Cheng Tan,Qian Wang,Lina Wang,Lei Zhao

DOI: https://doi.org/10.1109/mnet.2018.1700469

IF: 10.294

2018-01-01

IEEE Network

Abstract:With the increasing damage of APT attacks, the modern world has moved from individual hackers for fun to nation-wide cybercriminals for strategic advantage or profit. These APT attacks are often prolonged and have multiple stages, and they usually utilize zero-day or one-day exploits to be penetrating and stealthy. As a result, there is an urgent need to detect and investigate APT attacks. Among all kinds of security techniques, provenance tracing is regarded as a promising and important approach for attack investigation, as it discloses the root cause, the path, and the results of attacks. However, the existing techniques either suffer from the limitation of only focusing on the log type, or have non-trivial space and runtime overhead, which hinder their wide applications in practice. In this article, we provide a comprehensive survey of provenance tracing technologies in the most recent literature. Following the overview of each scheme, we present the key technical features of them and then compare the state-of-the-art solutions in terms of both security and performance. Finally, we propose and discuss several potential future research directions.

Han Liu,Yuntao Wang,Zhou Su,Zixuan Wang,Yanghe Pan,Ruidong Li

DOI: https://doi.org/10.1109/icc51166.2024.10623080

2024-01-01

Abstract:Provenance graph-based auditing offers a promising direction for APT (Advanced Persistent Threat) detection with traceability guarantees. However, most of the existing methods are based on host-level causality analysis, which is ineffective in practical APT scenarios when well-organized adversaries exploit lateral movement attacks (e.g., multi-level proxies) across multiple compromised hosts. To bridge the research gap, this paper proposes a collaborative APT detection and tracing frame-work (TRACEGADGET) based on federal provenance graphs. TRACEGADGET can efficiently reveal the whole trace of APT lateral movements through the interactions between hosts in Intranet. Specifically, the proposed framework 1) characterizes the relevance weights of all events in the given provenance graph in comparison to the POI (Point of Interest) events, 2) identifies the network entries rankings of the POI events through backward trace analysis, 3) reveals the evolution of the alarm events and confirms the network exit of penetration chain through forward propagation, and 4) aligns the network entries and network exits to derive the complete path of the lateral movement attack. Finally, we construct a dataset consisting of 280,000 edges and more than 90,000 entities through ten sets of real APT attacks. We demonstrate the feasibility and effectiveness of the proposed framework in recovering APT attack links at the network level. Particularly, TRACEGADGET achieves 100% APT path reconstruction with high robustness in all the experiments.

Teng Li,Ximeng Liu,Wei Qiao,Xiongjie Zhu,Yulong Shen,Jianfeng Ma

DOI: https://doi.org/10.1109/tdsc.2023.3273918

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Advanced Persistent Threats (APTs) employ sophisticated and covert tactics to infiltrate target systems, leading to increased vulnerability and an elevated risk of exposure. Consequently, it is essential for us to proactively create an extensive and clearly outlined attack chain for APTs in order to effectively combat these threats. Unlike traditional malware or application threats, APTs can sidestep cyber security efforts and cause severe damage to organizations or even state security. Nonetheless, earlier methods struggle to accurately track APTs and may face a dependency explosion issue, as identifying the intricate and complex unknown malicious activities within APTs proves to be challenging. In this paper, we propose and build an approach, T-trace, which constructs the events provenance graphs by analyzing the correlations among logs. The approach precisely finds the log communities with tensor decomposition and calculates significance scores to extract the events. The APTs can be inferred by discovering the event communities and constructing the provenance graph with log correlation. In the experiment, we used DARPA data sets and launched four current practical APTs. Compared with current approaches, the results show that T-trace can efficiently reduce time cost by 90% and achieve a 92% accuracy rate in constructing the provenance graph, which can be practically applied in APTs provenance.

Yuntao Wang,Han Liu,Zhendong Li,Zhou Su,Jiliang Li

DOI: https://doi.org/10.1109/MNET.2024.3389734

2024-04-12

Abstract:The rise of advanced persistent threats (APTs) has marked a significant cybersecurity challenge, characterized by sophisticated orchestration, stealthy execution, extended persistence, and targeting valuable assets across diverse sectors. Provenance graph-based kernel-level auditing has emerged as a promising approach to enhance visibility and traceability within intricate network environments. However, it still faces challenges including reconstructing complex lateral attack chains, detecting dynamic evasion behaviors, and defending smart adversarial subgraphs. To bridge the research gap, this paper proposes an efficient and robust APT defense scheme leveraging provenance graphs, including a network-level distributed audit model for cost-effective lateral attack reconstruction, a trust-oriented APT evasion behavior detection strategy, and a hidden Markov model based adversarial subgraph defense approach. Through prototype implementation and extensive experiments, we validate the effectiveness of our system. Lastly, crucial open research directions are outlined in this emerging field.

