Yogesh Chandrakant Jadhav
Vaibhav Kisan Kadam
Shubham Ramesh Kanase
- Student, Department of Computer Science and Engineering, Pillai HOC College of Engineering and Technology, Rasayani, Maharashtra, India
- Assistant Professor, Department of Computer Science and Engineering, Pillai HOC College of Engineering and Technology, Rasayani, Maharashtra, India
We have built an EDR tool for Linux systems using osquery, Facebook's open-source instrumentation project. Building our own EDR tool rather than using a commercial one lets us understand the platform and its security properties, and gives us the capability to detect and investigate security events. In our method, logs are collected on a central server and used to correlate events occurring on different Linux endpoints. These are the events that take place in a Linux system, such as file events, socket events and process events. They are detected automatically and categorized into different attack vectors for later remediation. Because monitoring is continuous, events arrive after a fixed interval, which makes the detection real-time. Users can supply configuration on the fly, which makes the tool more responsive and accurate and avoids collecting unneeded data. We also provide container security, a feature that is new among open-source tools. The system is designed so that it can be scaled by adding nodes to a single deployment.
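The central correlation step the abstract describes can be illustrated with a small script. This is an added example, not code from the paper or from the osquery or Fleet projects. It assumes osqueryd's filesystem logger format (one JSON object per line with `name`, `hostIdentifier`, `unixTime`, `action` and `columns`), a pack named `edr` whose queries are named after the `process_events`, `socket_events` and `file_events` tables, and constructed sample lines from two endpoints; the correlation window, the interpreter list, the persistence paths and the internal address ranges are all assumptions chosen for the example.

```python
"""Correlate osquery result logs shipped from several Linux endpoints.

Added example, not code from the paper or the osquery/Fleet projects.
Rows from process_events, socket_events and file_events are joined per
(host, pid) and categorised; the sample lines below are constructed.
"""
import ipaddress
import json

# Constructed osqueryd.results.log lines. Query names follow osquery's
# "pack_<pack>_<query>" convention; the pack name "edr" is an assumption.
SAMPLE_LOG = r"""
{"name":"pack_edr_process_events","hostIdentifier":"web01","unixTime":1651000010,"action":"added","columns":{"pid":"4242","parent":"1","path":"/usr/bin/python3","cmdline":"python3 /tmp/update.py","uid":"33","time":"1651000000"}}
{"name":"pack_edr_socket_events","hostIdentifier":"web01","unixTime":1651000010,"action":"added","columns":{"pid":"4242","action":"connect","path":"/usr/bin/python3","family":"2","remote_address":"203.0.113.7","remote_port":"4444","success":"1","time":"1651000003"}}
{"name":"pack_edr_file_events","hostIdentifier":"db01","unixTime":1651000110,"action":"added","columns":{"target_path":"/etc/cron.d/backup","category":"etc","action":"UPDATED","uid":"0","time":"1651000100"}}
{"name":"pack_edr_process_events","hostIdentifier":"db01","unixTime":1651000210,"action":"added","columns":{"pid":"913","parent":"1","path":"/usr/bin/python3","cmdline":"python3 /opt/backup/sync.py","uid":"0","time":"1651000200"}}
{"name":"pack_edr_socket_events","hostIdentifier":"db01","unixTime":1651000210,"action":"added","columns":{"pid":"913","action":"connect","path":"/usr/bin/python3","family":"2","remote_address":"10.0.0.5","remote_port":"443","success":"1","time":"1651000201"}}
"""

# Seconds between a process start and a connection for the two to be
# joined; the value is an assumption for this example.
WINDOW = 60
# Interpreters whose connections outside the internal ranges are reported
# (assumed list).
INTERPRETERS = {"/usr/bin/python3", "/usr/bin/perl", "/bin/bash", "/bin/sh"}
# Paths whose modification is reported as a persistence change (assumed list).
PERSISTENCE_PATHS = ("/etc/cron.d/", "/etc/systemd/system/", "/etc/ld.so.preload")
# Address ranges treated as internal to the deployment (assumed).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(address):
    """True when the remote address falls inside INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # malformed address: treat as external
    return any(ip in net for net in INTERNAL_NETS)


def parse_results(text):
    """Yield (table, host, event_time, columns) for every 'added' result row."""
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("action") != "added":
            continue  # differential 'removed' rows describe state that went away
        name = rec["name"]
        table = name.split("_", 2)[2] if name.startswith("pack_") else name
        cols = rec["columns"]
        # The "time" column is the kernel-side event time, not the log time.
        yield table, rec["hostIdentifier"], int(cols["time"]), cols


def correlate(text):
    """Join process, socket and file rows per endpoint and return findings."""
    events = sorted(parse_results(text), key=lambda e: e[2])
    latest_start = {}  # (host, pid) -> (start_time, process columns)
    findings = []
    for table, host, when, cols in events:
        if table == "process_events":
            # A later row for the same pid replaces the old one (pid reuse).
            latest_start[(host, cols["pid"])] = (when, cols)
        elif table == "socket_events":
            if cols.get("action") != "connect" or cols.get("success") != "1":
                continue
            start = latest_start.get((host, cols["pid"]))
            if start is None:
                continue  # no process row seen for this pid on this host
            started, proc = start
            if (proc["path"] in INTERPRETERS and when - started <= WINDOW
                    and not is_internal(cols["remote_address"])):
                findings.append({
                    "host": host, "pid": cols["pid"],
                    "category": "interpreter-external-connection",
                    "evidence": f'{proc["cmdline"]} -> '
                                f'{cols["remote_address"]}:{cols["remote_port"]}',
                })
        elif table == "file_events":
            path = cols["target_path"]
            if path.startswith(PERSISTENCE_PATHS) and cols["action"] in ("CREATED", "UPDATED"):
                findings.append({
                    "host": host, "pid": None,
                    "category": "persistence-path-modified",
                    "evidence": f'{cols["action"]} {path} by uid {cols["uid"]}',
                })
    return findings


def by_host(findings):
    """Group finding categories per endpoint for the central server's view."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["host"], []).append(f["category"])
    return grouped


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f"[{f['host']}] {f['category']}: {f['evidence']}")
```

Run against the constructed sample, the script reports the python3 process on `web01` that connected to a non-internal address shortly after starting, and the cron directory change on `db01`; the python3 connection on `db01` to an internal address is left alone, which is the kind of site-specific filtering the on-the-fly configuration in the abstract is meant to provide. In a real deployment the lines would come from the log shipper feeding the central server rather than from an embedded string.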
Keywords: Endpoint detection and response, OSquery, Fleet server, Linux, malware
[This article belongs to Journal of Advances in Shell Programming(joasp)]
| Stage | Date |
|---|---|
| Received | April 26, 2022 |
| Accepted | April 29, 2022 |
| Published | May 4, 2022 |