Rui Wen,Jianyu Wang,Chunming Wu,Jian Xiong

DOI: https://doi.org/10.1145/3366424.3391266

2020-01-01

Abstract:Given a large graph with millions of vertices and different types, how can we spot anomalies and find potential adversaries in time? Most graph-based fraud detection algorithms focus on finding dense blocks, discovering local subgraphs, designing belief propagation, and latent factor models. However, as fraudsters in online social networks gradually become adversarial, distributed, and invisible, it is easy for them to evade traditional detection methods. Even worse, existing detection systems are fragile to the new attacks. Once attackers update their tragedies, they will be inefficient. Our focus is to detect potential adversaries as soon as possible. We design and propose ASA (Adversary Situation Awareness), a system that (a) uncovers potential adversaries in time, (b) utilizes heterogeneous information in the graph, and (c)is effective in real-world data. We do experiments on a heterogeneous graph including 198,541 nodes with five types and 224,384 edges. The result shows that ASA can spot potential adversaries and successfully recovers 60 of potential abnormal users within a few minutes. Additionally, after two months we deployed it, ASA could achieve 90 recall, which means ASA can well discover a small number of adversaries with a latent period in time.

Ion Băbălău,Azqa Nadeem

2024-08-19

Abstract:While intrusion detection systems form the first line-of-defense against cyberattacks, they often generate an overwhelming volume of alerts, leading to alert fatigue among security operations center (SOC) analysts. Alert-driven attack graphs (AGs) have been developed to reduce alert fatigue by automatically discovering attack paths in intrusion alerts. However, they only work in offline settings and cannot prioritize critical attack paths. This paper builds an action forecasting capability on top of the existing alert-driven AG framework for predicting the next likely attacker action given a sequence of observed actions, thus enabling analysts to prioritize non-trivial attack paths. We also modify the framework to build AGs in real time, as new alerts are triggered. This way, we convert alert-driven AGs into an early warning system that enables analysts to circumvent ongoing attacks and break the cyber killchain. We propose an expectation maximization approach to forecast future actions in a reversed suffix-based probabilistic deterministic finite automaton (rSPDFA). By utilizing three real-world intrusion and endpoint alert datasets, we empirically demonstrate that the best performing rSPDFA achieves an average top-3 accuracy of 67.27%, which reflects a 57.17% improvement over three baselines, on average. We also invite six SOC analysts to use the evolving AGs in two scenarios. Their responses suggest that the action forecasts help them prioritize critical incidents, while the evolving AGs enable them to choose countermeasures in real-time.

Cryptography and Security

Qiumei Cheng,Chunming Wu,Shiying Zhou

DOI: https://doi.org/10.1109/lcomm.2020.3048995

IF: 3.5529

2021-01-01

IEEE Communications Letters

Abstract:The alert correlation process that aggregates computer network security alerts to the same attack scenario provides a coherent view of network status at a higher abstraction level. This letter proposes a framework called Alert-GCN to correlate alerts that belong to the same attack using graph convolutional networks (GCN). The intuition is that the stacked convolutional layers help aggregate alert information from farther neighbors in the alert graph, thus facilitating attack scenario discovery. Alert-GCN first transforms alerts into alert graph with one-hot encoding and then feeds the graph into the GCN to perform node classification. The experimental results indicate that Alert-GCN outperforms traditional classification models in correlating alerts.

Sònia Leal Díaz,Sergio Pastrana,Azqa Nadeem

2023-10-20

Abstract:Although intrusion alerts can provide threat intelligence regarding attacker strategies, extracting such intelligence via existing tools is expensive and time-consuming. Earlier work has proposed SAGE, which generates attack graphs from intrusion alerts using unsupervised sequential machine learning. This paper proposes a querying and prioritization-enabled visual analytics dashboard for SAGE. The dashboard has three main components: (i) a Graph Explorer that presents a global view of all attacker strategies, (ii) a Timeline Viewer that correlates attacker actions chronologically, and (iii) a Recommender Matrix that highlights prevalent critical alerts via a MITRE ATT&CK-inspired attack stage matrix. We describe the utility of the proposed dashboard using intrusion alerts collected from a distributed multi-stage team-based attack scenario. We evaluate the utility of the dashboard through a user study. Based on the responses of a small set of security practitioners, we find that the dashboard is useful in depicting attacker strategies and attack progression, but can be improved in terms of usability.

