Bobby Filar
Endgame
and
David French
Threat Punter
ProblemChild: Discovering Anomalous Patterns based on Parent-Child Process Relationships (slides, video)
It is becoming more common that malware attacks are not just a standalone executable or script. These attacks often have conspicuous process heritage that is ignored by machine learning models that rely solely on static features (e.g. PE header metadata) to make a decision. Advanced attacker techniques, like “living off the land,” that appear normal in isolation become more suspicious when observed in a parent-child context. The context derived from parent-child process chains can help identify and group malware families, as well as discover novel attacker techniques. These techniques can be chained to perform persistence, defense bypasses and execution actions. In response, security vendors commonly write heuristics, commonly referred to as analytics to identify these events.
We present ProblemChild, a graph-based framework designed to discover malicious software based on process relationships. ProblemChild applies machine learning to derive a weighted graph used to identify communities of seemingly disparate events into larger attack sequences. Additionally, ProblemChild uses the conditional probability P( child | parent ) to automatically uncover rare or common process-level events that can be used to elevate or suppress anomalous communities. We will show how ProblemChild performed against a replay of the 2018 Mitre ATT&CK evaluation (APT3) and highlight detections (and FPs) that were observed during the evaluation.