Cryptography and Security

Jiawei Li,Ru Zhang,Jianyi Liu

DOI: https://doi.org/10.3390/electronics13010100

IF: 2.9

2023-01-01

Electronics

Abstract:Attack investigation is a crucial technique in proactively defending against sophisticated attacks. Its purpose is to identify attack entry points and previously unknown attack traces through comprehensive analysis of audit data. However, a major challenge arises from the vast and redundant nature of audit logs, making attack investigation difficult and prohibitively expensive. To address this challenge, various technologies have been proposed to reduce audit data, facilitating efficient analysis. However, most of these techniques rely on defined templates without considering the rich context information of events. Moreover, these methods fail to remove false dependencies caused by the coarse-grained nature of logs. To address these limitations, this paper proposes a context-aware provenance graph reduction and partition approach for facilitating attack investigation named ProvGRP. Specifically, three features are proposed to determine whether system events are the same behavior from multiple dimensions. Based on the insight that information paths belonging to the same high-level behavior share similar information flow patterns, ProvGRP generates information paths containing context, and identifies and merges paths that share similar flow patterns. Experimental results show that ProvGRP can efficiently reduce provenance graphs with minimal loss of crucial information, thereby facilitating attack investigation in terms of runtime and results.

Weina Niu,Zhenqi Yu,Zimu Li,Beibei Li,Runzi Zhang,Xiaosong Zhang

DOI: https://doi.org/10.1109/globecom48099.2022.10000804

2022-01-01

Abstract:Information systems have penetrated into all areas of social life, however, unknown threats represented by APT attacks pose serious challenges to their security. In recent years, approaches based on log analysis and provenance graph have been extensively used in the anomaly detection and tracing of malicious attacks. However, traditional method has low detection accuracy, high complexity and low efficiency. To address those shortcomings, we propose an efficient anomaly tracing approach (LogTracer), which combines system log detection and provenance graph together. The proposed LogTracer extracts the attack path from provenance graph, which is constructed with the anomaly degrees of the system logs anomaly detection results. Compar-ative experiments with OmegaLog, NoDoze and ALchemist are conducted on a simulated dataset with 16 attack types totaling 290 million logs. The experimental results show that our method approximately 5.4x, 0.2x and 7.2x faster than these three methods in processing efficiency, and its malicious node coverage rate reaches 98.1%.

Erteng Hu,Anmin Fu,Zhiyi Zhang,Linjie Zhang,Yantao Guo,Yin Liu

DOI: https://doi.org/10.1109/infocomwkshps51825.2021.9484532

2021-01-01

Abstract:The emerging advanced persistent threats (APT) have become a significant threat to enterprise network security. Carrying out the attack's causality analysis can help the cyber analyst understand the APT attack process and safely recover the system from the attack. How to quickly perform an efficient causality analysis and generate an attack dependency graph that is easy for analysts to understand has become a problem. In this paper, we propose ACTracker, a fast and efficient attack causality tracker. Firstly, the tracker generates a complete provenance graph based on threat alert and then calculates each provenance path's anomaly score based on the anomaly score of each event. ACTracker quickly constructs a dependency graph describing the causality of attacks by considering the anomaly degree of each provenance path in the provenance graph. We also design a novel statistical method of event frequency to adapt to different scales of corporate network environments and assign anomaly scores to each event based on the event's rarity in the current environment. We evaluate our system by simulating a variety of real-world attacks. The experimental results show that our solution can effectively track attack activities in a short time.