Cryptography and Security

Shaojun Zhang,Jianhua Li,Xiuzhen Chen,Lei Fan

DOI: https://doi.org/10.1109/chinacom.2008.4685009

2008-01-01

Abstract:Most network administrators have got the unpleasant experience of being overwhelmed by tremendous unstructured network security alerts produced by heterogeneous network devices. To date, various approaches have been proposed to correlate security alerts, including the adoption of network attack graphs to clarify their causal relationship. However, there still lacks an operational method to generate attack graphs tailored for alert correlation, especially in large scale network environments. In this paper, we propose a kind of attack graph which can be built in polynomial time using an intuitive object-oriented method. Based on the graph, a criterion is given out to correlate security alerts into scenarios. As practice, a prototype system is implemented to testify the feasibility of the approaches.

Shaojun Zhang,Jianhua Li,Xiuzhen Chen,Lei Fan

DOI: https://doi.org/10.1016/j.cose.2008.05.005

IF: 5.105

2008-01-01

Computers & Security

Abstract:Most network administrators have got unpleasant experience of being overwhelmed by tremendous unstructured network security alerts produced by heterogeneous devices. To date, various approaches have been proposed to correlate security alerts, including the adoption of attack graphs to clarify their causal relationship. However, there still lacks an efficient and operational method to generate attack graphs tailored to alert causal correlation. In this paper, we propose a kind of ''one-step worst'' attack graph which can be built in polynomial time using an intuitive object-oriented method. Based on the graph, a principle is given out to correlate security alerts into scenarios. To prove its feasibility, we implemented a prototype system which can efficiently divide real-time alert streams into plausible attack scenarios.

Ahmed Aly,Shahrear Iqbal,Amr Youssef,Essam Mansour

DOI: https://doi.org/10.1109/tifs.2024.3396390

IF: 7.231

2024-05-14

IEEE Transactions on Information Forensics and Security

Abstract:The stealthy and persistent nature of Advanced Persistent Threats (APTs) makes them one of the most challenging cyber threats to uncover. Several systems adopted the development of provenance-graph-based security solutions to capture this persistent nature. Provenance graphs (PGs) represent system audit logs by connecting system entities using causal relations and information flows. Hunting APTs demands the processing of ever-growing large-scale PGs of audit logs for a wide range of activities over months or years, i.e., multi-terabyte graphs. Existing APT hunting systems are typically memory-based, which suffers colossal memory consumption, or disk-based, which suffers from performance hits. Therefore, these systems are hard to scale in terms of graph size or time performance. In this paper, we propose MEGR-APT, a scalable APT hunting system to discover suspicious subgraphs matching an attack scenario (query graph) published in Cyber Threat Intelligence (CTI) reports. MEGR-APT hunts APTs in a twofold process: (i) memory-efficient extraction of suspicious subgraphs as search queries over a graph database, and (ii) fast subgraph matching based on graph neural network (GNN) and our effective attack representation learning. We compared MEGR-APT with state-of-the-art (SOTA) APT systems using popular APT benchmarks, such as DARPA TC3 and OpTC. We also tested it using a real enterprise dataset. MEGR-APT achieves an order of magnitude reduction in memory consumption while achieving comparable performance to SOTA in terms of time and accuracy.

