Zijun Cheng,Rujie Dai,Leiqi Wang,Ziyang Yu,Qiujian Lv,Yan Wang,Degang Sun

DOI: https://doi.org/10.1109/CSCWD57460.2023.10152818

2023-01-01

Abstract:Threat hunting is the process of proactively searching for known attack behavior in an organization’s information system. A popular approach to threat hunting uses cyber threat intelligence (CTI) to identify advanced persistent threats (APTs) that are hidden in kernel-level audit logs (e.g., whole-system data provenance). However, existing threat hunting mechanisms can-not produce timely results due to the enormous size of provenance data. As a result, threat hunting cannot help sysadmins to quickly recognize an ongoing APT campaign and immediately block any subsequent attack activity. In this paper, we propose GHunter, a system that performs approximate subgraph matching using graph neural networks (GNNs) to quickly and accurately hunt APTs. GHunter first converts known APT scenarios and provenance logs into graph data. Then, GHunter uses GNNs to embed APT scenario graphs and provenance graphs to discover any subgraph relationships. If an APT scenario graph is a subgraph of a provenance graph, GHunter alerts to sysadmins the presence of the corresponding APT scenario in the system. We use DARPA’s Transparent Computing (TC) datasets to evaluate GHunter’s performance. The results show that GHunter achieves 97% accuracy when hunting APTs from millions of provenance log entries and spends 195x less execution time than prior work.

Rui Wen,Jianyu Wang,Chunming Wu,Jian Xiong

DOI: https://doi.org/10.1145/3366424.3391266

2020-01-01

Abstract:Given a large graph with millions of vertices and different types, how can we spot anomalies and find potential adversaries in time? Most graph-based fraud detection algorithms focus on finding dense blocks, discovering local subgraphs, designing belief propagation, and latent factor models. However, as fraudsters in online social networks gradually become adversarial, distributed, and invisible, it is easy for them to evade traditional detection methods. Even worse, existing detection systems are fragile to the new attacks. Once attackers update their tragedies, they will be inefficient. Our focus is to detect potential adversaries as soon as possible. We design and propose ASA (Adversary Situation Awareness), a system that (a) uncovers potential adversaries in time, (b) utilizes heterogeneous information in the graph, and (c)is effective in real-world data. We do experiments on a heterogeneous graph including 198,541 nodes with five types and 224,384 edges. The result shows that ASA can spot potential adversaries and successfully recovers 60 of potential abnormal users within a few minutes. Additionally, after two months we deployed it, ASA could achieve 90 recall, which means ASA can well discover a small number of adversaries with a latent period in time.

Tieming Chen,Chengyu Dong,Mingqi Lv,Qijie Song,Haiwen Liu,Tiantian Zhu,Kang Xu,Ling Chen,Shouling Ji,Yuan Fan

DOI: https://doi.org/10.1109/tdsc.2022.3229472

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:APTs (Advanced Persistent Threats) have caused serious security threats worldwide. Most existing APT detection systems are implemented based on sophisticated forensic analysis rules. However, the design of these rules requires in-depth domain knowledge and the rules lack generalization ability. On the other hand, deep learning technique could automatically create detection model from training samples with little domain knowledge. However, due to the persistence, stealth, and diversity of APT attacks, deep learning technique suffers from a series of problems including difficulties of capturing contextual information, low scalability, dynamic evolving of training samples, and scarcity of training samples. Aiming at these problems, this paper proposes APT-KGL, an intelligent APT detection system based on provenance data and graph neural networks. First, APT-KGL models the system entities and their contextual information in the provenance data by a HPG (Heterogeneous Provenance Graph), and learns a semantic vector representation for each system entity in the HPG in an offline way. Then, APT-KGL performs online APT detection by sampling a small local graph from the HPG and classifying the key system entities as malicious or benign. In addition, to conquer the difficulty of collecting training samples of APT attacks, APT-KGL creates virtual APT training samples from open threat knowledge in a semi-automatic way. We conducted a series of experiments on two provenance datasets with simulated APT attacks. The experiment results show that APT-KGL outperforms other current deep learning based models, and has competitive performance against state-of-the-art rule-based APT detection systems.

