Multi-agent Architecture for Passive Rootkit Detection with Data Enrichment

CSEI: International Conference on Computer Science, Electronics and Industrial Engineering (CSEI) (2023)

Abstract
The growing value of the information transmitted in a networked environment has produced a sophisticated scenario of malicious actions aimed at data exfiltration. In situations involving advanced actors such as APTs, these actions use obfuscation techniques to hide harmful activity and to ensure persistence on strategic targets. The MADEX and NERD architectures proposed flow analysis solutions to detect rootkits that hide network traffic; however, they carry operational costs, either in traffic volume or in a lack of aggregated information. This work therefore modifies and improves user flow analysis techniques to eliminate the impact on network traffic, adding data enrichment from local and remote sources, detection of the domains queried by rootkits, and aggregation of information to generate threat intelligence, while maintaining high performance. The results show that information can be attached to the data flows used by rootkits so that effective cyber defense actions can be taken against these threats without major impact on the existing network infrastructure.
Keywords
Rootkit detection, data enrichment, threat intelligence, cybersecurity