computer science, theory & methods,engineering, electrical & electronic

Liyan Chang,Paula Branco

DOI: https://doi.org/10.48550/arXiv.2111.13597

2021-11-27

Abstract:The high volume of increasingly sophisticated cyber threats is drawing growing attention to cybersecurity, where many challenges remain unresolved. Namely, for intrusion detection, new algorithms that are more robust, effective, and able to use more information are needed. Moreover, the intrusion detection task faces a serious challenge associated with the extreme class imbalance between normal and malicious traffics. Recently, graph-neural network (GNN) achieved state-of-the-art performance to model the network topology in cybersecurity tasks. However, only a few works exist using GNNs to tackle the intrusion detection problem. Besides, other promising avenues such as applying the attention mechanism are still under-explored. This paper presents two novel graph-based solutions for intrusion detection, the modified E-GraphSAGE, and E-ResGATalgorithms, which rely on the established GraphSAGE and graph attention network (GAT), respectively. The key idea is to integrate residual learning into the GNN leveraging the available graph information. Residual connections are added as a strategy to deal with the high-class imbalance, aiming at retaining the original information and improving the minority classes' performance. An extensive experimental evaluation of four recent intrusion detection datasets shows the excellent performance of our approaches, especially when predicting minority classes.

Cryptography and Security,Machine Learning

Liang Li,Yuanhui He,Feiyang Huang,Ziming Zhao,Zhuoxue Song,Tong Zhou,Zhenyuan Li,Fan Zhang

DOI: https://doi.org/10.1109/cscwd61410.2024.10580010

2024-01-01

Abstract:Intrusion Detection Systems (IDSs) are vital in detecting network attacks and ensuring the confidentiality and integrity of network resources. Currently, industry-standard IDSs primarily rely on rule-based or anomaly-detection techniques. However, existing detection techniques often generate false positives and negatives, also known as the alert fatigue problem. This influx of incorrect events diminishes the IDS’s efficiency by overburdening security analysts. In this paper, we present ACVS, an innovative automated alert cross-verification system that leverages Graph Neural Networks for identifying misclassifications in security events. Initially, ACVS generates event graphs using attributes like IP addresses and timestamps from sequences of security events and then employs correlation analysis on these events, utilizing alert information to verify misclassifications. Finally, the system uses Graph Neural Networks to classify and correct these security events automatically. We conduct evaluations for ACVS on a substantial real-world dataset comprising over 5 million security events, which are categorized into 5 distinct groups. The results reveal that ACVS markedly enhances the accuracy of intrusion detection systems and substantially reduces the need for manual analysis.

Jian Liu,Junjie Yan,Zhengwei Jiang,Xuren Wang,Jun Jiang

DOI: https://doi.org/10.1109/globecom48099.2022.10001525

2022-01-01

Abstract:System audit logs are widely adopted in enterprise security by their support for causality analysis that generates provenance graphs to investigate advanced attacks. However, detecting attack activity in the overwhelming amount of logs is like looking for a needle in a haystack, which slows down the speed of attack investigation. In this paper, we propose an automated approach for attack detection and investigation by learning the contextual semantics of the provenance graph. Our framework uncovers the semantics of the attack events through the structural context of audit logs. Further, an attention-based graph convolutional neural network is utilized to capture the structural identity associated with the attack path. It is important to note that when inferring whether a specific system node is malicious or not, our approach optimizes the provenance subgraph generated for that node without destroying its contextual semantics. The discovered attack nodes are correlated chronologically for attack investigation and scenario reconstruction. Our approach is evaluated on a real-world Advanced Persistent Threats (APT) dataset. The results show that our approach has a high F1 score (95.97%) for identifying attack nodes in audit logs and speeds up the process of attack investigation (reducing the analysis workload by 91.24%).