Jian Liu,Junjie Yan,Zhengwei Jiang,Xuren Wang,Jun Jiang

DOI: https://doi.org/10.1109/globecom48099.2022.10001525

2022-01-01

Abstract:System audit logs are widely adopted in enterprise security by their support for causality analysis that generates provenance graphs to investigate advanced attacks. However, detecting attack activity in the overwhelming amount of logs is like looking for a needle in a haystack, which slows down the speed of attack investigation. In this paper, we propose an automated approach for attack detection and investigation by learning the contextual semantics of the provenance graph. Our framework uncovers the semantics of the attack events through the structural context of audit logs. Further, an attention-based graph convolutional neural network is utilized to capture the structural identity associated with the attack path. It is important to note that when inferring whether a specific system node is malicious or not, our approach optimizes the provenance subgraph generated for that node without destroying its contextual semantics. The discovered attack nodes are correlated chronologically for attack investigation and scenario reconstruction. Our approach is evaluated on a real-world Advanced Persistent Threats (APT) dataset. The results show that our approach has a high F1 score (95.97%) for identifying attack nodes in audit logs and speeds up the process of attack investigation (reducing the analysis workload by 91.24%).

Mai Ye,Shiming Men,Lei Xie,Bing Chen

DOI: https://doi.org/10.1145/3605801.3605807

2023-01-01

Abstract:APT(Advanced Persistent Threat) are known for their stealth, persistence, and sophistication, often carried out by skilled and well-funded attackers. To detect and investigate APT attacks at the host-level, scholars have extensively studied the provenance graph, which preserves the complete attack context. However, existing methods have impractical requirements for data collection and threshold setting, severely impacting their real-world performance. In this paper, we propose GCA (Graph Competitive Autoencoder), a GNN-based graph-level anomaly detection system. We first extract entities and their interactions from host logs to construct a provenance graph. Subsequently, we utilize GNN (Graph Neural Network) as a graph encoder to obtain graph-level embeddings. In the anomaly detection part, we use the competitive autoencoder and mutual information maximization to identify the attack graph. With this model, we can conduct graph-level anomaly detection even when the training data is partially contaminated, without manually setting the threshold. We deploy and evaluate our model on the public dataset StreamSpot. Our results show that GCA outperforms existing methods in terms of accuracy and practicality.

Han Liu,Yuntao Wang,Zhou Su,Zixuan Wang,Yanghe Pan,Ruidong Li

DOI: https://doi.org/10.1109/icc51166.2024.10623080

2024-01-01

Abstract:Provenance graph-based auditing offers a promising direction for APT (Advanced Persistent Threat) detection with traceability guarantees. However, most of the existing methods are based on host-level causality analysis, which is ineffective in practical APT scenarios when well-organized adversaries exploit lateral movement attacks (e.g., multi-level proxies) across multiple compromised hosts. To bridge the research gap, this paper proposes a collaborative APT detection and tracing frame-work (TRACEGADGET) based on federal provenance graphs. TRACEGADGET can efficiently reveal the whole trace of APT lateral movements through the interactions between hosts in Intranet. Specifically, the proposed framework 1) characterizes the relevance weights of all events in the given provenance graph in comparison to the POI (Point of Interest) events, 2) identifies the network entries rankings of the POI events through backward trace analysis, 3) reveals the evolution of the alarm events and confirms the network exit of penetration chain through forward propagation, and 4) aligns the network entries and network exits to derive the complete path of the lateral movement attack. Finally, we construct a dataset consisting of 280,000 edges and more than 90,000 entities through ten sets of real APT attacks. We demonstrate the feasibility and effectiveness of the proposed framework in recovering APT attack links at the network level. Particularly, TRACEGADGET achieves 100% APT path reconstruction with high robustness in all the experiments.

