ProblemChild: Discovering Anomalous Patterns based on Parent-Child Process Relationships
Bobby Filar, David French

TL;DR
ProblemChild is a graph-based framework that leverages parent-child process relationships and machine learning to detect complex, multi-stage attacks, reducing false positives and aiding analysts in identifying sophisticated adversary techniques.
Contribution
It introduces a novel supervised learning approach combined with community detection on process graphs to identify anomalous attack sequences based on parent-child relationships.
Findings
Successfully identified anomalous process chains in APT3 attack emulation.
Reduced false positives compared to traditional heuristic methods.
Enhanced detection of multi-stage, sophisticated attack techniques.
Abstract
It is becoming more common that adversary attacks consist of more than a standalone executable or script. Often, evidence of an attack includes conspicuous process heritage that may be ignored by traditional static machine learning models. Advanced attacker techniques, like "living off the land", that appear normal in isolation become more suspicious when observed in a parent-child context. The context derived from parent-child process chains can help identify and group malware families, as well as discover novel attacker techniques. Adversaries chain these techniques to achieve persistence, bypass defenses, and execute actions. Traditional heuristic-based detections often generate noise or disparate events that belong to what constitutes a single attack. ProblemChild is a graph-based framework designed to address these issues. ProblemChild applies a supervised learning classifier to…
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Digital and Cyber Forensics
