Threat Detection on Linux Systems Using OSquery

Open Access

Year: 2023
By

Yogesh Chandrakant Jadhav

Vaibhav Kisan Kadam

Shubham Ramesh Kanase

Srijita Bhattacharjee

  1. Student, Department of Computer Science and Engineering, Pillai HOC College of Engineering and Technology, Rasayani, Maharashtra, India
  2. Assistant Professor, Department of Computer Science and Engineering, Pillai HOC College of Engineering and Technology, Rasayani, Maharashtra, India

Abstract

We have built an EDR tool for Linux systems using Facebook's open-source project OSquery. Building our own EDR tool rather than using a commercial one helps us gain knowledge of the platform and its security aspects, and gives us the capability to detect and investigate security events. In our method, logs are collected on a central server and then used to correlate events occurring on different Linux endpoints. These are the events taking place in a Linux system, such as file events, socket events and process events. The events are automatically detected and categorised into different attack vectors for future remediation. Because monitoring is continuous, we receive these events after a specific interval, which makes detection real-time. Users can supply on-the-fly configuration, which makes the tool more responsive and accurate and avoids collecting garbage data that is not required. We also provide container security, which is a new feature among the open-source tools. We have designed the system so that it can be scaled, adding a scalable number of nodes to a single deployment.
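The correlation step described above, as an added example that is not the paper's own code: it parses osquery result-log lines (the differential JSON format osquery writes, with `name`, `hostIdentifier`, `unixTime`, `action` and `columns`), groups rows by host and pid, attaches the socket and file events that follow a process event within a short window, and tags each process with coarse vector labels. The log lines and the classification rules are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed osquery result-log lines (differential format); not data from the paper.
SAMPLE_LOG = r"""
{"name":"process_events","hostIdentifier":"web-01","unixTime":1000,"action":"added","columns":{"pid":"4242","path":"/tmp/update","cmdline":"/tmp/update -q"}}
{"name":"socket_events","hostIdentifier":"web-01","unixTime":1003,"action":"added","columns":{"pid":"4242","remote_address":"203.0.113.5","remote_port":"8443"}}
{"name":"process_events","hostIdentifier":"web-01","unixTime":1005,"action":"added","columns":{"pid":"4243","path":"/usr/bin/curl","cmdline":"curl https://example.org"}}
{"name":"file_events","hostIdentifier":"web-01","unixTime":1010,"action":"added","columns":{"pid":"4242","target_path":"/etc/cron.d/update"}}
{"name":"socket_events","hostIdentifier":"web-01","unixTime":1060,"action":"added","columns":{"pid":"4243","remote_address":"198.51.100.7","remote_port":"443"}}
{"name":"process_events","hostIdentifier":"db-01","unixTime":1000,"action":"added","columns":{"pid":"4242","path":"/usr/bin/ls","cmdline":"ls"}}
{"name":"process_events","hostIdentifier":"web-01","unixTime":1200,"action":"removed","columns":{"pid":"4242","path":"/tmp/update","cmdline":"/tmp/update -q"}}
"""

def parse_results(text):
    """Parse result-log lines, keeping only rows newly 'added' on an endpoint."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            if rec.get("action") == "added":
                rows.append(rec)
    return rows

def classify(proc, related):
    """Map a process and the events it produced inside the window to coarse vector
    labels. These rules are illustrative placeholders, not the paper's rule set."""
    vectors = set()
    if proc["columns"]["path"].startswith(("/tmp/", "/dev/shm/")):
        vectors.add("execution-from-temp")
    for ev in related:
        if ev["name"] == "socket_events":
            vectors.add("outbound-connection")
        elif ev["name"] == "file_events" and ev["columns"]["target_path"].startswith("/etc/"):
            vectors.add("config-modification")
    return vectors

def correlate(rows, window=30):
    """Key rows by (host, pid) so equal pids on different hosts never merge, then
    attach non-process events that follow each process event within `window` seconds."""
    by_key = defaultdict(list)
    for r in rows:
        by_key[(r["hostIdentifier"], r["columns"]["pid"])].append(r)
    findings = []
    for (host, pid), evs in by_key.items():
        evs.sort(key=lambda e: e["unixTime"])
        for proc in (e for e in evs if e["name"] == "process_events"):
            related = [e for e in evs if e["name"] != "process_events"
                       and 0 <= e["unixTime"] - proc["unixTime"] <= window]
            vectors = classify(proc, related)
            if vectors:  # only processes matching at least one rule become findings
                findings.append({"host": host, "pid": pid, "path": proc["columns"]["path"],
                                 "vectors": sorted(vectors), "related": len(related)})
    return findings

if __name__ == "__main__":
    for finding in correlate(parse_results(SAMPLE_LOG)):
        print(json.dumps(finding))
```

Only the `/tmp/update` process on web-01 produces a finding: the `curl` socket falls outside the 30-second window, and the pid 4242 on db-01 is kept apart by the host key.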

Keywords: Endpoint detection and response, OSquery, Fleet server, Linux, malware

How to cite this article: Yogesh Chandrakant Jadhav, Vaibhav Kisan Kadam, Shubham Ramesh Kanase, Srijita Bhattacharjee. Threat Detection on Linux Systems Using OSquery. Journal of Advances in Shell Programming. 2023. Available from: https://journals.stmjournals.com/joasp/article=2023/view=97397





Received April 26, 2022
Accepted April 29, 2022
Published January 30, 2023