Abstract
AbstractAdvanced Persistent Threats (APTs) achieves internal networks penetration through multiple methods, making it difficult to detect attack clues solely through boundary defense measures. To address this challenge, some research has proposed threat detection methods based on provenance graphs, which leverage entity relationships such as processes, files, and sockets found in host audit logs. However, these methods are generally inefficient, especially when faced with massive audit logs and the computational resource-intensive nature of graph algorithms. Effectively and economically extracting APT attack clues from massive system audit logs remains a significant challenge. To tackle this problem, this paper introduces the ProcSAGE method, which detects threats based on abnormal behavior patterns, offering high accuracy, low cost, and independence from expert knowledge. ProcSAGE focuses on processes or threads in host audit logs during the graph construction phase to effectively control the scale of provenance graphs and reduce performance overhead. Additionally, in the feature extraction phase, ProcSAGE considers information about the processes or threads themselves and their neighboring nodes to accurately characterize them and enhance model accuracy. In order to verify the effectiveness of the ProcSAGE method, this study conducted a comprehensive evaluation on the StreamSpot dataset. The experimental results show that the ProcSAGE method can significantly reduce the time and memory consumption in the threat detection process while improving the accuracy, and the optimization effect becomes more significant as the data size expands.
Funder
Key Technologies Research and Development Program
Youth Innovation Promotion Association of the Chinese Academy of Sciences
the Strategic Priority Research Program of the Chinese Academy of Sciences
Foundation Strengthening Program Technical Area Fund
Science and Technology Foundation of State Grid Corporation of China
Publisher
Springer Science and Business Media LLC
Reference41 articles.
1. Alsaheel A, Nan Y, Ma S, Yu L, Walkup G, Celik ZB, Zhang X, Xu D (2021) A sequence-based learning approach for attack investigation. In: Proceedings of the 30th security symposium
2. Alshamrani A, Myneni S, Chowdhary A, Huang D (2019) A survey on advanced persistent threats: techniques, solutions, challenges, and research opportunities. IEEE Commun Surv Tutor 21(2):1851–1877
3. Altinisik E, Deniz F, Sencar HT (2023) Provg-searcher: a graph representation learning approach for efficient provenance graph search. In: Proceedings of the 2023 ACM SIGSAC conference on computer and communications security, pp 2247–2261
4. Binde B, McRee R, O’Connor TJ (2011) Assessing outbound traffic to uncover advanced persistent threat. SANS Institute. Whitepaper 16
5. Cheng Z, Lv Q, Liang J, Wang Y, Sun D, Pasquier T, Han X (2023) Kairos:: practical intrusion detection and investigation using whole-system provenance. arXiv preprint arXiv:2308.05034