Nan Wang,Xuezhi Wen,Dalin Zhang,Xibin Zhao,Jiahui Ma,Mengxia Luo,Sen Nie,Shi Wu,Jiqiang Liu

2023-04-06

Abstract:APT detection is difficult to detect due to the long-term latency, covert and slow multistage attack patterns of Advanced Persistent Threat (APT). To tackle these issues, we propose TBDetector, a transformer-based advanced persistent threat detection method for APT attack detection. Considering that provenance graphs provide rich historical information and have the powerful attacks historic correlation ability to identify anomalous activities, TBDetector employs provenance analysis for APT detection, which summarizes long-running system execution with space efficiency and utilizes transformer with self-attention based encoder-decoder to extract long-term contextual features of system states to detect slow-acting attacks. Furthermore, we further introduce anomaly scores to investigate the anomaly of different system states, where each state is calculated with an anomaly score corresponding to its similarity score and isolation score. To evaluate the effectiveness of the proposed method, we have conducted experiments on five public datasets, i.e., streamspot, cadets, shellshock, clearscope, and wget_baseline. Experimental results and comparisons with state-of-the-art methods have exhibited better performance of our proposed method.

Cryptography and Security,Artificial Intelligence,Machine Learning

Zian Jia,Yun Xiong,Yuhong Nan,Yao Zhang,Jinjing Zhao,Mi Wen

2023-10-15

Abstract:Advance Persistent Threats (APTs), adopted by most delicate attackers, are becoming increasing common and pose great threat to various enterprises and institutions. Data provenance analysis on provenance graphs has emerged as a common approach in APT detection. However, previous works have exhibited several shortcomings: (1) requiring attack-containing data and a priori knowledge of APTs, (2) failing in extracting the rich contextual information buried within provenance graphs and (3) becoming impracticable due to their prohibitive computation overhead and memory consumption. In this paper, we introduce MAGIC, a novel and flexible self-supervised APT detection approach capable of performing multi-granularity detection under different level of supervision. MAGIC leverages masked graph representation learning to model benign system entities and behaviors, performing efficient deep feature extraction and structure abstraction on provenance graphs. By ferreting out anomalous system behaviors via outlier detection methods, MAGIC is able to perform both system entity level and batched log level APT detection. MAGIC is specially designed to handle concept drift with a model adaption mechanism and successfully applies to universal conditions and detection scenarios. We evaluate MAGIC on three widely-used datasets, including both real-world and simulated attacks. Evaluation results indicate that MAGIC achieves promising detection results in all scenarios and shows enormous advantage over state-of-the-art APT detection approaches in performance overhead.

Cryptography and Security,Machine Learning

Bin Luo,Liangguo Chen,Shuhua Ruan,Yonggang Luo

DOI: https://doi.org/10.32604/cmc.2023.045739

2024-01-01

Abstract:Considering the stealthiness and persistence of Advanced Persistent Threats (APTs), system audit logs are leveraged in recent studies to construct system entity interaction provenance graphs to unveil threats in a host. Rule-based provenance graph APT detection approaches require elaborate rules and cannot detect unknown attacks, and existing learning-based approaches are limited by the lack of available APT attack samples or generally only perform graph-level anomaly detection, which requires lots of manual efforts to locate attack entities. This paper proposes an APT-exploited process detection approach called ThreatSniffer, which constructs the benign provenance graph from attack-free audit logs, fits normal system entity interactions and then detects APT-exploited processes by predicting the rationality of entity interactions. Firstly, ThreatSniffer understands system entities in terms of their file paths, interaction sequences, and the number distribution of interaction types and uses the multi-head self-attention mechanism to fuse these semantics. Then, based on the insight that APT-exploited processes interact with system entities they should not invoke, ThreatSniffer performs negative sampling on the benign provenance graph to generate non-existent edges, thus characterizing irrational entity interactions without requiring APT attack samples. At last, it employs a heterogeneous graph neural network as the interaction prediction model to aggregate the contextual information of entity interactions, and locate processes exploited by attackers, thereby achieving fine-grained APT detection. Evaluation results demonstrate that anomaly-based detection enables ThreatSniffer to identify all attack activities. Compared to the node-level APT detection method APT-KGL, ThreatSniffer achieves a 6.1% precision improvement because of its comprehensive understanding of entity semantics.

