Nip in the Bud: Forecasting and Interpreting Post-exploitation Attacks in Real-time through Cyber Threat Intelligence Reports (2405.02826v1)

Published 5 May 2024 in cs.CR

Abstract: Advanced Persistent Threat (APT) attacks have caused significant damage worldwide. Enterprises deploy various Endpoint Detection and Response (EDR) systems to fight potential threats, but EDR suffers from high false-positive rates. So as not to disrupt normal operations, analysts must investigate and filter detection results before taking countermeasures; the heavy manual labor and alarm fatigue this involves cause analysts to miss the optimal response time, leading to information leakage and destruction. We therefore propose Endpoint Forecasting and Interpreting (EFI), a real-time attack forecast and interpretation system that automatically predicts the attacker's next move during post-exploitation, explains it at the technique level, and dispatches strategies to the EDR for advance reinforcement. First, we use Cyber Threat Intelligence (CTI) reports to extract an attack scene graph (ASG) that can be mapped to low-level system logs to strengthen attack samples. Second, we build a serialized graph forecast model that is combined with the attack provenance graph (APG) provided by the EDR to generate an attack forecast graph (AFG) predicting the next move. Finally, we use an attack template graph (ATG) and a graph alignment plus algorithm for technique-level interpretation, automatically dispatching strategies for the EDR to reinforce the system in advance. EFI avoids the impact of existing EDR false positives and reduces the system's attack surface without affecting normal operations. We collect a total of 3,484 CTI reports, generate 1,429 ASGs, label 8,000 sentences, tag 10,451 entities, and construct 256 ATGs. Experimental results on both the DARPA Engagement and a large-scale CTI dataset show that the alignment score between the AFG predicted by EFI and the real attack graph exceeds 0.8, and that EFI's forecast and interpretation precision reaches 91.8%.
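The technique-level interpretation step above rests on aligning an endpoint provenance graph against attack template graphs and thresholding the alignment score. The following is an added illustration of that idea, not code from the EFI paper: the paper's ASG/ATG formats and its "graph alignment plus" algorithm are not given in the abstract, so the template format (regex-constrained node variables plus typed edges), the scoring rule (fraction of template edges realised under one consistent, injective variable binding, with partial credit for unbound variables), the constructed audit-style log lines, and the two illustrative ATT&CK-labelled templates are all this example's own assumptions.

```python
"""Toy alignment of an endpoint provenance graph against attack template graphs.

Added example, not code from the EFI paper. Graph formats, the scoring rule and
the sample records below are assumptions made for illustration only.
"""
from __future__ import annotations

import re
from itertools import product

# Constructed audit-style records ("subject relation object", labels are
# type:name). Made up for this example; not real EDR output.
SAMPLE_LOG = """\
proc:thunderbird write file:/home/bob/Downloads/invoice.docm
proc:libreoffice read file:/home/bob/Downloads/invoice.docm
proc:libreoffice exec proc:bash
proc:bash connect net:203.0.113.7:443
proc:bash write file:/tmp/.cache/loader.so
proc:bash exec proc:python3
proc:python3 read file:/tmp/.cache/loader.so
proc:python3 connect net:203.0.113.7:8443
"""

Edge = tuple[str, str, str]

def parse_provenance(text: str) -> list[Edge]:
    """Parse 'subject relation object' lines into typed edges."""
    edges: list[Edge] = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than guess at them
        edges.append((parts[0], parts[1], parts[2]))
    return edges

# Attack template graphs: nodes are variables constrained by a regex on the
# concrete label; edges are (var, relation, var). Technique labels are
# illustrative ATT&CK mappings chosen for this example.
TEMPLATES: dict[str, dict] = {
    "T1059 scripting interpreter spawned by document handler": {
        "nodes": {
            "doc": r"^file:.*\.(docm?|xlsm?|pdf)$",
            "viewer": r"^proc:(libreoffice|soffice|winword|excel|acrobat)",
            "shell": r"^proc:(bash|sh|zsh|powershell|cmd|python3?)$",
            "c2": r"^net:",
        },
        "edges": [("viewer", "read", "doc"),
                  ("viewer", "exec", "shell"),
                  ("shell", "connect", "c2")],
    },
    "T1105 ingress tool transfer then execute": {
        "nodes": {
            "dl": r"^proc:",
            "c2": r"^net:",
            "payload": r"^file:.*\.(so|dll|exe|elf|bin)$",
            "runner": r"^proc:",
        },
        "edges": [("dl", "connect", "c2"),
                  ("dl", "write", "payload"),
                  ("dl", "exec", "runner"),
                  ("runner", "read", "payload")],
    },
}

def align(template: dict, edges: list[Edge]) -> tuple[float, dict[str, str | None]]:
    """Best binding of template variables to concrete nodes.

    A variable may stay unbound (None) so partial matches still score; bound
    variables must map to distinct nodes. Exhaustive search is fine at this
    size; a real system would index and prune (assumption).
    """
    nodes = sorted({n for s, _, o in edges for n in (s, o)})
    edge_set = set(edges)
    variables = list(template["nodes"])
    candidates = [[None] + [n for n in nodes if re.search(template["nodes"][v], n)]
                  for v in variables]
    best_score, best_binding = 0.0, {}
    for combo in product(*candidates):
        bound = [c for c in combo if c is not None]
        if len(set(bound)) != len(bound):
            continue  # injective binding only
        binding = dict(zip(variables, combo))
        hit = sum(binding[s] is not None and binding[o] is not None
                  and (binding[s], r, binding[o]) in edge_set
                  for s, r, o in template["edges"])
        score = hit / len(template["edges"])
        if score > best_score:
            best_score, best_binding = score, binding
    return best_score, best_binding

def interpret(edges: list[Edge], threshold: float = 0.8) -> list[tuple[str, float]]:
    """Technique-level interpretation: templates whose alignment score clears
    the threshold (0.8 mirrors the alignment score reported in the abstract)."""
    hits = []
    for name, tpl in TEMPLATES.items():
        score, _ = align(tpl, edges)
        if score >= threshold:
            hits.append((name, round(score, 2)))
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    for name, score in interpret(parse_provenance(SAMPLE_LOG)):
        print(f"{score:.2f}  {name}")
```

Run stand-alone, it reports both templates at score 1.00 for the constructed graph. Feeding it only the first two libreoffice records yields 2/3 for the T1059 template, which falls below the 0.8 threshold and is therefore not reported; that is the practical effect of thresholding an alignment score rather than alerting on any single suspicious edge.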

