SEQUIN: a grammar inference framework for analyzing malicious system behavior
Targeted attacks on IT systems are a rising threat to the confidentiality of sensitive data and the availability of critical systems. The emergence of Advanced Persistent Threats (APTs) made it paramount to fully understand the particulars of such attacks in order to improve or devise effective defense mechanisms. Grammar inference paired with visual analytics (VA) techniques offers a powerful foundation for the automated extraction of behavioral patterns from sequential event traces. To facilitate the interpretation and analysis of APTs, we present SEQUIN, a grammar inference system based on the Sequitur compression algorithm that constructs a context-free grammar (CFG) from string-based input data. In addition to recursive rule extraction, we expanded the procedure through automated assessment routines capable of dealing with multiple input sources and types. This automated assessment enables the accurate identification of interesting frequent or anomalous patterns in sequential corpora of arbitrary quantity and origin. On the formal side, we extended the CFG with attributes that help describe the extracted (malicious) actions. Discovery-focused pattern visualization of the output is provided by our dedicated KAMAS VA prototype.
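As an added illustration (not the paper's or SEQUIN's own code), the following Python applies the two Sequitur constraints the abstract builds on, digram uniqueness and rule utility, in a batch, list-based form to a constructed system-call trace; the real algorithm works online and may produce a different but equivalent grammar, and the trace, rule numbering and helper names are assumptions.

```python
# Added example, not SEQUIN's own code: a batch, list-based form of Sequitur's two
# constraints (digram uniqueness, rule utility). Terminals are str, nonterminals int.
def find_repeated_digram(rules):
    """First digram occurring at least twice (non-overlapping) in any rule body."""
    occ = {}
    for rid, body in rules.items():
        for i in range(len(body) - 1):
            occ.setdefault((body[i], body[i + 1]), []).append((rid, i))
    for digram, places in occ.items():
        count, last = 0, None
        for rid, i in places:
            if last == (rid, i - 1):
                continue  # overlapping occurrence such as "x x x"; not counted
            count, last = count + 1, (rid, i)
        if count >= 2:
            return digram
    return None

def replace_digram(body, digram, sym):
    """Rewrite every non-overlapping occurrence of digram in body as sym."""
    out, i = [], 0
    while i < len(body):
        hit = i + 1 < len(body) and (body[i], body[i + 1]) == digram
        out.append(sym if hit else body[i])
        i += 2 if hit else 1
    return out

def infer_grammar(trace):
    rules, next_id = {0: list(trace)}, 1  # rule 0 is the start rule
    while (digram := find_repeated_digram(rules)) is not None:
        # digram uniqueness: a repeated digram becomes (or reuses) a rule
        rid = next((r for r, b in rules.items() if r != 0 and b == list(digram)), next_id)
        if rid == next_id:
            rules[rid], next_id = list(digram), next_id + 1
        for r in rules:
            if r != rid:
                rules[r] = replace_digram(rules[r], digram, rid)
        # rule utility: a rule referenced only once is inlined and dropped
        for r in [r for r in rules if r != 0]:
            if sum(b.count(r) for k, b in rules.items() if k != r) == 1:
                k = next(k for k, b in rules.items() if r in b)
                j = rules[k].index(r)
                rules[k] = rules[k][:j] + rules.pop(r) + rules[k][j + 1:]
    return rules

def expand(rules, rid=0):
    """Flatten a rule back to terminals; expand(grammar) reproduces the trace."""
    return [t for s in rules[rid] for t in (expand(rules, s) if isinstance(s, int) else [s])]
TRACE = ["open", "read", "write", "close"] * 2 + ["connect", "send", "recv"] * 2  # constructed
GRAMMAR = infer_grammar(TRACE)  # {0: [3, 3, 5, 5], 3: [open read write close], 5: [connect send recv]}
```

Each non-start rule is a repeated behavioral pattern of the trace, and expanding rule 0 reproduces the input losslessly, which is the property SEQUIN's assessment routines build on when ranking frequent or anomalous patterns.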
Open access article
Citation: Luh, R., Schramm, G., Wagner, M., Janicke, H. and Schrittwieser, R. (2018) Sequin: a grammar inference framework for analyzing malicious system behavior. Journal of Computer Virology and Hacking Techniques, pp. 1-21.
ISSN: 2263-8733
Research Group: Cyber Technology Institute (CTI)
Research Institute: Cyber Technology Institute (CTI)
Peer Reviewed: Yes