ProblemChild in the Stack

United States and Canada Virtual

Mar 18, 2021, 7:00 – 8:00 PM


Learn how to apply machine learning to security data in the Elastic Stack with ProblemChild, a framework which flags rare malicious processes to help security/malware analysts prioritize events for analysis.

About this event

When it comes to malware attacks, one of the more common techniques is “living off the land.” Attackers use standard programs and processes to carry out these attacks, blending into the existing environment to avoid detection. ProblemChild aims to help detect these attacks by identifying rare parent-child process chains and suppressing commonly occurring ones, since rarely spawned processes in an environment (and more so from a specific parent process) could indicate malicious activity.

The ProblemChild framework identifies these anomalous chains by leveraging multiple machine learning capabilities in the Elastic Stack to produce an anomaly score for each process event chain. We derive the anomaly score by optimizing two components: maliciousness and prevalence. We first use the Stack’s Data Frame Analytics module to train a supervised model on process event data to classify events as malicious or benign. Processes marked malicious by the supervised model are then polled using the Stack’s Anomaly Detection module to determine the “rarest malicious processes” in the environment. Flagging rare malicious processes helps security/malware analysts prioritize events for analysis.
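The two-stage scoring described above, as an added example that is not Elastic's or the speakers' code: a fixed `p_malicious` field stands in for the supervised classifier's output, and a surprisal weight (negative log of a chain's share among flagged events) stands in for the Anomaly Detection module. The events, field names, threshold and scoring formula are all assumptions made for illustration.

```python
import math
from collections import Counter

# Constructed sample process events. "p_malicious" is a stand-in for the
# supervised model's output; every value here is invented for illustration.
EVENTS = (
    [{"parent": "explorer.exe", "child": "chrome.exe", "p_malicious": 0.02}] * 40
    + [{"parent": "services.exe", "child": "svchost.exe", "p_malicious": 0.05}] * 30
    + [{"parent": "explorer.exe", "child": "cmd.exe", "p_malicious": 0.30}] * 17
    + [{"parent": "cmd.exe", "child": "powershell.exe", "p_malicious": 0.80}] * 12
    + [{"parent": "wmiprvse.exe", "child": "cmd.exe", "p_malicious": 0.70}] * 3
    + [{"parent": "winword.exe", "child": "powershell.exe", "p_malicious": 0.93}]
)


def rank_rare_malicious(events, threshold=0.5):
    """Rank parent-child chains by maliciousness weighted by rarity.

    Stage 1 (maliciousness): keep events scored at or above `threshold`.
    Stage 2 (prevalence): among the kept events only, weight each chain by
    -log(share of flagged events with that chain), so common chains are
    suppressed and rare ones rise to the top.
    Returns [(parent, child, score)] sorted by descending score.
    """
    flagged = [e for e in events if e["p_malicious"] >= threshold]
    if not flagged:
        return []
    counts = Counter((e["parent"], e["child"]) for e in flagged)
    best = {}
    for e in flagged:
        chain = (e["parent"], e["child"])
        prevalence = counts[chain] / len(flagged)
        score = e["p_malicious"] * -math.log(prevalence)
        best[chain] = max(best.get(chain, 0.0), score)
    ranked = [(p, c, round(s, 3)) for (p, c), s in best.items()]
    return sorted(ranked, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for parent, child, score in rank_rare_malicious(EVENTS):
        print(f"{score:6.3f}  {parent} -> {child}")
```

A chain that is the only flagged chain in the data scores 0 under this formula, because rarity is measured relative to other flagged events, not to the full event stream.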

Please view the slide deck here:



Thursday, March 18, 2021
7:00 PM – 8:00 PM UTC


  • Apoorva Joshi
    Senior Security Data Scientist - Security Protections Team

  • Disha Dasgupta
    Security Data Scientist

  • Craig Chamberlain
    Area Lead, Detection Science

  • Olivia Petrie

