Enhancing cyber attack prevention and detection using application process tracing
Abstract
Nowadays, software enterprises are being targeted by more advanced cyber-security
threat models. Consequently, more sophisticated means of protecting software organisations
are in high demand. At the same time, microservices have become one of the most
popular architectures for designing software applications. The aim of this thesis is to explore
how application process tracing can be applied to enhance cyber-attack prevention and
detection.
We propose two objectives for this research project. The first objective is to observe how
the prediction of future events in an application thread can help identify potential targets
and thus enable cyber-security personnel to take proactive defensive measures. This
approach is valid for general business application processes. The second objective is to
investigate how anomaly detection approaches can be applied to microservice application
process tracing and detect seeded cyber-attacks.
One approach for addressing the first objective is to employ a machine learning model
to learn general business application processes and functionality to provide a contextual
oversight of the process application’s infrastructure. This can be done by applying
process mining to observe the execution paths of application processes. An alternative
method is to employ a deep learning model to discover the contextual oversight of the
application process. We trained a Long Short-Term Memory (LSTM) model to learn
the sequential dependencies for existing processes and subsequently made predictions in
ongoing process instances with the aim of improving cyber situational awareness.
For addressing our second objective, we considered microservice application process
tracing. The functionality of a microservices application can be monitored and logged
using distributed tracing. Anomaly detection is defined as the discovery of irregular
instances or patterns within a data series. To detect cyber-attacks in a microservices
application, frequency distribution-based anomaly detection was performed to identify
irregular microservice application activity within a synthetic data set of traces. This
machine learning model was tested by simulating a brute force password guessing attack
against the application.
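As an added illustration of frequency distribution-based anomaly detection over distributed traces (example code written for this page, not the thesis's own implementation): constructed spans for a few time windows, a per-operation call-count baseline, and z-score thresholding that flags a seeded brute-force burst on the login operation. The span fields, the normal rates, the z-score test and the threshold of 3 standard deviations are assumptions.

```python
from collections import Counter, defaultdict
from math import sqrt

# Constructed spans (service, operation, window) standing in for the
# distributed traces of a microservices application; not the thesis's data.
NORMAL_RATES = {("auth", "login"): 6, ("catalog", "list"): 20,
                ("cart", "add"): 8, ("order", "create"): 3}

def make_window(window, overrides=None):
    """Spans for one time window at the normal rates, with deterministic
    -1/0/+1 jitter; `overrides` replaces the count of chosen operations."""
    counts = {**NORMAL_RATES, **(overrides or {})}
    spans = []
    for (service, op), n in counts.items():
        jitter = (window * 7 + len(op)) % 3 - 1
        spans += [(service, op, window)] * max(n + jitter, 0)
    return spans

def frequency_vectors(spans):
    """Per-window frequency distribution of (service, operation) calls."""
    vectors = defaultdict(Counter)
    for service, op, window in spans:
        vectors[window][(service, op)] += 1
    return vectors

def baseline_stats(vectors, windows):
    """Mean and std-dev of each operation's count over the baseline windows."""
    stats = {}
    for k in {k for w in windows for k in vectors[w]}:
        xs = [vectors[w][k] for w in windows]  # absent operation counts as 0
        mean = sum(xs) / len(xs)
        stats[k] = (mean, sqrt(sum((x - mean) ** 2 for x in xs) / len(xs)))
    return stats

def detect_anomalies(vector, stats, threshold=3.0, min_sigma=1.0):
    """Flag operations more than `threshold` std-devs from the baseline mean."""
    flagged = {}
    for k, (mean, sigma) in stats.items():
        z = (vector[k] - mean) / max(sigma, min_sigma)  # floor avoids /0 on flat baseline
        if abs(z) > threshold:
            flagged[k] = round(z, 1)
    return flagged

def run_demo():
    """Five baseline windows, then a sixth with a seeded brute-force burst on login."""
    baseline = [s for w in range(5) for s in make_window(w)]
    attack = make_window(5, {("auth", "login"): 150})
    vectors = frequency_vectors(baseline + attack)
    return detect_anomalies(vectors[5], baseline_stats(vectors, range(5)))
```

The other operations keep their normal counts in the attack window and stay within the threshold, so only the login burst is reported; a volumetric attack spread across many operations would instead raise several z-scores at once.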
To further address the second objective, the traffic of a microservices application can also
be modelled using graph theory and anomaly detection techniques can also be applied
to this model. In the last stage of our research, we trained a Diffusion Convolutional
Recurrent Neural Network (DCRNN) using synthetic data sets of distributed traces to
learn both the spatial and temporal dependencies of the data. Subsequently, we made
predictions of microservice activity using traffic forecasting and applied threshold-based anomaly detection to detect injected cyber-security attacks. The different cyber-attacks
emulated in the testing data to evaluate this model include a brute force attack, a batch
registration of bot accounts and a distributed denial of service attack.
Collections
- PhD Theses