Jie Ying,Tiantian Zhu,Wenrui Cheng,Qixuan Yuan,Mingjun Ma,Chunlin Xiong,Tieming Chen,Mingqi Lv,Yan Chen

2024-05-04

Abstract:As the complexity and destructiveness of Advanced Persistent Threat (APT) increase, there is a growing tendency to identify a series of actions undertaken to achieve the attacker's target, called attack investigation. Currently, analysts construct the provenance graph to perform causality analysis on Point-Of-Interest (POI) event for capturing critical events (related to the attack). However, due to the vast size of the provenance graph and the rarity of critical events, existing attack investigation methods suffer from problems of high false positives, high overhead, and high latency. To this end, we propose SPARSE, an efficient and real-time system for constructing critical component graphs (i.e., consisting of critical events) from streaming logs. Our key observation is 1) Critical events exist in a suspicious semantic graph (SSG) composed of interaction flows between suspicious entities, and 2) Information flows that accomplish attacker's goal exist in the form of paths. Therefore, SPARSE uses a two-stage framework to implement attack investigation (i.e., constructing the SSG and performing path-level contextual analysis). First, SPARSE operates in a state-based mode where events are consumed as streams, allowing easy access to the SSG related to the POI event through semantic transfer rule and storage strategy. Then, SPARSE identifies all suspicious flow paths (SFPs) related to the POI event from the SSG, quantifies the influence of each path to filter irrelevant events. Our evaluation on a real large-scale attack dataset shows that SPARSE can generate a critical component graph (~ 113 edges) in 1.6 seconds, which is 2014 X smaller than the backtracking graph (~ 227,589 edges). SPARSE is 25 X more effective than other state-of-the-art techniques in filtering irrelevant edges.

Cryptography and Security

Wenrui Cheng,Tiantian Zhu,Tieming Chen,Qixuan Yuan,Jie Ying,Hongmei Li,Chunlin Xiong,Mingda Li,Mingqi Lv,Yan Chen

2024-10-15

Abstract:Cyber Threat Intelligence (CTI) reports are factual records compiled by security analysts through their observations of threat events or their own practical experience with attacks. In order to utilize CTI reports for attack detection, existing methods have attempted to map the content of reports onto system-level attack provenance graphs to clearly depict attack procedures. However, existing studies on constructing graphs from CTI reports suffer from problems such as weak natural language processing (NLP) capabilities, discrete and fragmented graphs, and insufficient attack semantic representation. Therefore, we propose a system called CRUcialG for the automated reconstruction of attack scenario graphs (ASGs) by CTI reports. First, we use NLP models to extract systematic attack knowledge from CTI reports to form preliminary ASGs. Then, we propose a four-phase attack rationality verification framework from the tactical phase with attack procedure to evaluate the reasonability of ASGs. Finally, we implement the relation repair and phase supplement of ASGs by adopting a serialized graph generation model. We collect a total of 10,607 CTI reports and generate 5,761 complete ASGs. Experimental results on CTI reports from 30 security vendors and DARPA show that the similarity of ASG reconstruction by CRUcialG can reach 84.54%. Compared with SOTA (EXTRACTOR and AttackG), the recall of CRUcialG (extraction of real attack events) can reach 88.13% and 94.46% respectively, which is 40% higher than SOTA on average. The F1-score of attack phase verification is able to reach 90.04%.

Cryptography and Security

Dennis Mouwen,Sicco Verwer,Azqa Nadeem

DOI: https://doi.org/10.48550/arXiv.2206.07776

2022-06-16

Abstract:We present a method to learn automaton models that are more robust to input modifications. It iteratively aligns sequences to a learned model, modifies the sequences to their aligned versions, and re-learns the model. Automaton learning algorithms are typically very good at modeling the frequent behavior of a software system. Our solution can be used to also learn the behavior present in infrequent sequences, as these will be aligned to the frequent ones represented by the model. We apply our method to the SAGE tool for modeling attacker behavior from intrusion alerts. In experiments, we demonstrate that our algorithm learns models that can handle noise such as added and removed symbols from sequences. Furthermore, it learns more concise models that fit better to the training data.

