Funding: Supported in part by the Fundamental Research Funds for the Central Universities (2024JBMC031); the Open Fund of the Advanced Cryptography and System Security Key Laboratory of Sichuan Province (No. SKLACSS-202312); the CCF-NSFOCUS Open Fund; the National Natural Science Foundation of China (Grant Nos. 62202042, U20A6003, 62076146, 62021002, U19A2062, 62127803, U1911401 and 6212780016); the Fundamental Research Funds for the Central Universities, JLU; and the Industrial Technology Infrastructure Public Service Platform Project 'Public Service Platform for Urban Rail Transit Equipment Signal System Testing and Safety Evaluation' (No. 2022-233-225), Ministry of Industry and Information Technology of China.
Abstract: Advanced Persistent Threats (APTs) are difficult to detect because of their "low-and-slow" attack patterns and frequent use of zero-day vulnerabilities. For this task, the extraction of long-term features is often crucial. In this work, we propose a novel end-to-end APT detection framework named Long-Term Feature Association Provenance Graph Detector (LT-ProveGD). Specifically, LT-ProveGD encodes the contextual information of the dynamic provenance graph while preserving its topological information in a space-efficient manner. To combat "low-and-slow" attacks, LT-ProveGD develops an autoencoder with an integrated multi-head attention mechanism to extract long-term dependencies within the encoded representations. Furthermore, to facilitate the detection of previously unknown attacks, we leverage the Jenks natural breaks methodology, enabling detection without relying on specific attack information. Through extensive experiments on five widely used datasets against state-of-the-art attack detection methods, we demonstrate the superior effectiveness of LT-ProveGD.
Funding: This work was supported by the National Natural Science Foundation of China (Nos. U19A2081, 62202320); the Fundamental Research Funds for the Central Universities (Nos. 2022SCU12116, 2023SCU12129, 2023SCU12126); the Science and Engineering Connotation Development Project of Sichuan University (No. 2020SCUNG129); and the Key Laboratory of Data Protection and Intelligent Management (Sichuan University), Ministry of Education.
Abstract: Considering the stealthiness and persistence of Advanced Persistent Threats (APTs), recent studies leverage system audit logs to construct provenance graphs of system entity interactions in order to unveil threats on a host. Rule-based provenance graph APT detection approaches require elaborate rules and cannot detect unknown attacks, while existing learning-based approaches are limited by the lack of available APT attack samples or generally perform only graph-level anomaly detection, which requires substantial manual effort to locate attack entities. This paper proposes an APT-exploited process detection approach called ThreatSniffer, which constructs a benign provenance graph from attack-free audit logs, fits normal system entity interactions, and then detects APT-exploited processes by predicting the rationality of entity interactions. First, ThreatSniffer characterizes system entities in terms of their file paths, interaction sequences, and the count distribution of interaction types, and uses a multi-head self-attention mechanism to fuse these semantics. Then, based on the insight that APT-exploited processes interact with system entities they should not invoke, ThreatSniffer performs negative sampling on the benign provenance graph to generate non-existent edges, thus characterizing irrational entity interactions without requiring APT attack samples. Finally, it employs a heterogeneous graph neural network as the interaction prediction model to aggregate the contextual information of entity interactions and locate processes exploited by attackers, thereby achieving fine-grained APT detection. Evaluation results demonstrate that anomaly-based detection enables ThreatSniffer to identify all attack activities. Compared to the node-level APT detection method APT-KGL, ThreatSniffer achieves a 6.1% precision improvement because of its comprehensive understanding of entity semantics.
Funding: Supported by the National Key Research and Development Program of China (No. 2023YFC2206402); the Youth Innovation Promotion Association CAS (No. 2021156); the Strategic Priority Research Program of the Chinese Academy of Sciences (No. XDC02040100); the Foundation Strengthening Program Technical Area Fund (021-JCJQ-JJ-0908); and the State Grid Corporation of China Science and Technology Program (Contract No. SG270000YXJS2311060).
Abstract: Advanced Persistent Threats (APTs) penetrate internal networks through multiple methods, making it difficult to detect attack clues solely through boundary defense measures. To address this challenge, some research has proposed threat detection methods based on provenance graphs, which leverage entity relationships such as processes, files, and sockets found in host audit logs. However, these methods are generally inefficient, especially when faced with massive audit logs and the computationally intensive nature of graph algorithms. Effectively and economically extracting APT attack clues from massive system audit logs remains a significant challenge. To tackle this problem, this paper introduces the ProcSAGE method, which detects threats based on abnormal behavior patterns, offering high accuracy, low cost, and independence from expert knowledge. ProcSAGE focuses on processes or threads in host audit logs during the graph construction phase to effectively control the scale of provenance graphs and reduce performance overhead. Additionally, in the feature extraction phase, ProcSAGE considers information about the processes or threads themselves and their neighboring nodes to characterize them accurately and enhance model accuracy. To verify the effectiveness of the ProcSAGE method, this study conducted a comprehensive evaluation on the StreamSpot dataset. The experimental results show that the ProcSAGE method can significantly reduce the time and memory consumption of the threat detection process while improving accuracy, and the optimization effect becomes more significant as the data size expands.