Su Wang,Zhiliang Wang,Tao Zhou,Xia Yin,Dongqi Han,Han Zhang,Hongbin Sun,Xingang Shi,Jiahai Yang

DOI: https://doi.org/10.48550/arXiv.2111.04333

2021-11-08

Abstract:Host-based threats such as Program Attack, Malware Implantation, and Advanced Persistent Threats (APT), are commonly adopted by modern attackers. Recent studies propose leveraging the rich contextual information in data provenance to detect threats in a host. Data provenance is a directed acyclic graph constructed from system audit data. Nodes in a provenance graph represent system entities (e.g., $processes$ and $files$) and edges represent system calls in the direction of information flow. However, previous studies, which extract features of the whole provenance graph, are not sensitive to the small number of threat-related entities and thus result in low performance when hunting stealthy threats. We present threaTrace, an anomaly-based detector that detects host-based threats at system entity level without prior knowledge of attack patterns. We tailor GraphSAGE, an inductive graph neural network, to learn every benign entity's role in a provenance graph. threaTrace is a real-time system, which is scalable of monitoring a long-term running host and capable of detecting host-based intrusion in their early phase. We evaluate threaTrace on three public datasets. The results show that threaTrace outperforms three state-of-the-art host intrusion detection systems.

Cryptography and Security,Machine Learning

Sadegh M. Milajerdi,Birhanu Eshete,Rigel Gjomemo,V.N. Venkatakrishnan

DOI: https://doi.org/10.48550/arXiv.1810.05711

2018-10-13

Abstract:Kernel audit logs are an invaluable source of information in the forensic investigation of a cyber-attack. However, the coarse granularity of dependency information in audit logs leads to the construction of huge attack graphs which contain false or inaccurate dependencies. To overcome this problem, we propose a system, called ProPatrol, which leverages the open compartmentalized design in families of enterprise applications used in security-sensitive contexts (e.g., browser, chat client, email client). To achieve its goal, ProPatrol infers a model for an application's high-level tasks as input-processing compartments using purely the audit log events generated by that application. The main benefit of this approach is that it does not rely on source code or binary instrumentation, but only on a preliminary and general knowledge of an application's architecture to bootstrap the analysis. Our experiments with enterprise-level attacks demonstrate that ProPatrol significantly cuts down the forensic investigation effort and quickly pinpoints the root- cause of attacks. ProPatrol incurs less than 2% runtime overhead on a commodity operating system.

Cryptography and Security

Nan Wang,Xuezhi Wen,Dalin Zhang,Xibin Zhao,Jiahui Ma,Mengxia Luo,Sen Nie,Shi Wu,Jiqiang Liu

2023-04-06

Abstract:APT detection is difficult to detect due to the long-term latency, covert and slow multistage attack patterns of Advanced Persistent Threat (APT). To tackle these issues, we propose TBDetector, a transformer-based advanced persistent threat detection method for APT attack detection. Considering that provenance graphs provide rich historical information and have the powerful attacks historic correlation ability to identify anomalous activities, TBDetector employs provenance analysis for APT detection, which summarizes long-running system execution with space efficiency and utilizes transformer with self-attention based encoder-decoder to extract long-term contextual features of system states to detect slow-acting attacks. Furthermore, we further introduce anomaly scores to investigate the anomaly of different system states, where each state is calculated with an anomaly score corresponding to its similarity score and isolation score. To evaluate the effectiveness of the proposed method, we have conducted experiments on five public datasets, i.e., streamspot, cadets, shellshock, clearscope, and wget_baseline. Experimental results and comparisons with state-of-the-art methods have exhibited better performance of our proposed method.

Cryptography and Security,Artificial Intelligence,Machine Learning

Bibek Bhattarai,H. Howie Huang

2023-10-02

Abstract:Modern cyber attackers use advanced zero-day exploits, highly targeted spear phishing, and other social engineering techniques to gain access and also use evasion techniques to maintain a prolonged presence within the victim network while working gradually towards the objective. To minimize the damage, it is necessary to detect these Advanced Persistent Threats as early in the campaign as possible. This paper proposes, Prov2Vec, a system for the continuous monitoring of enterprise host's behavior to detect attackers' activities. It leverages the data provenance graph built using system event logs to get complete visibility into the execution state of an enterprise host and the causal relationship between system entities. It proposes a novel provenance graph kernel to obtain the canonical representation of the system behavior, which is compared against its historical behaviors and that of other hosts to detect the deviation from the normality. These representations are used in several machine learning models to evaluate their ability to capture the underlying behavior of an endpoint host. We have empirically demonstrated that the provenance graph kernel produces a much more compact representation compared to existing methods while improving prediction ability.

