#BHUSA @BlackHatEvents

Anomaly Detection Betrayed Us, so We Gave It a New Job: Enhancing Command Line Classification with Benign Anomalous Data
Ben Gelman, Sean Bergeron

Slide 2: Introduction

Slide 3: About Me - Ben
- Data Scientist at Sophos for 4 years
- 5 years in government-funded R&D
- 2 years of post-grad research at academic institutions

Slide 4: About Me - Sean
- Data Scientist at Sophos for 3 years
- Mechanical engineer
- Deep personality estimation post-grad research

Slide 5: What Are We Talking About?

Slide 6: How did this happen?

Slide 7: Command lines: Unsustainable Manual Effort

Slide 8: The Perfect, Fully-Automated, Self-Updating System for Command Line Prediction, Featuring LLMs

Slide 9: Not Really: Anomaly Detection Betrayed Us
- Malicious precision: 36%
- Benign precision: 100%

Slide 10: Motivation

Slide 11: Unsupervised: The State of Anomaly Detection
Pros:
- No labels required
- High scalability
- Low cost
Cons:
- High false positive rates, hence extreme alert fatigue
- Reliance on human expertise

Slide 12: The State of Anomaly Detection
- Feasible? FPR table (values garbled in this extract: "2,2,")

[Slides 13 to 44 are absent from this extract.]

Slide 45: Expert Features
- Proportion of upper-case characters
- Proportion of lower-case characters
- ASCII per-character counts
- Shannon entropy

Slide 46: Expert Features cont.
- Count of echo markers
- Count of replace markers
- Count of # markers
- Count of markers: -e, -ec, -enc, -encodedcommand, frombase64string(
- Count of markers: set, &, &for, for%, ;
- Count of markers: http, www., .com, html, tcp, udp
- Count of markers: lsass, samsrv, hklmsam, winlogon, netlogon, kerberos.dll, dump, .bin, ntds
- Test for deliberate encoding and encryption
- Check for multiple valid file paths
- Check for remote executable
- Check for exactly one hostname and local file path

Slide 47: Spark ML Features
- Normalized tokens:
  - WordPunct tokenize: \w+|[^\w\s]+
  - Replace numeric digits with *
- Normalized tokens - TF-IDF
- Normalized tokens - Compute most common 1024 to