Securing endpoints is challenging due to the evolving nature of threats and attacks. With endpoint logging systems becoming mature, provenance-graph representations enable the creation of sophisticated behavior rules. However, adapting to the pace of emerging attacks is not scalable with rules. This led to the development of ML models capable of learning from endpoint logs. However, there are still open challenges: i) malicious patterns of malware are spread across long sequences of events, and ii) ML classification results are not interpretable. To address these issues, we develop and present EagleEye, a novel system that i) uses rich features from provenance graphs for behavior event representation, including command-line embeddings, ii) extracts long sequences of events and learns event embeddings, and iii) trains a lightweight Transformer model to classify behavior sequences as malicious or not. We evaluate and compare EagleEye against state-of-the-art baselines on two datasets, namely a new real-world dataset from a corporate environment, and the public DARPA dataset. On the DARPA dataset, at a false-positive rate of 1%, EagleEye detects $\approx$89% of all malicious behavior, outperforming two state-of-the-art solutions by an absolute margin of 38.5%. Furthermore, we show that the Transformer's attention mechanism can be leveraged to highlight the most suspicious events in a long sequence, thereby providing interpretation of malware alerts.
翻译:由于威胁和攻击的不断演变,端点安全防护面临严峻挑战。随着端点日志系统的日趋成熟,溯源图表示使得创建复杂行为规则成为可能。然而,依靠规则适应新兴攻击的速度难以扩展,这推动了能够从端点日志中学习的机器学习模型的发展。但当前仍存在以下挑战:i) 恶意软件的攻击模式分散在长事件序列中;ii) 机器学习分类结果缺乏可解释性。为解决这些问题,我们设计并提出了鹰眼系统,这一新颖系统具备以下特性:i) 利用溯源图中的丰富特征(包括命令行嵌入)进行行为事件表示;ii) 提取长事件序列并学习事件嵌入表示;iii) 训练轻量级Transformer模型以判别行为序列是否恶意。我们在两个数据集上对鹰眼系统进行了评估与对比:一个来自企业环境的真实世界新数据集,以及公开的DARPA数据集。在DARPA数据集上,当误报率为1%时,鹰眼系统能检测约89%的恶意行为,以38.5%的绝对优势超越两种前沿解决方案。此外,我们证明Transformer的注意力机制可用于高亮长序列中最可疑的事件,从而为恶意软件告警提供可解释性依据。