Cyberattacks have grown into a major risk for organizations, with common consequences being data theft, sabotage, and extortion. Since preventive measures do not suffice to repel attacks, timely detection of successful intruders is crucial to stop them from reaching their final goals. For this purpose, many organizations utilize Security Information and Event Management (SIEM) systems to centrally collect security-related events and scan them for attack indicators using expert-written detection rules. However, as we show by analyzing a set of widespread SIEM detection rules, adversaries can evade almost half of them easily, allowing them to perform common malicious actions within an enterprise network without being detected. To remedy these critical detection blind spots, we propose the idea of adaptive misuse detection, which utilizes machine learning to compare incoming events to SIEM rules on the one hand and known-benign events on the other hand to discover successful evasions. Based on this idea, we present AMIDES, an open-source proof-of-concept adaptive misuse detection system. Using four weeks of SIEM events from a large enterprise network and more than 500 hand-crafted evasions, we show that AMIDES successfully detects a majority of these evasions without any false alerts. In addition, AMIDES eases alert analysis by assessing which rules were evaded. Its computational efficiency qualifies AMIDES for real-world operation and hence enables organizations to significantly reduce detection blind spots with moderate effort.
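The comparison the abstract describes, as an added illustration written for this page and not code from AMIDES: events that trigger a SIEM rule form one training side, known-benign events the other, and only events that match no rule are scored against the resulting per-rule model, so that the best-scoring model also names the rule that was probably evaded. The two rules, all events, the tokenizer and the smoothed log-likelihood-ratio scoring are constructed assumptions; AMIDES's real feature extraction, classifier and rule-attribution method are not taken from the page.

```python
"""Adaptive misuse detection in miniature (constructed example, not AMIDES code).

Two sides are compared: command lines that trigger a rule, and known-benign
command lines. A per-rule scorer learns which tokens separate them, and events
that no rule matches are checked against every scorer. The alert threshold is
calibrated so that no benign training event would alert.
"""
import math
import re
from collections import Counter

# Constructed rules: every term must occur (case-insensitively) in the command line.
RULES = {
    "susp_whoami": ["whoami.exe"],
    "enc_powershell": ["powershell.exe", "-encodedcommand"],
}

# Constructed events that trigger each rule (the "rule" side of the comparison).
RULE_EVENTS = {
    "susp_whoami": [
        r"C:\Windows\System32\whoami.exe",
        r"whoami.exe /all",
        r"cmd.exe /c whoami.exe /priv",
    ],
    "enc_powershell": [
        r"powershell.exe -EncodedCommand SQBFAFgA",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -EncodedCommand ZQBjAGgAbwA=",
        r"powershell.exe -EncodedCommand dwBoAG8AYQBtAGkA -NonInteractive",
    ],
}

# Constructed known-benign events (the other side of the comparison).
BENIGN_EVENTS = [
    r"C:\Windows\System32\svchost.exe -k netsvcs -p",
    r"C:\Program Files\Google\Chrome\Application\chrome.exe --type=renderer",
    r"powershell.exe -File C:\Scripts\backup.ps1",
    r"C:\Windows\System32\cmd.exe /c dir C:\Users",
    r"msiexec.exe /i C:\Temp\setup.msi /qn",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Command Get-Process",
]


def matching_rules(cmdline):
    """Classic misuse detection: which rules match this event verbatim?"""
    lowered = cmdline.lower()
    return [name for name, terms in RULES.items() if all(t in lowered for t in terms)]


def tokenize(cmdline):
    """Split on whitespace, path separators and punctuation; drop switch prefixes.
    'whoami.exe /all' and 'whoami /all' therefore share the token 'whoami'."""
    parts = re.split(r"[\s\\/:=.\"',;]+", cmdline.lower())
    return {p.lstrip("-/") for p in parts} - {""}


class RuleModel:
    """Per-rule token log-likelihood-ratio scorer with Laplace smoothing."""

    def __init__(self, pos_events, neg_events):
        self.pos = Counter(t for e in pos_events for t in tokenize(e))
        self.neg = Counter(t for e in neg_events for t in tokenize(e))
        self.n_pos, self.n_neg = len(pos_events), len(neg_events)
        # Zero-false-alert calibration: an event must beat every benign
        # training event (use a held-out benign set in practice).
        self.threshold = max(self.score(e) for e in neg_events)

    def weight(self, tok):
        p, n = self.pos.get(tok, 0), self.neg.get(tok, 0)
        if p == 0 and n == 0:
            return 0.0  # token unseen on either side: no evidence
        return math.log((p + 1) / (self.n_pos + 2)) - math.log((n + 1) / (self.n_neg + 2))

    def score(self, cmdline):
        return sum(self.weight(t) for t in tokenize(cmdline))


MODELS = {name: RuleModel(events, BENIGN_EVENTS) for name, events in RULE_EVENTS.items()}


def evasion_margins(cmdline):
    """Score minus calibrated threshold, per rule; positive means 'alert'."""
    return {name: m.score(cmdline) - m.threshold for name, m in MODELS.items()}


def detect(cmdline):
    """('rule', [names]) for a verbatim hit, ('evasion', rule) for a suspected
    evasion attributed to the best-scoring rule model, or None."""
    hits = matching_rules(cmdline)
    if hits:
        return ("rule", hits)
    margins = evasion_margins(cmdline)
    best = max(margins, key=margins.get)
    return ("evasion", best) if margins[best] > 0 else None


if __name__ == "__main__":
    for event in [
        r"whoami.exe /all",                                    # rule hit
        r"whoami /all",                                        # evades susp_whoami
        r"powershell -EncodedCommand ZwBlAHQALQBwAHIAbwBjAGUAcwBzAA==",  # evades enc_powershell
        r"C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt",     # benign
    ]:
        print(f"{event!r:70} -> {detect(event)}")
```

The two evasions are the kind the abstract has in mind: the rule keys on the literal `whoami.exe` or `powershell.exe`, so dropping the extension defeats the string match while the event still looks exactly like the rule's training side. Calibrating the threshold on benign data rather than at zero is what keeps the scorer from alerting on benign PowerShell launches that share tokens such as `windowspowershell` with the encoded-command samples.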