Cryptography and Security,Information Theory

Xiaoxiao Liu,Fan Xu,Nan Wang,Qinxin Zhao,Dalin Zhang,Xibin Zhao,Jiqiang Liu

2024-04-04

Abstract:Advanced Persistent Threat (APT) is challenging to detect due to prolonged duration, infrequent occurrence, and adept concealment techniques. Existing approaches primarily concentrate on the observable traits of attack behaviors, neglecting the intricate relationships formed throughout the persistent attack lifecycle. Thus, we present an innovative APT detection framework named LTRDetector, implementing an end-to-end holistic operation. LTRDetector employs an innovative graph embedding technique to retain comprehensive contextual information, then derives long-term features from these embedded provenance graphs. During the process, we compress the data of the system provenance graph for effective feature learning. Furthermore, in order to detect attacks conducted by using zero-day exploits, we captured the system's regular behavior and detects abnormal activities without relying on predefined attack signatures. We also conducted extensive evaluations using five prominent datasets, the efficacy evaluation of which underscores the superiority of LTRDetector compared to existing state-of-the-art techniques.

Cryptography and Security

Feng Dong,Liu Wang,Xu Nie,Fei Shao,Haoyu Wang,Ding Li,Xiapu Luo,Xusheng Xiao

2023-01-01

Abstract:Building provenance graph that considers causal relationships among software behaviors can better provide contextual information of cyber attacks, especially for advanced attacks such as Advanced Persistent Threat (APT) attacks. Despite its promises in assisting attack investigation, existing approaches that use provenance graphs to perform attack detection suffer from two fundamental limitations. First, existing approaches adopt a centralized detection architecture that sends all system auditing logs to the server for processing, incurring intolerable costs of data transmission, data storage, and computation. Second, they adopt either rule-based techniques that cannot detect unknown threats, or anomaly-detection techniques that produce numerous false alarms, failing to achieve a balance of precision and recall in APT detection. To address these fundamental challenges, we propose DISTDET, a distributed detection system that detects APT attacks by (1) performing light weight detection based on the host model built in the client side, (2) filtering false alarms based on the semantics of the alarm proprieties, and (3) deriving global models to complement the local bias of the host models. Our experiments on a large-scale industrial environment (1,130 hosts, 14 days, similar to 1.6 billion events) and the DARPA TC dataset show that DISTDET is as effective as sate-of-the-art techniques in detecting attacks, while dramatically reducing network bandwidth from 11.28Mb/s to 17.08Kb/S (676.5x reduction), memory usages from 364MB to 5.523MB (66x reduction), and storage from 1.47GB to 130.34MB (11.6x reduction). By the time of this writing, DISTDET has been deployed to 50+ industry customers with 22,000+ hosts for more than 6 months, and identified over 900 real-world attacks.

Weijie Liu,Ximeng Liu,Zhi Li,Bin Liu,Rongwei Yu,Lina Wang

DOI: https://doi.org/10.1109/tifs.2022.3183409

IF: 7.231

2022-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Cloud attack provenance is a well-established industrial practice for assuring transparency and accountability for a service provider to tenants. However, the multi-tenancy and self-service nature coupled with the sheer size of a cloud implies many unique challenges to cloud forensics. Although Virtual Machine Introspection (VMI) is a powerful tool for attack provenance due to the privilege isolation, the stealthiness of state-of-the-art attacks and the lack of precise information make existing attack provenance solutions difficult to fulfill real-time forensics when tracking enormous suspicious behaviors. To this end, we propose an instruction-level tracing framework for inspecting the presence of attacks by dynamically tracking shared processor hardware event patterns and analyzing the attack traces. To overcome the challenges of real-time detection and provenance, we advocate Last Branch Record (LBR) profiling, to extract the suspicious execution flows. With the hardware assistance and software-based virtualization introspection, we show that the framework can provide an effective response to threats in different cases, thereby enabling a quick attack provenance with high fidelity. The evaluation shows that our prototype introduces negligible performance penalties.

Nanda Rani,Bikash Saha,Vikas Maurya,Sandeep Kumar Shukla

2024-09-25

Abstract:The current state of Advanced Persistent Threats (APT) attribution primarily relies on time-consuming manual processes. These include mapping incident artifacts onto threat attribution frameworks and employing expert reasoning to uncover the most likely responsible APT groups. This research aims to assist the threat analyst in the attribution process by presenting an attribution method named CAPTAIN (Comprehensive Advanced Persistent Threat AttrIbutioN). This novel APT attribution approach leverages the Tactics, Techniques, and Procedures (TTPs) employed by various APT groups in past attacks. CAPTAIN follows two significant development steps: baseline establishment and similarity measure for attack pattern matching. This method starts by maintaining a TTP database of APTs seen in past attacks as baseline behaviour of threat groups. The attribution process leverages the contextual information added by TTP sequences, which reflects the sequence of behaviours threat actors demonstrated during the attack on different kill-chain stages. Then, it compares the provided TTPs with established baseline to identify the most closely matching threat group. CAPTAIN introduces a novel similarity measure for APT group attack-pattern matching that calculates the similarity between TTP sequences. The proposed approach outperforms traditional similarity measures like Cosine, Euclidean, and Longest Common Subsequence (LCS) in performing attribution. Overall, CAPTAIN performs attribution with the precision of 61.36% (top-1) and 69.98% (top-2), surpassing the existing state-of-the-art attribution methods.

