LTRDetector: Exploring Long-Term Relationship for Advanced Persistent Threats Detection (2404.03162v1)

Published 4 Apr 2024 in cs.CR

Abstract: Advanced Persistent Threat (APT) is challenging to detect due to prolonged duration, infrequent occurrence, and adept concealment techniques. Existing approaches primarily concentrate on the observable traits of attack behaviors, neglecting the intricate relationships formed throughout the persistent attack lifecycle. Thus, we present an innovative APT detection framework named LTRDetector, implementing an end-to-end holistic operation. LTRDetector employs an innovative graph embedding technique to retain comprehensive contextual information, then derives long-term features from these embedded provenance graphs. During the process, we compress the data of the system provenance graph for effective feature learning. Furthermore, in order to detect attacks conducted by using zero-day exploits, we capture the system's regular behavior and detect abnormal activities without relying on predefined attack signatures. We also conducted extensive evaluations using five prominent datasets, and the efficacy evaluation underscores the superiority of LTRDetector compared to existing state-of-the-art techniques.

Summary

  • The paper introduces a novel APT detection framework that utilizes graph embedding and multi-head attention to extract long-term system behavior features.
  • It achieves superior detection accuracy over five datasets by modeling normal system behavior through clustering-based anomaly detection.
  • The approach enables detection of zero-day exploits by capturing latent, prolonged correlations in system provenance logs.

LTRDetector: Advanced Persistent Threats Detection via Long-Term Relationship Exploration

Introduction to LTRDetector

Advanced Persistent Threats (APTs) are hard to detect because they run for a long time, generate few events, and are designed to blend into normal activity. Detection methods that rely on observable attack patterns or predefined signatures miss the long-term relationships an intruder establishes over the course of the attack lifecycle. LTRDetector addresses this gap by applying graph embedding to system provenance graphs and learning from the embedded graphs as a whole. Because it models the system's normal behavior rather than known attack patterns, it can flag APT activity that relies on zero-day exploits, and the paper reports that it outperforms current state-of-the-art techniques across five prominent datasets.

Core Components of LTRDetector

LTRDetector's pipeline has three stages: data embedding, long-term feature extraction, and attack detection.

  • Data Embedding: System audit logs are collected and turned into a provenance graph whose nodes are system entities (processes, files, sockets) and whose edges are the recorded system-call interactions between them. A graph embedding technique then maps each node into a vector space that retains its context in the graph while compressing the raw graph data, which the paper describes as reducing redundancy without losing the information needed for learning.
  • Long-Term Feature Extraction: An autoencoder model with multi-head attention is trained over the embedded graph. The attention mechanism lets the model relate events that are far apart in the log, which is what surfaces the latent, prolonged correlations characteristic of a stealthy APT rather than a single noisy event.
  • Attack Detection: During training, a clustering algorithm models the extracted features of benign system behavior. At detection time, a sample is flagged as anomalous when its distance from the learned clusters exceeds a threshold derived from that normal behavior, so no manually written attack signatures are needed. As with any normality-based detector, this assumes the training logs contain no attacker activity; an intrusion already present during training would be learned as normal.
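The following is an added, stand-alone illustration of the last stage (clustering benign behavior, deriving a threshold, and flagging deviations), written for this summary; it is not the paper's code. It stands in for the learned embedding and attention model with a simple per-window histogram of edge types and entity counts, and the audit-style log lines, the k-means seeding, the k=2 choice, and the 1.5x threshold margin are all assumptions made for the example.

```python
"""Illustrative provenance-window anomaly detection (example code, not LTRDetector's).

Pipeline: audit lines -> per-window provenance edges -> fixed-length feature vector
-> k-means over benign windows -> distance threshold -> flag test windows.
"""
from collections import Counter, defaultdict
import math

# Constructed audit-style records, one event per line: "<window> <process> <op> <object>".
# These are made-up sample lines, not drawn from any of the paper's datasets.
TRAIN_LOGS = """\
w1 sshd read /etc/passwd
w1 sshd connect 10.0.0.5:22
w1 bash exec /bin/ls
w1 bash read /home/user/.bashrc
w2 cron exec /usr/bin/backup
w2 backup read /var/data/db
w2 backup write /mnt/backup/db.tgz
w3 nginx read /var/www/index.html
w3 nginx connect 10.0.0.9:443
w3 nginx write /var/log/nginx/access.log
w4 bash exec /usr/bin/vim
w4 vim read /home/user/notes.txt
w4 vim write /home/user/notes.txt
"""

# w5 is ordinary activity; w6 is a constructed suspicious window (hidden binary in /tmp,
# credential reads, repeated outbound connects, a cron persistence write).
TEST_LOGS = """\
w5 bash exec /usr/bin/grep
w5 grep read /var/log/syslog
w6 bash exec /tmp/.x
w6 .x read /etc/shadow
w6 .x connect 203.0.113.7:4444
w6 .x write /tmp/.out
w6 .x read /home/user/.ssh/id_rsa
w6 .x connect 203.0.113.7:4444
w6 .x write /etc/cron.d/job
"""

OPS = ("read", "write", "exec", "connect")


def parse(text):
    """Group events into per-window provenance edges: window -> [(process, op, object)]."""
    windows = defaultdict(list)
    for line in text.strip().splitlines():
        window, proc, op, obj = line.split()
        windows[window].append((proc, op, obj))
    return windows


def features(edges):
    """Fixed-length vector per window: count of each op type, then the number of distinct
    processes and distinct objects. This histogram is a stand-in for a learned embedding."""
    ops = Counter(op for _, op, _ in edges)
    procs = {p for p, _, _ in edges}
    objs = {o for _, _, o in edges}
    return [float(ops[o]) for o in OPS] + [float(len(procs)), float(len(objs))]


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points, k, iters=20):
    """Deterministic k-means: the first k points seed the centroids (assumed for reproducibility)."""
    centroids = [list(p) for p in points[:k]]
    for _ in range(iters):
        buckets = [[] for _ in range(k)]
        for p in points:
            buckets[min(range(k), key=lambda i: dist(p, centroids[i]))].append(p)
        centroids = [
            [sum(c) / len(b) for c in zip(*b)] if b else centroids[i]
            for i, b in enumerate(buckets)
        ]
    return centroids


def train(text, k=2, margin=1.5):
    """Model normal behaviour: centroids of the benign windows plus a threshold equal to the
    largest benign distance-to-nearest-centroid scaled by a margin (both values assumed)."""
    vecs = [features(e) for e in parse(text).values()]
    centroids = kmeans(vecs, k)
    worst = max(min(dist(v, c) for c in centroids) for v in vecs)
    return centroids, worst * margin


def detect(text, centroids, threshold):
    """Return {window: (score, is_anomalous)}; a window is flagged when its nearest centroid
    lies farther away than the threshold learned from benign data."""
    out = {}
    for window, edges in parse(text).items():
        score = min(dist(features(edges), c) for c in centroids)
        out[window] = (round(score, 3), score > threshold)
    return out


if __name__ == "__main__":
    model, thr = train(TRAIN_LOGS)
    for window, (score, hit) in detect(TEST_LOGS, model, thr).items():
        print(f"{window}: score={score} threshold={thr:.3f} {'ANOMALY' if hit else 'ok'}")
```

On this input the benign test window w5 scores about 1.33 against a threshold of about 1.80, while w6 scores 3.0 and is flagged. The point to take from the design, not the numbers, is that the threshold is derived entirely from benign training windows: if attacker activity leaks into TRAIN_LOGS it widens the clusters and silently raises the threshold.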

Evaluation and Implications

Testing LTRDetector across multiple datasets shows, according to the paper, higher detection accuracy for APT scenarios than existing techniques. This benchmarking supports both the framework's practical value for defenders and its underlying claim that long-term behavioral patterns are a usable signal for APT activity. The paper also reports that its graph compression lets the framework process large provenance datasets with minimal information loss.

Future Directions in AI and Security

LTRDetector is a meaningful step toward detecting long-running, low-signal intrusions, but it leaves open questions. Future work could examine adaptive learning for updating the model of normal behavior over time without exposing the detector to model poisoning, since an attacker who can shape what the detector learns as "normal" can hide inside it. Refining the detection stage to handle more complex feature distributions than the clustering assumes could further improve the precision of APT identification.

In conclusion, LTRDetector sets a new precedent for detecting Advanced Persistent Threats through analysis of long-term relationships in system behavior, and it opens avenues for further work combining deep learning with provenance-graph analysis in building robust, adaptive defenses.