Accurate and Scalable Detection and Investigation of Cyber Persistence Threats

Qi Liu, Muhammad Shoaib, Mati Ur Rehman, Kaibin Bao, Veit Hagenmeyer, Wajih Ul Hassan
2024-07-26
Abstract: In Advanced Persistent Threat (APT) attacks, achieving stealthy persistence within target systems is often crucial for an attacker's success. This persistence allows adversaries to maintain prolonged access, often evading detection mechanisms. Recognizing its pivotal role in the APT lifecycle, this paper introduces Cyber Persistence Detector (CPD), a novel system dedicated to detecting cyber persistence through provenance analytics. CPD is founded on the insight that persistent operations typically manifest in two phases: the "persistence setup" and the subsequent "persistence execution". By causally relating these phases, we enhance our ability to detect persistent threats. First, CPD discerns setups signaling an impending persistent threat and then traces processes linked to remote connections to identify persistence execution activities. A key feature of our system is the introduction of pseudo-dependency edges (pseudo-edges), which effectively connect these disjoint phases using data provenance analysis, and expert-guided edges, which enable faster tracing and reduced log size. These edges empower us to detect persistence threats accurately and efficiently. Moreover, we propose a novel alert triage algorithm that further reduces false positives associated with persistence threats. Evaluations conducted on well-known datasets demonstrate that our system reduces the average false positive rate by 93% compared to state-of-the-art methods.
Cryptography and Security
What problem does this paper attempt to address?
The problem that this paper attempts to solve is: how to accurately and efficiently detect and investigate persistence threats in Advanced Persistent Threat (APT) attacks. Specifically, given the shortcomings of existing intrusion detection systems in detecting persistence threats, such as high false-positive rates, inability to correlate scattered attack phases, and dependence on training data, the paper proposes a new system, Cyber Persistence Detector (CPD), to improve detection accuracy and efficiency.

### Problem Background

1. **Characteristics of APT Attacks**:
   - APT attackers use complex multi-stage strategies, especially establishing persistent access in the target system, to remain undetected for a long time.
   - Persistence techniques are key to the success of APT attacks and usually involve installing malware or manipulating legitimate scripts and scheduled tasks so that access survives a system reboot.
2. **Limitations of Existing Systems**:
   - **Rule-based detection systems** such as Elastic and Google Chronicle tend to generate a large number of false positives (FPs) because they analyze persistence techniques in isolation and ignore the overall context of the attack.
   - **Anomaly- or learning-based PIDS** require representative training data and are relatively vulnerable to concept drift and evasion attacks.
   - **Heuristic PIDS** struggle to understand the semantics of persistence attacks, resulting in incomplete and incoherent attack-graph reconstruction.

### Main Contributions of the Paper

1. **Pseudo-dependency edges**: connect the "persistence setup" and "persistence execution" phases, correlating these scattered phases through data provenance analysis so that persistence threats are detected more accurately.
2. **Expert-guided edges**: use insights from process creation and system policies to optimize provenance-graph construction, reducing log volume and improving detection efficiency.
3. **Alert triage algorithm**: a new alert triage algorithm that combines techniques and tactics from the MITRE ATT&CK framework to reduce false positives and improve detection accuracy and reliability.
4. **System evaluation**: evaluation on multiple public datasets and rigorously executed MITRE simulation plans shows that CPD reduces the average false-positive rate by 93% and generates concise, explanatory attack graphs.

### Summary

By introducing CPD, the paper addresses the high false-positive rates, lack of context correlation, and dependence on training data in existing persistence-threat detection systems. Through pseudo-dependency edges and expert-guided edges, CPD improves detection accuracy and efficiency, giving security analysts a more valuable threat-detection tool.
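To make the setup/execution linkage concrete, here is an added toy example (my own illustration, not the CPD implementation, its datasets or its actual pseudo-edge construction): a tiny provenance graph over constructed audit events, a simplified pseudo-dependency rule that links a process forked by a persistence daemon back to the process that earlier wrote that daemon's configuration, and a backward trace from each remote connection to see whether it reaches a setup process. The event list, the `MECHANISMS` table and the pseudo-edge rule are assumptions made for this example.

```python
from collections import defaultdict

EVENTS = [  # constructed audit events (ts, subject, op, object); not real logs
    (1, "bash[100]", "write", "/etc/cron.d/update"),       # persistence setup
    (10, "cron[1]", "fork", "sh[200]"),                     # after reboot: cron fires job
    (11, "sh[200]", "exec", "/usr/bin/python3"),            # payload lives in the crontab line
    (12, "sh[200]", "connect", "203.0.113.5:443"),          # persistence execution
    (19, "systemd[1]", "fork", "apt[300]"),                 # benign timer-driven job
    (20, "apt[300]", "connect", "mirror.example.org:443"),
]
# Assumed mapping: persistence config prefix -> daemon that acts on it.
MECHANISMS = {"/etc/cron.d/": "cron[1]", "/etc/systemd/system/": "systemd[1]"}

def build_graph(events, use_pseudo=True):
    """Return (pred, setups): pred maps each node to its causal predecessors."""
    pred = defaultdict(set)
    setups = []                                  # (ts, setup_process, daemon)
    for ts, subj, op, obj in events:
        src, dst = (subj, obj) if op in ("write", "fork", "connect") else (obj, subj)
        pred[dst].add(src)                       # write/fork/connect: subj->obj; read/exec: obj->subj
        if op == "write":
            for prefix, daemon in MECHANISMS.items():
                if obj.startswith(prefix):
                    setups.append((ts, subj, daemon))
    if use_pseudo:
        # Pseudo-dependency edge: a process forked by the mechanism's daemon after a
        # setup write is linked back to the setup process, bridging the two phases.
        for ts, subj, op, obj in events:
            if op == "fork":
                for sts, sproc, daemon in setups:
                    if subj == daemon and ts > sts:
                        pred[obj].add(sproc)
    return pred, setups

def backtrace(pred, node):
    seen, stack = set(), [node]                  # backward provenance query from node
    while stack:
        for p in pred[stack.pop()]:
            if p not in seen:
                seen.add(p)
                stack.append(p)
    return seen

def detect(events, use_pseudo=True):
    """Alert on remote connections whose backward trace reaches a setup process."""
    pred, setups = build_graph(events, use_pseudo)
    setup_procs = {proc for _, proc, _ in setups}
    return [(subj, obj, sorted(hit)) for _, subj, op, obj in events
            if op == "connect" and (hit := backtrace(pred, subj) & setup_procs)]
```

Without the pseudo-edge, the backward trace from `sh[200]` stops at the long-lived `cron[1]` daemon and the interpreter binary, so the connection is never tied to the crontab write; with it, the setup and execution phases share one provenance path, while the `systemd`-spawned `apt` job stays unflagged because no setup write preceded it.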