US 12,292,969 B2
Provenance inference for advanced CMS-targeting attacks
Ranjita Pai Kasturi, Atlanta, GA (US); and Brendan D. Saltaformaggio, Atlanta, GA (US)
Assigned to Georgia Tech Research Corporation, Atlanta, GA (US)
Appl. No. 17/801,686
Filed by Georgia Tech Research Corporation, Atlanta, GA (US)
PCT Filed Mar. 4, 2021, PCT No. PCT/US2021/020894
§ 371(c)(1), (2) Date Aug. 23, 2022,
PCT Pub. No. WO2021/178678, PCT Pub. Date Sep. 10, 2021.
Claims priority of provisional application 62/985,067, filed on Mar. 4, 2020.
Prior Publication US 2023/0133791 A1, May 4, 2023
Int. Cl. G06F 21/55 (2013.01)
CPC G06F 21/554 (2013.01) [G06F 2221/033 (2013.01)] 16 Claims
OG exemplary drawing
 
1. A method for remediating a content management systems website that has been subjected to a targeting attack and for which a temporal sequence of a plurality of snapshots of website backups have been stored, comprising the steps of:
(a) detecting the targeting attack by:
(i) constructing a temporally ordered set of spatial elements from each of the plurality of snapshots;
(ii) computing spatial metrics for elements of each individual snapshot of the plurality of snapshots;
(iii) temporally correlating the computed spatial metrics and querying them against attack models to recover an attack timeline and labelling attack events in the attack timeline with assigned attack labels;
(iv) verifying a sequence of the assigned attack labels;
(v) extracting an attack compromise window from the plurality of snapshots, the attack compromise window indicating a period between a first temporal snapshot that includes suspicious activities and a last temporal snapshot that includes suspicious activities; and
(b) remediating the content management systems website by rolling back the content management systems website to one of the plurality of snapshots corresponding to a pre-compromise window snapshot, wherein the step of computing spatial metrics for each individual snapshot's elements comprises the steps of:
extracting a structural metric from each snapshot's elements; and
extracting a code metric from each snapshot's elements,
wherein the step of extracting the attack compromise window from the plurality of snapshots comprises designating a subset of the plurality of snapshots as the attack compromise window when the structural metric and the code metric have an attack label of high severity according to a predetermined attack modeling rule, and
wherein the step of extracting structural metrics comprises the steps of:
detecting hidden files and hidden directories in each snapshot and, when detected then adding a hidden file element to the structural metric for the snapshot;
detecting extension mismatches between file type and file extension in each snapshot and, when detected then adding an extension mismatch file element to the structural metric for the snapshot;
detecting file name high entropy in each snapshot and, when detected then adding a file name high entropy element to the structural metric for the snapshot;
and detecting permission changes between snapshots and, when detected then adding a permission name element to the structural metric for the snapshot,
wherein the step of detecting the file name high entropy comprises the steps of:
(a) computing a randomness score for each file name in the snapshot;
(b) calculating a median absolute deviation of all randomness scores for the snapshot;
(c) comparing the median absolute deviation to a relative threshold for the plurality of snapshots; and
(d) when the median absolute deviation is greater than the relative threshold for the plurality of snapshots, then designating the snapshot as having high name entropy.
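The structural-metric step of claim 1 (hidden files and directories, extension mismatches, file-name entropy judged by median absolute deviation, and permission changes between snapshots), as an added Python example that is not the patent's or its inventors' code. Assumed here and not specified in the claim: a snapshot is a dict of path to (permission bits, leading content bytes), the randomness score is the Shannon entropy of a file name's stem, and the relative threshold is a fixed constant.

```python
import math
import os
from statistics import median
SNAP_T0 = {  # constructed sample snapshot: path -> (mode, leading bytes)
    "index.php": (0o644, b"<?php"),
    "login.php": (0o644, b"<?php"),
    "admin.php": (0o644, b"<?php"),
    "style.css": (0o644, b"body {"),
    "wp-config.php": (0o640, b"<?php"),
}
SNAP_T1 = dict(SNAP_T0)  # constructed later snapshot with suspicious changes
SNAP_T1.update({
    "wp-content/uploads/.cache/x.php": (0o644, b"<?php"),  # hidden directory
    "wp-content/uploads/photo.jpg": (0o644, b"<?php"),     # PHP behind .jpg
    "wp-includes/a8f3kq9z2x.php": (0o644, b"<?php"),       # random file name
    "wp-config.php": (0o666, b"<?php"),                    # mode widened
})
MAGIC = {b"\x89PNG": {".png"}, b"\xff\xd8": {".jpg", ".jpeg"}, b"<?php": {".php"}}
ENTROPY_THRESHOLD = 0.1  # assumed relative threshold for the MAD comparison

def name_entropy(path):
    """Randomness score (assumed): Shannon entropy in bits/char of the name stem."""
    stem = os.path.splitext(os.path.basename(path))[0]
    probs = [stem.count(c) / len(stem) for c in set(stem)]
    return -sum(p * math.log2(p) for p in probs)

def extension_mismatch(path, head):
    """True when the content's magic bytes imply an extension the name lacks."""
    ext = os.path.splitext(path)[1].lower()
    for magic, exts in MAGIC.items():
        if head.startswith(magic):
            return ext not in exts
    return False  # unknown content type: cannot judge, so not flagged

def structural_metric(snapshot, previous=None):
    """Structural-metric elements of claim 1 for one snapshot (set of labels)."""
    elems = set()
    for path, (mode, head) in snapshot.items():
        if any(part.startswith(".") for part in path.split("/")):
            elems.add("hidden_file")
        if extension_mismatch(path, head):
            elems.add("extension_mismatch")
        if previous and path in previous and previous[path][0] != mode:
            elems.add("permission_change")
    scores = [name_entropy(p) for p in snapshot]
    med = median(scores)
    mad = median(abs(s - med) for s in scores)  # median absolute deviation
    if mad > ENTROPY_THRESHOLD:  # step (d): MAD above the relative threshold
        elems.add("file_name_high_entropy")
    return elems
```

With these constructed snapshots the earlier snapshot yields no elements and the later one yields all four, which is the per-snapshot signal the claim then correlates across the temporal sequence to locate the compromise window.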