HESPIDS: A Hierarchical and Extensible System for Process Injection Detection using Sysmon
| Field | Value |
| --- | --- |
| dc.contributor.author | Thomas, Rodney |
| dc.contributor.author | Steiner, Stuart |
| dc.contributor.author | Conte De Leon, Daniel |
| dc.date.accessioned | 2021-12-24T18:28:51Z |
| dc.date.available | 2021-12-24T18:28:51Z |
| dc.date.issued | 2022-01-04 |
| dc.description.abstract | Advanced Persistent Threat (APT) actors are increasingly utilizing Living-off-the-Land (LotL) cyber attack techniques to avoid detection. LotL techniques abuse legitimate functionality to perform malicious cyber activities. A common LotL attack technique that is currently very difficult to detect and prevent is malicious process injection (MITRE ATT&CK Process Injection, ID T1055). We report on the initial results for HESPIDS: A Hierarchical and Extensible System for Process Injection Detection using Sysmon. We developed a hierarchical graph-based detection approach for accurate and automated detection of five process injection techniques in Windows clients. These techniques include four of the 11 T1055 sub-techniques (DLL Injection, PE Injection, APC Injection, and Process Hollowing) and one T1056 sub-technique, API Hooking (T1056.004). Within the limitations of our small testing environment, our novel detection approach exhibits very high sensitivity and specificity. HESPIDS demonstrates a promising avenue for the development of automated detection of advanced cybersecurity threats. |
| dc.format.extent | 10 pages |
| dc.identifier.doi | 10.24251/HICSS.2022.905 |
| dc.identifier.isbn | 978-0-9981331-5-7 |
| dc.identifier.uri | http://hdl.handle.net/10125/80247 |
| dc.language.iso | eng |
| dc.relation.ispartof | Proceedings of the 55th Hawaii International Conference on System Sciences |
| dc.rights | Attribution-NonCommercial-NoDerivatives 4.0 International |
| dc.rights.uri | https://creativecommons.org/licenses/by-nc-nd/4.0/ |
| dc.subject | Cyber Operations, Defence, and Forensics |
| dc.subject | advanced persistent threats |
| dc.subject | living off the land |
| dc.subject | process injection |
| dc.title | HESPIDS: A Hierarchical and Extensible System for Process Injection Detection using Sysmon |
| dc.type.dcmi | text |