Machine Learning,Cryptography and Security

LILongying,LI Jinku,MAJianfeng,JIANGQi

DOI: https://doi.org/10.3969/j.issn.1001-2400.2014.05.015

2014-01-01

Abstract:The causal relation based alert correlation approach causes split scenario graphs and cannot process massive alerts in time.To address this issue,a comprehensive analysis approach of real-time alerts with attack strategy graphs is proposed.First,it gets rid of the splitting of the attack scenario graph by introducing hypothesizing alerts to the alert correlation process.Second,it leverages a novel sliding window mechanism,which maintains a window for each type of attacks and determines the window’s size according to both the time and number of the alerts.This new mechanism only introduces linear time complexity without sacrificing effectiveness.Third,the approach is extended to a comprehensive system to reconstruct attack scenarios,predict future alerts and fuse analytical results.Evaluation results indicate that our approach is effective and efficient.

Zhi-tang Li,Jie Lei,Li Wang,Dong Li

DOI: https://doi.org/10.1109/fskd.2007.15

2007-01-01

Abstract:A network attack graph provides a global view of all possible sequences of exploits which an intruder may use to penetrate a system. Attack graphs can be generated by model checking techniques or intrusion alert correlation. In this paper we proposed a data mining approach to generating attack graphs. Through association rule mining, the algorithm generates multi-step attack patterns from historical intrusion alerts which comprise the attack graphs. The algorithm also calculates the predictability of each attack scenario in the attack graph which represents the probability for the corresponding attack scenario to be the precursor of future attacks. Then the real-time intrusion alerts can be correlated to attack scenarios and ranked by the predictability scores. The ranking result can help identify the appropriate evidence for intrusion prediction from a large volume of raw intrusion alerts. The approach is validated by DARPA 2000 and DARPA 1999 intrusion detection evaluation datasets.

Michael Biehler,Zhen Zhong,Jianjun Shi

DOI: https://doi.org/10.48550/arXiv.2106.09905

2021-11-29

Abstract:Cyber-physical systems (CPS) have been increasingly attacked by hackers. Recent studies have shown that CPS are especially vulnerable to insider attacks, in which case the attacker has full knowledge of the systems configuration. To better prevent such types of attacks, we need to understand how insider attacks are generated. Typically, there are three critical aspects for a successful insider attack: (i) Maximize damage, (ii) Avoid detection and (iii) Minimize the attack cost. In this paper we propose a Stealthy Attack GEneration (SAGE) framework by formulizing a novel optimization problem considering these three objectives and the physical constraints of the CPS. By adding small worst-case perturbations to the system, the SAGE attack can generate significant damage, while remaining undetected by the systems monitoring algorithms. The proposed methodology is evaluated on several anomaly detection algorithms. The results show that SAGE attacks can cause severe damage while staying undetected and keeping the cost of an attack low. Our method can be accessed in the supplementary material of this paper to aid researcher and practitioners in the design and development of resilient CPS and detection algorithms.

Applications

Yi-Ting Huang,Ying-Ren Guo,Yu-Sheng Yang,Guo-Wei Wong,Yu-Zih Jheng,Yeali Sun,Jessemyn Modini,Timothy Lynar,Meng Chang Chen

2024-11-20

Abstract:With the increasing sophistication of Advanced Persistent Threats (APTs), the demand for effective detection and mitigation strategies and methods has escalated. Program execution leaves traces in the system audit log, which can be analyzed to detect malicious activities. However, collecting and analyzing large volumes of audit logs over extended periods is challenging, further compounded by insufficient labeling that hinders their usability. Addressing these challenges, this paper introduces SAGA (Synthetic Audit log Generation for APT campaigns), a novel approach for generating find-grained labeled synthetic audit logs that mimic real-world system logs while embedding stealthy APT attacks. SAGA generates configurable audit logs for arbitrary duration, blending benign logs from normal operations with malicious logs based on the definitions the MITRE ATT\&CK framework. Malicious audit logs follow an APT lifecycle, incorporating various attack techniques at each stage. These synthetic logs can serve as benchmark datasets for training machine learning models and assessing diverse APT detection methods. To demonstrate the usefulness of synthetic audit logs, we ran established baselines of event-based technique hunting and APT campaign detection using various synthetic audit logs. In addition, we show that a deep learning model trained on synthetic audit logs can detect previously unseen techniques within audit logs.

