Detecting attackers using anomalous patterns in machine learning
As antivirus and machine learning-based malware detection have become more effective against file-based attacks, adversaries have shifted to "living off the land" techniques to bypass modern security software. These techniques execute system tools that ship with the operating system or are commonly installed by administrators: utilities for automating IT administrative work, running scripts on a schedule, executing code on remote systems, and much more. Because these binaries are legitimate and in constant use in most environments, attackers can blend into the noise of routine execution and slip past most first-line defenses. Detecting such activity post-compromise means sifting through millions of process events with no obvious starting point. In response, security researchers have begun writing detectors that target suspicious parent-child process chains, for example a document handler such as an office application spawning a script interpreter.
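As an added illustration (not code from the original article or its authors), the following Python sketch shows the kind of parent-child process chain detector the paragraph refers to, run over a handful of constructed process-creation events modelled loosely on the fields of a Sysmon process-creation event. It pairs two fixed rules (an Office application spawning a living-off-the-land binary, and an encoded PowerShell command line) with a simple rarity score over parent-child pairs. The binary lists, rule names, threshold and sample events are all assumptions made for this example, and the rarity score is computed over the same small batch; a real deployment would baseline it over a much longer window of telemetry.

```python
"""Flag suspicious parent-child process chains in process-creation events.

Added example, not code from the original article. Event fields (host, parent,
image, cmdline) are modelled loosely on Sysmon Event ID 1; all lists, names and
thresholds below are assumptions chosen for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Well-known binaries that ship with Windows and are routinely abused
# ("living off the land" binaries). Deliberately not exhaustive.
LOLBINS = {
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "wmic.exe", "msiexec.exe",
}
# Document handlers that have no legitimate reason to launch a script interpreter.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
# A parent/child pair seen this many times or fewer in the data set counts as rare
# (assumed threshold; in production, baseline over a long window, not one batch).
RARE_MAX = 1


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of both path separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def has_encoded_command(cmdline: str) -> bool:
    """True if the command line passes PowerShell an -EncodedCommand switch.

    PowerShell accepts unambiguous prefixes of its switch names, so -e, -ec,
    -enc and the full -EncodedCommand are all treated as the same switch here.
    """
    for tok in cmdline.split():
        t = tok.lower()
        if len(t) >= 2 and t.startswith("-") and "-encodedcommand".startswith(t):
            return True
    return False


@dataclass
class Finding:
    host: str
    parent: str
    image: str
    pair_count: int
    reasons: list = field(default_factory=list)


def detect(events):
    """Return one Finding per event that trips at least one rule, in event order."""
    # Frequency of each (parent, child) pair across the batch: the "rarity" signal.
    pairs = Counter((basename(e["parent"]), basename(e["image"])) for e in events)
    findings = []
    for e in events:
        parent, child = basename(e["parent"]), basename(e["image"])
        count = pairs[(parent, child)]
        reasons = []
        if parent in OFFICE_APPS and child in LOLBINS:
            reasons.append("office-app-spawns-lolbin")
        if child in LOLBINS and count <= RARE_MAX:
            reasons.append("rare-parent-for-lolbin")
        if child == "powershell.exe" and has_encoded_command(e["cmdline"]):
            reasons.append("encoded-powershell-command")
        if reasons:
            findings.append(Finding(e["host"], parent, child, count, reasons))
    return findings


# Constructed sample events (not real telemetry). Most are routine noise; the
# WINWORD.EXE -> powershell.exe and WmiPrvSE.exe -> cmd.exe chains are the targets.
# The base64 payload below is a placeholder ("ABC" in UTF-16LE), not a real command.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"host": "ws01", "parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k LocalService"},
    {"host": "ws02", "parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "cmdline": "WINWORD.EXE /n"},
    {"host": "ws02", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "cmdline": "WINWORD.EXE /n"},
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmdline": "chrome.exe"},
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"host": "ws02", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"host": "ws02", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"host": "ws02", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"host": "ws01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "ws01", "parent": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\taskhostw.exe", "cmdline": "taskhostw.exe"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host}: {f.parent} -> {f.image} (seen {f.pair_count}x) {f.reasons}")
```

The two scheduled `explorer.exe -> powershell.exe` launches produce no finding: the pair is not rare and the command line is a plain script path, which is the point of combining a frequency signal with explicit rules rather than alerting on every LOLBin execution. The `WmiPrvSE.exe -> cmd.exe` chain is caught only by the rarity rule, which is how a detector can surface remote execution paths it has no hand-written rule for.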
Feb-27-2020, 12:23:15 GMT