Journal Article, DOI: 10.1109/isctis58954.2023.10213187
APT Attack Investigation via Fine-grained Sequence Construction and Learning
Tianqi Wu, Zhuo Lv, Daojuan Zhang, Kexiang Qian, Ming Wang, and 4 more
Published 07 Jul 2023, pp. 317-322
TL;DR: This work proposes a new APT attack investigation approach based on fine-grained sequence construction and learning, built upon the ATLAS framework, and constructs more attack sequences with a finer granularity.
Abstract: APT attack investigation aims to provide security investigators with a causal subgraph of the whole causal graph, so that they can analyze attacks more easily. However, existing methods either output subgraphs that miss critical attack steps, or output subgraphs that are too large and thus hard to use. To address these limitations, we propose a new APT attack investigation approach based on fine-grained sequence construction and learning. Specifically, our approach is built upon the ATLAS framework and constructs more attack sequences at a finer granularity. It then learns attack behavior patterns from these constructed sequences. During inference, when presented with an attack symptom, our approach first predicts the attack-related nodes in the causal graph and then constructs the causal subgraph from these nodes. To evaluate our method, we conduct experiments using a simulated environment and four real attacks. The results demonstrate the effectiveness of the proposed approach compared to the state-of-the-art method ATLAS.
References
DeepLog: Anomaly Detection and Diagnosis from System Logs through Deep Learning
Min Du, Feifei Li, Guineng Zheng, Vivek Srikumar, and 3 more
Published 30 Oct 2017
TL;DR: DeepLog, a deep neural network model utilizing Long Short-Term Memory (LSTM), is proposed, to model a system log as a natural language sequence, which allows DeepLog to automatically learn log patterns from normal execution, and detect anomalies when log patterns deviate from the model trained from log data under normal execution.
Machine Learning with Oversampling and Undersampling Techniques: Overview Study and Experimental Results
Roweida Mohammed, Jumanah Rawashdeh, Malak Abdullah, and 2 more
Published 07 Apr 2020
TL;DR: One of the key findings of this paper is noticing that oversampling performs better than undersampling for different classifiers and obtains higher scores in different evaluation metrics.
HOLMES: Real-Time APT Detection through Correlation of Suspicious Information Flows
Sadegh M. Milajerdi, Rigel Gjomemo, Birhanu Eshete, R. C. Sekar, V. N. Venkatakrishnan, and 4 more
Published 19 May 2019
TL;DR: In this paper, the authors present HOLMES, a system that implements a new approach to the detection of Advanced Persistent Threats (APTs), inspired by several case studies of real-world APTs that highlight some common goals of APT actors.
NoDoze: Combatting Threat Alert Fatigue with Automated Provenance Triage
Wajih Ul Hassan, Shengjian Guo, Ding Li, Zhengzhang Chen, Kangkook Jee, Zhichun Li, Adam Bates, and 6 more
Published 01 Feb 2019
TL;DR: NODOZE generates alert dependency graphs that are two orders of magnitude smaller than those generated by traditional tools without sacrificing the vital information needed for the investigation, and decreases the volume of false alarms by 84%, saving analysts more than 90 hours of investigation time per week.
Log2vec: A Heterogeneous Graph Embedding Based Approach for Detecting Cyber Threats within Enterprise
Fucheng Liu, Yu Wen, Zhang Dongxue, Xihe Jiang, Xinyu Xing, Dan Meng, and 5 more
Published 06 Nov 2019
TL;DR: This work proposes log2vec, a heterogeneous graph embedding based modularized method that remarkably outperforms state-of-the-art approaches, such as deep learning and the hidden Markov model (HMM), and shows its capability to detect malicious events in various attack scenarios.