When it comes to malware attacks, one of the more common techniques is “living off the land.” Attackers use standard programs and processes already present on the system to carry out these attacks, blending into the existing environment to avoid detection. ProblemChild aims to help detect such attacks by identifying rare parent-child process chains and suppressing commonly occurring ones, since rarely spawned processes in an environment (and even more so those rarely spawned by a specific parent process) could indicate malicious activity. The ProblemChild framework identifies these anomalous chains by leveraging multiple machine learning capabilities in the Elastic Stack to produce an anomaly score for each process event chain. We derive the anomaly score by optimizing two components: maliciousness and prevalence. We first use the Stack's Data Frame Analytics module to train a supervised model on process event data that classifies events as malicious or benign. Processes marked malicious by the supervised model are then passed to the Stack's Anomaly Detection module to determine the “rarest malicious processes” in the environment. Flagging rare malicious processes helps security and malware analysts prioritize events for analysis.
Please view the slide deck here: https://ela.st/problemchild-slidedeck
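To make the two-component scoring concrete, here is an added Python illustration of the idea described in the abstract. It is example code written for this page, not ProblemChild's own implementation: the event sample, process names and counts are constructed, the `malicious_prob` field stands in for the supervised classifier's output (no model is trained), and the rarity measure (normalized information content of the parent-child pair's frequency) is an assumption rather than the exact statistic the talk's anomaly-detection job uses.

```python
"""Added example (not ProblemChild's own code): score process-creation
events by combining a maliciousness estimate with the prevalence of the
parent -> child pair, the two components described in the abstract.

Assumptions, all constructed for this illustration:
  * SAMPLE_EVENTS stands in for endpoint process telemetry; the process
    names and counts are made up, not real data.
  * `malicious_prob` stands in for the supervised classifier's output
    (Data Frame Analytics in the talk); no model is trained here.
  * Rarity is the normalized information content of the pair's frequency;
    the talk's anomaly-detection job may weight prevalence differently.
"""
from collections import Counter
import math


def _repeat(parent, child, prob, n):
    """Build n identical constructed process-creation events."""
    return [{"parent": parent, "child": child, "malicious_prob": prob}
            for _ in range(n)]


# Constructed telemetry sample: 20 process-creation events. Counts are chosen
# so that some classifier-flagged chains are common (and get suppressed by
# prevalence) while one is rare and should rise to the top of the queue.
SAMPLE_EVENTS = (
    _repeat("services.exe", "svchost.exe", 0.01, 6)
    + _repeat("explorer.exe", "chrome.exe", 0.02, 5)
    + _repeat("explorer.exe", "outlook.exe", 0.03, 3)
    + _repeat("svchost.exe", "rundll32.exe", 0.60, 3)
    + _repeat("cmd.exe", "ipconfig.exe", 0.55, 2)
    + _repeat("winword.exe", "powershell.exe", 0.91, 1)
)


def chain_counts(events):
    """Count how often each (parent, child) chain occurs in the sample."""
    return Counter((e["parent"], e["child"]) for e in events)


def rarity_scores(events):
    """Map each (parent, child) chain to a rarity in [0, 1].

    rarity = -log(count / N) / log(N) = 1 - log(count) / log(N)
    A chain seen once scores 1.0; a chain making up every event scores 0.0.
    """
    counts = chain_counts(events)
    n = sum(counts.values())
    if n < 2:  # degenerate sample: nothing to compare against
        return {chain: 1.0 for chain in counts}
    return {chain: 1.0 - math.log(c) / math.log(n) for chain, c in counts.items()}


def rank_rare_malicious(events, threshold=0.5):
    """Return chains the classifier flags as malicious, ranked for triage.

    1. Keep only events with malicious_prob >= threshold (supervised stage).
    2. Aggregate per chain, keeping the highest probability seen for it.
    3. anomaly = malicious_prob * rarity, so common flagged chains sink and
       rare flagged chains rise to the top of the analyst queue.
    Returns a list of dicts sorted by descending anomaly score.
    """
    rarity = rarity_scores(events)
    flagged = {}
    for e in events:
        if e["malicious_prob"] < threshold:
            continue
        chain = (e["parent"], e["child"])
        flagged[chain] = max(flagged.get(chain, 0.0), e["malicious_prob"])
    ranked = [
        {
            "parent": parent,
            "child": child,
            "malicious_prob": prob,
            "rarity": round(rarity[(parent, child)], 4),
            "anomaly": round(prob * rarity[(parent, child)], 4),
        }
        for (parent, child), prob in flagged.items()
    ]
    ranked.sort(key=lambda r: r["anomaly"], reverse=True)
    return ranked


if __name__ == "__main__":
    for row in rank_rare_malicious(SAMPLE_EVENTS):
        print(f'{row["anomaly"]:.3f}  {row["parent"]} -> {row["child"]}'
              f'  (p={row["malicious_prob"]}, rarity={row["rarity"]})')
```

On the constructed sample, the `svchost.exe -> rundll32.exe` and `cmd.exe -> ipconfig.exe` chains are both flagged by the stand-in classifier but occur several times, so prevalence pulls their anomaly score down; the single `winword.exe -> powershell.exe` event keeps its full maliciousness score and lands first in the triage list, which is the suppression behaviour the abstract describes.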
Data Scientist II
Security Data Scientist
Area Lead, Detection Science
Apoorva is currently a Senior Data Scientist on the Security Protections team at Elastic where she works on incorporating machine learning and statistical models into Elastic's SIEM product. Prior to Elastic, she was a Research Scientist at FireEye. Apart from her job as a researcher, Apoorva is actively involved with organizations that champion the cause of bringing and retaining a diverse workforce in tech.