computer science, information systems,materials science, multidisciplinary

Ruozhou LIANG,Yue GAO,Xibin ZHAO

DOI: https://doi.org/10.1360/ssi-2021-0252

2021-01-01

Scientia Sinica Informationis

Abstract:Advanced persistent threat (APT) in real scenes, especially in industrial scenes, is complex and long term, but the current methods cannot effectively extract the long term relationship in the attack. An attack detection method with provenance graphs, called SeqNet, is proposed. SeqNet uses sequence feature extraction to detect APT attacks. In SeqNet, the provenance graph sequence describing the running state of the system is transformed into the feature sequence first, and then the gate recurrent unit (GRU) model is used to extract the feature of the system. The encoder-decoder model with the local attention mechanism is used to train the GRU model. Finally, the K-means clustering method is used to model the normal behavior of the system. In this study, experiments are carried out on five public datasets, such as StreamSpot, wget, shellshock, ClearScope, and CADETS, compared with the state-of-the-art methods. The method used here achieves similar or improved results on all five datasets. Experimental results show that the proposed method can detect real-life APT scenarios.

Han Yu,Aiping Li,Rong Jiang

DOI: https://doi.org/10.1109/icct46805.2019.8947201

2019-01-01

Abstract:In this paper, we present a system NeedleHunter to detect Advanced and Persistent Threats (APTs) and reconstruction of attack scenarios. Due to the information asymmetry between attackers and defenders, detecting APT attacks remains to be a challenge. Instead of targeting individual exploits, correlating the various stages of the attack is a substantially more feasible strategy. In our approach, we first construct a version-based provenance graph by analyzing system audit logs. Then, we use the rule-based technique to detection a particular stage of the attack, and connect these attacks to generate an attack path by leveraging the correlation between information flows. Also, we implement the compaction technique to compress the scale of the graph for scalable forensic analysis. An evaluation of our approach indicates that NeedleHunter can capture the key stages of APT campaigns with high precision and reconstruct the details of the attacks.

Zian Jia,Xiaosu Wang,Yun Xiong,Yao Zhang,JinJing Zhao

DOI: https://doi.org/10.1109/dsc55868.2022.00056

2022-01-01

Abstract:Advanced Persistent Threats (APT) are difficult to detect and defend due to their high variability and concealment. Current APT detection and investigation approaches suffer from two major problems. First, most recent models heavily rely on heuristic rules derived from a large amount of expensive prior knowledge, which in turn prevents the models from generalizing to new types of APT attacks. Second, the development of existing fully supervised models is limited by the scarcity of APT attack data. In this paper, we first construct the provenance graph by introducing logical entities to reduce the dependency on prior knowledge. Then we propose a novel self-supervised representation-learning based model, AISLE, for the investigation of the APT attack, which consists of a graph structure encoder (GSE) and an entity interaction pattern encoder (IPE). The GSE employs a graph attention auto-encoder to effectively compress the structural information of the graph; and the IPE employs a LSTM auto-encoder to extract the interaction patterns of entities from their interaction history. The two entity embeddings calculated respectively by the two auto-encoders are concatenated to form the final representation of the entity, which is evaluated by the attack investigation module to identify attack entities. Our model is evaluated on ten real-world APT attacks in a realistic virtual environment. The results show that our model can achieve superior generalization ability and consistently outperform the latest state-of-the-art APT attack investigation approaches.

