Real Time Multistage Attack Detection Leveraging Machine Learning and MITRE Framework
Yuvraj Sanjayrao Takey, Sai Gopal Tatikayala, M. U. Patil, Lakshmi Eswari P. R, Satyanadha Sarma Samavedam
2022 11th International Conference on System Modeling & Advancement in Research Trends (SMART), published 2022-12-16
DOI: 10.1109/SMART55829.2022.10047248 (https://doi.org/10.1109/SMART55829.2022.10047248)
Citations: 0
Abstract
Organizations, regardless of their size, are rapidly transforming, adopting and embracing digitalization amid the COVID pandemic. The pandemic forced organizations to rationalize offline operations and shift towards online operations. Many organizations have digitized their services and have witnessed increasing multistage cyber-attacks. Further, many organizations have enabled remote access to enterprise resources and services. As a result, organizations are striving to defend against multistage cyber-attacks. These multistage attacks often spread across many stages, which are best described by the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) Framework. There are many research efforts on static detection of malicious binaries, but very little research targets run-time detection of malicious processes in the system. Detection of these malicious processes is key to identifying new variants of multistage attacks or malware in the real world. This paper proposes a system for detecting multistage attacks in real time (at run time) by leveraging machine learning and the MITRE ATT&CK Framework. Machine learning facilitates detecting malicious processes in the system, and the MITRE ATT&CK framework offers insight into adversary techniques. The combination of the two is very effective in detecting multistage attacks and identifying their individual stages. The proposed system shows promising results when tested on recent real-world malware. Test results show that our system can achieve 95.83% accuracy. This paper discusses the challenges in detection of runtime malware, dataset generation