Cryptography and Security

Yulai Xie,Dan Feng,Zhipeng Tan,Junzhe Zhou

DOI: https://doi.org/10.1016/j.future.2016.02.005

IF: 7.307

2016-01-01

Future Generation Computer Systems

Abstract:The existing host-based intrusion detection methods are mainly based on recording and analyzing the system calls of the invasion processes (such as exploring the sequences of system calls and their occurring probabilities). However, these methods are not efficient enough on the detection precision as they do not reveal the inherent intrusion events in detail (e.g., where are the system vulnerabilities and what causes the invasion are both not mentioned). On the other hand, though the log-based forensic analysis can enhance the understanding of how these invasion processes break into the system and what files are affected by them, it is a very cumbersome process to manually acquire information from logs which consist of the users' normal behavior and intruders' illegal behavior together.This paper proposes to use provenance, the history or lineage of an object that explicitly represents the dependency relationship between the damaged files and the intrusion processes, rather than the underlying system calls, to detect and analyze intrusions. Provenance more accurately reveals and records the data and control flow between files and processes, reducing the potential false alarm caused by system call sequences. Moreover, the warning report during intrusion call explicitly output system vulnerabilities and intrusion sources, and provide detection points for further provenance graph based forensic analysis. Experimental results show that this framework call identify the intrusion with high detection rate, lower false alarm rate, and smaller detection time overhead compared to traditional system call based method. In addition, it can analyze the system vulnerabilities and attack sources quickly and accurately. (C) 2016 Elsevier B.V. All rights reserved.

Zijun Cheng,Qiujian Lv,Jinyuan Liang,Yan Wang,Degang Sun,Thomas Pasquier,Xueyuan Han

DOI: https://doi.org/10.1109/sp54263.2024.00005

2024-01-01

Abstract:Provenance graphs are structured audit logs that describe the history of a system's execution. Recent studies have explored a variety of techniques to analyze provenance graphs for automated host intrusion detection, focusing particularly on advanced persistent threats. Sifting through their design documents, we identify four common dimensions that drive the development of provenance-based intrusion detection systems (PIDSes): scope (can PIDSes detect modern attacks that infiltrate across application boundaries?), attack agnosticity (can PIDSes detect novel attacks without a priori knowledge of attack characteristics?), timeliness (can PIDSes efficiently monitor host systems as they run?), and attack reconstruction (can PIDSes distill attack activity from large provenance graphs so that sysadmins can easily understand and quickly respond to system intrusion?). We present KAIROS, the first PIDS that simultaneously satisfies the desiderata in all four dimensions, whereas existing approaches sacrifice at least one and struggle to achieve comparable detection performance. Kairos leverages a novel graph neural network-based encoder-decoder architecture that learns the temporal evolution of a provenance graph's structural changes to quantify the degree of anomalousness for each system event. Then, based on this fine-grained information, Kairos reconstructs attack footprints, generating compact summary graphs that accurately describe malicious activity over a stream of system audit logs. Using state-of-the-art benchmark datasets, we demonstrate that Kairos outperforms previous approaches.

Shaofei Li,Feng Dong,Xusheng Xiao,Haoyu Wang,Fei Shao,Jiedong Chen,Yao Guo,Xiangqun Chen,Ding Li