Zitong Li,Xiang Cheng,Lixiao Sun,Ji Zhang,Bing Chen

DOI: https://doi.org/10.1155/2021/9961342

IF: 1.968

2021-05-04

Security and Communication Networks

Abstract:Advanced Persistent Threats (APTs) are the most sophisticated attacks for modern information systems. Currently, more and more researchers begin to focus on graph-based anomaly detection methods that leverage graph data to model normal behaviors and detect outliers for defending against APTs. However, previous studies of provenance graphs mainly concentrate on system calls, leading to difficulties in modeling network behaviors. Coarse-grained correlation graphs depend on handcrafted graph construction rules and, thus, cannot adequately explore log node attributes. Besides, the traditional Graph Neural Networks (GNNs) fail to consider meaningful edge features and are difficult to perform heterogeneous graphs embedding. To overcome the limitations of the existing approaches, we present a hierarchical approach for APT detection with novel attention-based GNNs. We propose a metapath aggregated GNN for provenance graph embedding and an edge enhanced GNN for host interactive graph embedding; thus, APT behaviors can be captured at both the system and network levels. A novel enhancement mechanism is also introduced to dynamically update the detection model in the hierarchical detection framework. Evaluations show that the proposed method outperforms the state-of-the-art baselines in APT detection.

computer science, information systems,telecommunications

Mingqi Lv,HongZhe Gao,Xuebo Qiu,Tieming Chen,Tiantian Zhu,Jinyin Chen,Shouling Ji

DOI: https://doi.org/10.1145/3658644.3690221

2024-09-11

Abstract:APT (Advanced Persistent Threat) with the characteristics of persistence, stealth, and diversity is one of the greatest threats against cyber-infrastructure. As a countermeasure, existing studies leverage provenance graphs to capture the complex relations between system entities in a host for effective APT detection. In addition to detecting single attack events as most existing work does, understanding the tactics / techniques (e.g., Kill-Chain, ATT&CK) applied to organize and accomplish the APT attack campaign is more important for security operations. Existing studies try to manually design a set of rules to map low-level system events to high-level APT tactics / techniques. However, the rule based methods are coarse-grained and lack generalization ability, thus they can only recognize APT tactics and cannot identify fine-grained APT techniques and mutant APT attacks. In this paper, we propose TREC, the first attempt to recognize APT tactics / techniques from provenance graphs by exploiting deep learning techniques. To address the "needle in a haystack" problem, TREC segments small and compact subgraphs covering individual APT technique instances from a large provenance graph based on a malicious node detection model and a subgraph sampling algorithm. To address the "training sample scarcity" problem, TREC trains the APT tactic / technique recognition model in a few-shot learning manner by adopting a Siamese neural network. We evaluate TREC based on a customized dataset collected and made public by our team. The experiment results show that TREC significantly outperforms state-of-the-art systems in APT tactic recognition and TREC can also effectively identify APT techniques.