Cryptography and Security

Siying He,Mi Wen,Xiumin Li,Zhou Su

DOI: https://doi.org/10.1109/ICCC57788.2023.10233417

2023-01-01

Abstract:With the complexity and variability of cyber attacks increasing, current approaches for constructing attack scenarios often overlook the continuity of attack behaviors. These approaches lead to challenges in dynamically reconstructing the complete attack path. Additionally, many false alerts significantly reduce the accuracy of restoring an attack scenario. Against these issues, this paper proposes an approach for attack scenario construction based on a dynamic attack path graph. First, this paper proposes an alert truth rate calculating approach which utilizes mutual information. And the paper constructs the attack path graph by considering multiple dimensions, including calculated alert features and alert truth rate. In addition, an attack chain generation algorithm is proposed to restore the dynamic and complete attack scenario. Secondly, in order to cope with the changing network, the paper introduces a dynamic probabilistic update algorithm that periodically adjusts the attack path as time progresses. Finally, Experimental results show that the proposed approach can recover all attack processes in the dataset, with an algorithmic complexity of O (M × N).

Mathieu Garchery,Michael Granitzer

DOI: https://doi.org/10.48550/arXiv.2007.06985

IF: 5.414

2020-07-14

Machine Learning

Abstract:Previous works on the CERT insider threat detection case have neglected graph and text features despite their relevance to describe user behavior. Additionally, existing systems heavily rely on feature engineering and audit data aggregation to detect malicious activities. This is time consuming, requires expert knowledge and prevents tracing back alerts to precise user actions. To address these issues we introduce ADSAGE to detect anomalies in audit log events modeled as graph edges. Our general method is the first to perform anomaly detection at edge level while supporting both edge sequences and attributes, which can be numeric, categorical or even text. We describe how ADSAGE can be used for fine-grained, event level insider threat detection in different audit logs from the CERT use case. Remarking that there is no standard benchmark for the CERT problem, we use a previously proposed evaluation setting based on realistic recall-based metrics. We evaluate ADSAGE on authentication, email traffic and web browsing logs from the CERT insider threat datasets, as well as on real-world authentication events. ADSAGE is effective to detect anomalies in authentications, modeled as user to computer interactions, and in email communications. Simple baselines give surprisingly strong results as well. We also report performance split by malicious scenarios present in the CERT datasets: interestingly, several detectors are complementary and could be combined to improve detection. Overall, our results show that graph features are informative to characterize malicious insider activities, and that detection at fine-grained level is possible.

Mai Ye,Shiming Men,Lei Xie,Bing Chen

DOI: https://doi.org/10.1145/3605801.3605807

2023-01-01

Abstract:APT(Advanced Persistent Threat) are known for their stealth, persistence, and sophistication, often carried out by skilled and well-funded attackers. To detect and investigate APT attacks at the host-level, scholars have extensively studied the provenance graph, which preserves the complete attack context. However, existing methods have impractical requirements for data collection and threshold setting, severely impacting their real-world performance. In this paper, we propose GCA (Graph Competitive Autoencoder), a GNN-based graph-level anomaly detection system. We first extract entities and their interactions from host logs to construct a provenance graph. Subsequently, we utilize GNN (Graph Neural Network) as a graph encoder to obtain graph-level embeddings. In the anomaly detection part, we use the competitive autoencoder and mutual information maximization to identify the attack graph. With this model, we can conduct graph-level anomaly detection even when the training data is partially contaminated, without manually setting the threshold. We deploy and evaluate our model on the public dataset StreamSpot. Our results show that GCA outperforms existing methods in terms of accuracy and practicality.