DOI: https://doi.org/10.14722/ndss.2024.23204

2023-11-04

Abstract:Advanced Persistent Threats (APT) attacks have plagued modern enterprises, causing significant financial losses. To counter these attacks, researchers propose techniques that capture the complex and stealthy scenarios of APT attacks by using provenance graphs to model system entities and their dependencies. Particularly, to accelerate attack detection and reduce financial losses, online provenance-based detection systems that detect and investigate APT attacks under the constraints of timeliness and limited resources are in dire need. Unfortunately, existing online systems usually sacrifice detection granularity to reduce computational complexity and produce provenance graphs with more than 100,000 nodes, posing challenges for security admins to interpret the detection results. In this paper, we design and implement NodLink, the first online detection system that maintains high detection accuracy without sacrificing detection granularity. Our insight is that the APT attack detection process in online provenance-based detection systems can be modeled as a Steiner Tree Problem (STP), which has efficient online approximation algorithms that recover concise attack-related provenance graphs with a theoretically bounded error. To utilize STP approximation algorithm frameworks for APT attack detection, we propose a novel design of in-memory cache, an efficient attack screening method, and a new STP approximation algorithm that is more efficient than the conventional one in APT attack detection while maintaining the same complexity. We evaluate NodLink in a production environment. The open-world experiment shows that NodLink outperforms two state-of-the-art (SOTA) online provenance analysis systems by achieving magnitudes higher detection and investigation accuracy while having the same or higher throughput.

Cryptography and Security

Fan Shen,Zhiyuan Liu,Levi Perigo

DOI: https://doi.org/10.14569/ijacsa.2023.0140303

IF: 0.9

2023-01-01

International Journal of Advanced Computer Science and Applications

Abstract:Advanced Persistent Threats (APT) are a type of sophisticated multistage cyber attack, and the defense against APT is challenging. Existing studies apply signature-based or behavior-based methods to analyze monitoring data to detect APT, but little research has been dedicated to the important problem of addressing APT detection with limited resources. In order to maintain the primary functionality of a system, the resources allocated for security purposes, for example logging and examining the behavior of a system, are usually constrained. Therefore, when facing multiple simultaneous powerful cyber attacks like APT, the allocation of limited security resources becomes critical. The research in this paper focuses on the threat model where multiple simultaneous APT attacks exist in the defender's system, but the defender does not have sufficient monitoring resources to check every running process. To capture the footprint of multistage activities including APT attacks and benign activities, this work leverages the provenance graph which is constructed based on dependencies of processes. Furthermore, this work studies the monitoring strategy to efficiently detect APT attacks from incomplete information of paths on the provenance graph, by considering both the "exploitation" effect and the "exploration" effect. The contributions of this work are two-fold. First, it extends the classic UCB algorithm in the domain of the multi-armed bandit problem to solve cyber security problems, and proposes to use the malevolence value of a path, which is generated by a novel LSTM neural network as the exploitation term. Second, the consideration of "exploration" is innovative in the detection of APT attacks with limited monitoring resources. The experimental results show that the use of the LSTM neural network is beneficial to enforce the exploitation effect as it satisfies the same property as the exploitation term in the classic UCB algorithm and that by using the proposed monitoring strategy, multiple simultaneous APT attacks are detected more efficiently than using the random strategy and the greedy strategy, regarding the time needed to detect same number of APT attacks.

Jie Ying,Tiantian Zhu,Wenrui Cheng,Qixuan Yuan,Mingjun Ma,Chunlin Xiong,Tieming Chen,Mingqi Lv,Yan Chen

2024-05-04

Abstract:As the complexity and destructiveness of Advanced Persistent Threat (APT) increase, there is a growing tendency to identify a series of actions undertaken to achieve the attacker's target, called attack investigation. Currently, analysts construct the provenance graph to perform causality analysis on Point-Of-Interest (POI) event for capturing critical events (related to the attack). However, due to the vast size of the provenance graph and the rarity of critical events, existing attack investigation methods suffer from problems of high false positives, high overhead, and high latency. To this end, we propose SPARSE, an efficient and real-time system for constructing critical component graphs (i.e., consisting of critical events) from streaming logs. Our key observation is 1) Critical events exist in a suspicious semantic graph (SSG) composed of interaction flows between suspicious entities, and 2) Information flows that accomplish attacker's goal exist in the form of paths. Therefore, SPARSE uses a two-stage framework to implement attack investigation (i.e., constructing the SSG and performing path-level contextual analysis). First, SPARSE operates in a state-based mode where events are consumed as streams, allowing easy access to the SSG related to the POI event through semantic transfer rule and storage strategy. Then, SPARSE identifies all suspicious flow paths (SFPs) related to the POI event from the SSG, quantifies the influence of each path to filter irrelevant events. Our evaluation on a real large-scale attack dataset shows that SPARSE can generate a critical component graph (~ 113 edges) in 1.6 seconds, which is 2014 X smaller than the backtracking graph (~ 227,589 edges). SPARSE is 25 X more effective than other state-of-the-art techniques in filtering irrelevant edges.

Cryptography and Security