Cryptography and Security,Machine Learning

Fan Shen,Zhiyuan Liu,Levi Perigo

DOI: https://doi.org/10.14569/ijacsa.2023.0140303

IF: 0.9

2023-01-01

International Journal of Advanced Computer Science and Applications

Abstract:Advanced Persistent Threats (APT) are a type of sophisticated multistage cyber attack, and the defense against APT is challenging. Existing studies apply signature-based or behavior-based methods to analyze monitoring data to detect APT, but little research has been dedicated to the important problem of addressing APT detection with limited resources. In order to maintain the primary functionality of a system, the resources allocated for security purposes, for example logging and examining the behavior of a system, are usually constrained. Therefore, when facing multiple simultaneous powerful cyber attacks like APT, the allocation of limited security resources becomes critical. The research in this paper focuses on the threat model where multiple simultaneous APT attacks exist in the defender's system, but the defender does not have sufficient monitoring resources to check every running process. To capture the footprint of multistage activities including APT attacks and benign activities, this work leverages the provenance graph which is constructed based on dependencies of processes. Furthermore, this work studies the monitoring strategy to efficiently detect APT attacks from incomplete information of paths on the provenance graph, by considering both the "exploitation" effect and the "exploration" effect. The contributions of this work are two-fold. First, it extends the classic UCB algorithm in the domain of the multi-armed bandit problem to solve cyber security problems, and proposes to use the malevolence value of a path, which is generated by a novel LSTM neural network as the exploitation term. Second, the consideration of "exploration" is innovative in the detection of APT attacks with limited monitoring resources. The experimental results show that the use of the LSTM neural network is beneficial to enforce the exploitation effect as it satisfies the same property as the exploitation term in the classic UCB algorithm and that by using the proposed monitoring strategy, multiple simultaneous APT attacks are detected more efficiently than using the random strategy and the greedy strategy, regarding the time needed to detect same number of APT attacks.

Yuntao Wang,Han Liu,Zhendong Li,Zhou Su,Jiliang Li

DOI: https://doi.org/10.1109/MNET.2024.3389734

2024-04-12

Abstract:The rise of advanced persistent threats (APTs) has marked a significant cybersecurity challenge, characterized by sophisticated orchestration, stealthy execution, extended persistence, and targeting valuable assets across diverse sectors. Provenance graph-based kernel-level auditing has emerged as a promising approach to enhance visibility and traceability within intricate network environments. However, it still faces challenges including reconstructing complex lateral attack chains, detecting dynamic evasion behaviors, and defending smart adversarial subgraphs. To bridge the research gap, this paper proposes an efficient and robust APT defense scheme leveraging provenance graphs, including a network-level distributed audit model for cost-effective lateral attack reconstruction, a trust-oriented APT evasion behavior detection strategy, and a hidden Markov model based adversarial subgraph defense approach. Through prototype implementation and extensive experiments, we validate the effectiveness of our system. Lastly, crucial open research directions are outlined in this emerging field.

Cryptography and Security

Abdullah Said AL-Aamri,Rawad Abdulghafor,Sherzod Turaev,Imad Al-Shaikhli,Akram Zeki,Shuhaili Talib

DOI: https://doi.org/10.3390/su151813820

IF: 3.9

2023-09-17

Sustainability

Abstract:Nowadays, countries face a multitude of electronic threats that have permeated almost all business sectors, be it private corporations or public institutions. Among these threats, advanced persistent threats (APTs) stand out as a well-known example. APTs are highly sophisticated and stealthy computer network attacks meticulously designed to gain unauthorized access and persist undetected threats within targeted networks for extended periods. They represent a formidable cybersecurity challenge for governments, corporations, and individuals alike. Recognizing the gravity of APTs as one of the most critical cybersecurity threats, this study aims to reach a deeper understanding of their nature and propose a multi-stage framework for automated APT detection leveraging time series data. Unlike previous models, the proposed approach has the capability to detect real-time attacks based on stored attack scenarios. This study conducts an extensive review of existing research, identifying its strengths, weaknesses, and opportunities for improvement. Furthermore, standardized techniques have been enhanced to enhance their effectiveness in detecting APT attacks. The learning process relies on datasets sourced from various channels, including journal logs, traceability audits, and systems monitoring statistics. Subsequently, an efficient APT detection and prevention system, known as the composition-based decision tree (CDT), has been developed to operate in complex environments. The obtained results demonstrate that the proposed approach consistently outperforms existing algorithms in terms of detection accuracy and effectiveess.

environmental sciences,environmental studies,green & sustainable science & technology

