An Attack Entity Deducing Model for Attack Forensics

TL;DR: An attack entity deduction model for attack forensics leveraging auxiliary strategies and dynamic word embeddings achieves high accuracy in recovering key attack steps and constructing attack stories.

Abstract: The forensics of Advanced Persistent Threat (APT) attacks, known for their prolonged duration and utilization of multiple attack methods, require extensive log analysis to discern their attack steps. Facing the massive amount of data, researchers have increasingly turned to extended machine learning methods to enhance attack forensics. However, the limited number of attack samples used for training and the inability of the data to accurately represent real-world scenarios pose significant challenges. To address these issues, we propose ASAI, an attack deduction model that leverages auxiliary strategies and dynamic word embeddings. Firstly, ASAI tackles the problem of data imbalance through a sequence sampling method enhanced by a custom auxiliary strategy. Subsequently, the sequences are transformed into dynamic vectors using dynamic word embedding. The model is trained to capture the spatio-temporal characteristics of entities under diverse contextual conditions by employing these dynamic vectors. In this paper, ASAI is evaluated using ten real-world APT attacks executed within an actual virtual environment. The results demonstrate ASAI's ability to successfully recover the key steps of the attacks and construct attack stories, achieving an impressive F1 score of up to 99.70%-a significant 16.98% improvement over the baseline which uses one-hot embedding after resample.