procmonML: Generating Evasion Resilient Host-Based Behavioral Analytics from Tree Ensembles
Computers & Security (IF 4.8). Pub Date: 2020-11-01. DOI: 10.1016/j.cose.2020.102002
Joseph W. Mikhail, Jamie C. Williams, George R. Roelke

Abstract: Host-based analytics are useful for identifying nefarious activity and limiting the impact of an adversary's cyber attack on an endpoint. The majority of open-source host-based analytics are heuristic in nature and often rely on matching combinations of strings to produce an alert. Recent threat reports demonstrate that threat actors are able to easily evade these types of analytics via variances in attack techniques, implementation differences, or simple string/parameter modifications. This work introduces a novel machine learning-based approach (procmonML) to generate true behavioral host-based analytics that are more resilient to adversary evasion, thus imparting more workload on the adversary to successfully evade detection. This is accomplished by consolidating multiple system events into a single process event. Analytics are generated from a tree ensemble model using labeled host data from a lab environment and are validated on production enterprise endpoints. This approach can detect multiple variations of a single attack technique by capturing and generalizing system behaviors. The results demonstrate that the procmonML approach is able to effectively generate host-based analytics that are applicable to new environments and more resilient to adversary evasion.

Updated: 2020-11-01