Cyberattacks have grown into a major risk for organizations, with common consequences being data theft, sabotage, and extortion. Since preventive measures do not suffice to repel attacks, timely detection of successful intruders is crucial to stop them from reaching their final goals. For this purpose, many organizations utilize Security Information and Event Management (SIEM) systems to centrally collect security-related events and scan them for attack indicators using expert-written detection rules. However, as we show by analyzing a set of widespread SIEM detection rules, adversaries can evade almost half of them easily, allowing them to perform common malicious actions within an enterprise network without being detected. To remedy these critical detection blind spots, we propose the idea of adaptive misuse detection, which utilizes machine learning to compare incoming events to SIEM rules on the one hand and known-benign events on the other hand to discover successful evasions. Based on this idea, we present AMIDES, an open-source proof-of-concept adaptive misuse detection system. Using four weeks of SIEM events from a large enterprise network and more than 500 hand-crafted evasions, we show that AMIDES successfully detects a majority of these evasions without any false alerts. In addition, AMIDES eases alert analysis by assessing which rules were evaded. Its computational efficiency qualifies AMIDES for real-world operation and hence enables organizations to significantly reduce detection blind spots with moderate effort.