ConLBS: An Attack Investigation Approach Using Contrastive Learning with Behavior Sequence
Authors:
Li Jiawei 1, Zhang Ru 1, Liu Jianyi 1
Affiliation:
1. School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China
Abstract
Attack investigation is an important research field in forensic analysis. Many existing supervised attack investigation methods rely on well-labeled data for effective training. While an unsupervised approach based on BERT can mitigate this dependence, the high degree of similarity between certain real-world attacks and normal behaviors makes it challenging to accurately identify disguised attacks. This paper proposes ConLBS, an attack investigation approach that combines a contrastive learning framework with a multi-layer transformer network to classify behavior sequences. Specifically, ConLBS constructs behavior sequences that describe behavior patterns from audit logs, and a novel lemmatization strategy is proposed to map their semantics onto the attack pattern layer. Four different augmentation strategies are explored to enhance the differentiation between attack and normal behavior sequences. Moreover, ConLBS can perform unsupervised representation learning on unlabeled sequences, and can be trained either in a supervised or an unsupervised manner depending on the availability of labeled data. The performance of ConLBS is evaluated on two public datasets. The results show that ConLBS can effectively identify attack behavior sequences when data is unlabeled or only sparsely labeled, thereby realizing attack investigation, and achieves superior effectiveness compared to existing methods and models.
Funder
National Natural Science Foundation of China
Subject
Electrical and Electronic Engineering, Biochemistry, Instrumentation, Atomic and Molecular Physics, and Optics, Analytical Chemistry