity of the first process determined to be statistically normal with respect to process activity of the first process on a plurality of endpoints within at least one scope that includes the first endpoint, wherein each profile includes an entry that indicates a combination of an activity type indicated in the event information and a first file path; normalizing a second file path indicated in the event information, wherein normalizing the second file path comprises: identifying, from a first set of file path elements in the second file path indicated in the event information, a set of common file path elements associated with a first set of standard file path elements; replacing the set of common file path elements in the first path with the first set of standard file path elements; identifying a type of file path associated with the second file path; identifying a set of randomized file path elements from the set of file path elements; replacing the set of randomized file path elements with a second set of standard file path elements; and synthesizing the first set of standard file path elements, the second set of standard file path elements, and the type of file path; evaluating (707) the event information against the set of process profiles to determine whether the event information conforms to at least a first of the set of process profiles, wherein evaluating the event information against the set of process profiles comprises determining whether a first of the set of process profiles includes an entry that indicates a combination of an activity type indicated in the event information and wherein the first file path included in the entry at least partially matches the second file path; and based on a determination that the event information does not conform to at least a first of the set of process profiles, indicating (715) that the event information corresponds to an abnormality for the first process.
  2. The method of claim 1, further comprising detecting the event information from monitoring the first process on the first endpoint.
  3. The method of any of the preceding claims, further comprising determining the event information from an alarm and marking the alarm as a false positive based on a determination that the event information at least conforms to a first of the set of process profiles.
  4. The method of any of the preceding claims, wherein identifying the set of process profiles from the plurality of process profiles comprises identifying at least one process profile having a scope encompassing more than one endpoint.
  5. The method of claim 1, wherein identifying the set of randomized file path elements comprises: for each file path element in the second file path, determining a likelihood that the file path element is randomized based, at least in part, on a statistical model; and based on the likelihood being above a threshold likelihood, adding the file path element to the set of randomized file path elements.
  6. The method of any of claims 1-5, further comprising: based on a determination that the event information does not conform to at least a first of the set of process profiles, determining a causality graph corresponding to the first process, wherein the causality graph is a directed graph comprising a plurality of nodes corresponding to processes and wherein a directed edge between nodes corresponds to a process initiating another process; and inputting the causality graph or data generated from the causality graph into a trained detection model to determine likelihood that the causality graph corresponds to a threat or attack.
  7. The method of claim 6, wherein determining the causality graph corresponding to the first process comprises determining at least one of a set of processes and a set of events that both directly and indirectly relate to the first process.
  8. A non-transitory, computer-readable medium having program code stored thereon, the program code comprising instructions to perform any of the methods according to the previous claims.
  9. An apparatus comprising: a processor; and a machine-readable medium having instructions stored thereon that are executable by the processor to cause the apparatus to perform the method in accordance with any of claims 1 - 7.
  10. The apparatus in accordance with claim 9, wherein performing the method in accordance with any of claims 1 - 7 comprises: determine a plurality of processes that do not conform to a plurality of process profiles corresponding to the plurality of processes, by performing the method in accordance with any of claims 1 - 7 for each process in the plurality of processes; and, wherein the machine-readable medium further has stored thereon instructions executable by the processor to cause the apparatus to: identify a serialized plurality of processes from the plurality of processes based, at least in part, on an abnormal causality chain of processes indicated in event information for the plurality of processes; determine, based on inputting an indication of the serialized plurality of processes into a trained detection model, a likelihood that activity of the serialized plurality of processes is abnormal; and based on the likelihood being higher than a threshold likelihood, indicate a malicious attack corresponding to the serialized plurality of processes.
  11. The apparatus of claim 10, wherein the machine-readable medium further has stored thereon instructions executable by the processor to cause the apparatus to: identify a set of one or more causality chains of processes indicated in the event information based, at least in part, on the plurality of processes and a causality graph corresponding to the plurality of processes, wherein the causality graph is a directed graph comprising a plurality of nodes corresponding to processes and wherein a directed edge between nodes corresponds to a process initiating another process; and determine the abnormal causality chain of processes based, at least in part, on statistics from event information corresponding to causality chains for the plurality of processes.
  12. The apparatus of claim 11, wherein the machine-readable medium further has stored thereon instructions executable by the processor to cause the apparatus to generate the causality graph corresponding to the plurality of processes based, at least in part, on a determination that event information for a first process in the plurality of processes and event information for a second process in the plurality of processes are directly or indirectly related.
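A worked illustration of claim 1's file path normalization and profile evaluation, together with claim 5's likelihood test for randomized path elements, added here as example code that is not part of the patent. The prefix table, the digit/hex scoring model standing in for the "statistical model", the threshold, the prefix-match reading of "at least partially matches", and the profile entries are all constructed assumptions, since the claims do not fix them.

```python
import re

# Constructed stand-in for the "first set of standard file path elements": common
# prefixes ("*" matches any single element, e.g. a user name) mapped to canonical
# tokens. An assumption for illustration, not the patent's own table.
COMMON_ELEMENTS = {
    ("c:", "users", "*"): "<USER_PROFILE>",
    ("c:", "windows", "system32"): "<SYSTEM32>",
    ("c:", "program files"): "<PROGRAM_FILES>",
}
RANDOM_TOKEN = "<RANDOM>"      # the "second set of standard file path elements"
RANDOM_THRESHOLD = 0.6         # claim 5's threshold likelihood (constructed value)

def randomness_likelihood(element):
    """Toy statistical model (assumption): blend of digit share and hex-alphabet
    share over the alphanumeric stem; high for GUIDs and temp-file names."""
    stem = re.sub(r"[^0-9a-z]", "", element.lower().rsplit(".", 1)[0])
    if len(stem) < 6:
        return 0.0
    digit_share = sum(c.isdigit() for c in stem) / len(stem)
    hex_share = sum(c in "0123456789abcdef" for c in stem) / len(stem)
    return 0.5 * digit_share + 0.5 * hex_share

def normalize_path(path):
    """Claim 1's normalization: replace common prefix, replace randomized elements,
    then synthesize with the path type, e.g. 'windows:<SYSTEM32>/drivers/etc/hosts'."""
    elements = [e.lower() for e in re.split(r"[\\/]+", path.strip()) if e]
    kind = "windows" if re.fullmatch(r"[a-z]:", elements[0]) else "posix"
    for pattern, token in sorted(COMMON_ELEMENTS.items(), key=lambda kv: -len(kv[0])):
        head = elements[:len(pattern)]
        if len(head) == len(pattern) and all(p in ("*", e) for p, e in zip(pattern, head)):
            elements = [token] + elements[len(pattern):]
            break  # longest matching prefix wins
    elements = [RANDOM_TOKEN if randomness_likelihood(e) > RANDOM_THRESHOLD else e
                for e in elements]
    return kind + ":" + "/".join(elements)

def conforms(profiles, activity, path):
    """Claim 1's evaluation: True if some profile holds an entry with the event's
    activity type whose (already normalized) path is a prefix of the event path."""
    norm = normalize_path(path)
    return any(act == activity and norm.startswith(entry)
               for profile in profiles for act, entry in profile)

# Constructed profile for one process at a scope spanning many endpoints.
PROFILES = [{("file_write", "windows:<USER_PROFILE>/appdata/local/temp"),
             ("file_read", "windows:<PROGRAM_FILES>/microsoft office")}]
```

An event whose normalized path has no matching entry (for example a write under `<SYSTEM32>` by a process profiled only for temp-file writes) is the case claim 1 flags as an abnormality.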

Description

BACKGROUND

The disclosure generally relates to the field of information security, and to modeling, design, simulation, or emulation. In the context of monitoring a device or network of endpoint devices (hereinafter "endpoints"), malicious entities will exploit vulnerabilities in common system processes to deliver one or more stages of an attack. Examples of known attacks that exploit processes running in an operating system (OS) include process hollowing, doppelganger attacks, code injection, and using known process names. Often the attack can exploit a zero-day vulnerability, meaning that the network of endpoints is oblivious to the vulnerability being exploited while the attack is carried out.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the disclosure may be better understood by referencing the accompanying drawings.

  • Figure 1 is a conceptual diagram of a profile generator generating adaptive normal profiles.
  • Figure 2 depicts an example adaptive normal profile.
  • Figure 3 is a conceptual diagram of deployment of a malicious behavior detection system.
  • Figure 4 is a flowchart of example operations for filtering and storing event data using a bucketed event database.
  • Figure 5 is a flowchart of example operations for generating an adaptive normal profile.
  • Figure 6 is a flowchart of example operations for detecting abnormal process activity with adaptive normal profiles.
  • Figure 7 depicts a flowchart of example operations for filtering alarms with adaptive normal process profiles.
  • Figure 8 is a flowchart of example operations for identifying causality chains in event data.
  • Figure 9 is a flowchart of example operations for detecting malicious attack chains.
  • Figure 10 depicts an example computer with an adaptive normal profile generator and an adaptive normal profile guided security monitor.

DESCRIPTION

The description that follows includes example systems, methods, techniques, and program flows that embody embodiments of the disclosure. However, it is understood that this disclosure may be practiced without these specific details. For instance, this disclosure refers to systems for endpoint security in illustrative examples. Aspects of this disclosure can instead be applied to cloud security, behavioral analytics, security information and event management, Internet of Things (IoT) security and other types of network security. In other instances, well-known instruction instances, protocols, structures and techniques have not been shown in detail in order not to obfuscate the description.

Overview

In the context of monitoring a network of endpoints in order to detect possible malicious behavior/attacks that exploit network vulnerabilities, it can be difficult to accurately identify threats without knowing the type or source of the attack (e.g., if the attacker uses a zero-day vulnerability). Any given process running on an endpoint in the network can generate thousands or millions of events that could potentially indicate an attack. Moreover, an event indicating abnormal behavior for an endpoint in one context could be a normal event for a similar endpoint in a different context. Generic threat detection methods suffer from an overabundance of false positives - events identified as malicious that are not malicious for a given endpoint. A security framework has been developed that can consume a high volume of events from numerous devices and process the events to generate profiles that capture "normal" behavior despite the meaning of "normal" being adapted to a specific context, while increasing accuracy in flagging abnormal process behavior. The security framework includes a component, which is referred to herein as a profile generator, that creates this "adaptive normal profile" based on behavior/activity at different scopes - individual endpoint scope and at least one scope encompassing more than one endpoint.

This adaptive normal profile is generated and maintained based on common events observed at the endpoints running the process. To account for the variability of normal in the profiles, event data is filtered and aggregated in several steps, starting with agents deployed on the endpoints themselves ("endpoint agents") filtering and then aggregating the event data from a single endpoint. The endpoint agents forward the filtered and aggregated event data to a database. This filtered and aggregated event data can be further filtered by importance qualifiers depending on the significance of the relevant processes and endpoints (e.g., is the process indicated as high value, is the device deployed in a high security environment). The filtered and aggregated event data is normalized by an event normalizer. The event normalizer converts the event data into a standardized, bucketed format that groups events from distinct endpoints into the same bucket if they are functionally similar or identical (e.g., if the events correspond to the same process running on distinct endpoints). Using the bucketed events, adaptive normal pr