Gil Shenderovitz,Nir Nissim

DOI: https://doi.org/10.1016/j.cose.2024.103862

IF: 5.105

2024-04-26

Computers & Security

Abstract:Advanced Persistent Threats (APTs) are highly sophisticated cyberattacks that are aimed at achieving strategic goals and are usually backed by a well-funded entity. In this paper, we tackle the challenges of detecting and attributing APTs by proposing Bon-APT, a temporal learning method that analyzes and segment the occurrences of API calls invoked during the dynamic analysis of the examined PE. Those segments can be used to profile the temporal behavior of an APT, provide insights into its modus operandi, and induce an accurate machine-learning based model for the detection and attribution of APTs. Moreover, Bon-APT provides a human comprehensible explainability regarding the relations among segments as well as the behavior of the APT in each of them. This not only improves transparency and reliability from a human expert perspective, but it can also enrich the security experts with new knowledge regarding APTs' behavior. To evaluate Bon-APT, we built a unique collection of 12,655 APTs, belonging to 188 different cyber-groups and 17 different nations, which, to the best of our knowledge, is the largest collection of its kind. We conducted four experiments to evaluate the proposed method and compared its performance to the performance of state-of-the-art methods on the tasks of APT detection and authorship attribution (for both group and nation). Bon-APT achieved promising results in each of the tasks while outperforming the state-of-the-art methods. Bon-APT also provides a simple and concise explanation regarding its decisions and the APT behavior, as well as an easy, straightforward visual and quantitative behavioral comparison.

computer science, information systems

Abdulellah Alsaheel,Yuhong Nan,Shiqing Ma,Le Yu,Gregory Walkup,Z. Berkay Celik,Xiangyu Zhang,Dongyan Xu

2021-01-01

Abstract:Advanced Persistent Threats (APT) involve multiple attack steps over a long period, and their investigation requires analysis of myriad logs to identify their attack steps, which are a set of activities undertaken to run an APT attack. However, on a daily basis in an enterprise, intrusion detection systems generate many threat alerts of suspicious events (attack symptoms). Cyber analysts must investigate such events to determine whether an event is a part of an attack. With many alerts to investigate, cyber analysts often end up with alert fatigue, causing them to ignore a large number of alerts and miss true attack events. In this paper, we present ATLAS, a framework that constructs an end-to-end attack story from off-the-shelf audit logs. Our key observation is that different attacks may share similar abstract attack strategies, regardless of the vulnerabilities exploited and payloads executed. ATLAS leverages a novel combination of causality analysis, natural language processing, and machine learning techniques to build a sequence-based model, which establishes key patterns of attack and non-attack behaviors from a causal graph. At inference time, given a threat alert event, an attack symptom node in a causal graph is identified. ATLAS then constructs a set of candidate sequences associated with the symptom node, uses the sequence-based model to identify nodes in a sequence that contribute to the attack, and unifies the identified attack nodes to construct an attack story. We evaluated ATLAS with ten real-world APT attacks executed in a realistic virtual environment. ATLAS recovers attack steps and construct attack stories with an average of 91.06% precision, 97.29% recall, and 93.76% F1-score. Through this effort, we provide security investigators with a new means of identifying the attack events that make up the attack story.

Haitian Liu,Rong Jiang

DOI: https://doi.org/10.3390/electronics12081849

IF: 2.9

2023-04-14

Electronics

Abstract:In recent years, complex multi-stage cyberattacks have become more common, for which audit log data are a good source of information for online monitoring. However, predicting cyber threat events based on audit logs remains an open research problem. This paper explores advanced persistent threat (APT) audit log information and uses a combination of causal graphs and deep learning techniques to perform predictive analysis of APT. The study focuses on two different methods of constructing malicious activity scenarios, including those based on malicious entity evolving graphs and malicious entity neighborhood graphs. Deep learning networks are then utilized to learn from past malicious activity scenarios and predict specific malicious attack events. To validate the effectiveness of this approach, audit log data published by DARPA's Transparent Computing Program and restored by ATLAS are used to demonstrate the confidence of the prediction results and recommend the most effective malicious event prediction by Top-N.

engineering, electrical & electronic,computer science, information systems,physics, applied