POIROT: Aligning Attack Behavior with Kernel Audit Records for Cyber Threat Hunting (1910.00056v1)

Published 30 Sep 2019 in cs.CR

Abstract: Cyber threat intelligence (CTI) is being used to search for indicators of attacks that might have compromised an enterprise network for a long time without being discovered. To have a more effective analysis, CTI open standards have incorporated descriptive relationships showing how the indicators or observables are related to each other. However, these relationships are either completely overlooked in information gathering or not used for threat hunting. In this paper, we propose a system, called POIROT, which uses these correlations to uncover the steps of a successful attack campaign. We use kernel audits as a reliable source that covers all causal relations and information flows among system entities and model threat hunting as an inexact graph pattern matching problem. Our technical approach is based on a novel similarity metric which assesses an alignment between a query graph constructed out of CTI correlations and a provenance graph constructed out of kernel audit log records. We evaluate POIROT on publicly released real-world incident reports as well as reports of an adversarial engagement designed by DARPA, including ten distinct attack campaigns against different OS platforms such as Linux, FreeBSD, and Windows. Our evaluation results show that POIROT is capable of searching inside graphs containing millions of nodes and pinpoint the attacks in a few minutes, and the results serve to illustrate that CTI correlations could be used as robust and reliable artifacts for threat hunting.

Authors (4)
  1. Sadegh M. Milajerdi (4 papers)
  2. Birhanu Eshete (14 papers)
  3. Rigel Gjomemo (7 papers)
  4. V. N. Venkatakrishnan (6 papers)
Citations (170)

Summary

An Insightful Overview of Poirot: Aligning Attack Behavior with Kernel Audit Records for Cyber Threat Hunting

The paper "Poirot: Aligning Attack Behavior with Kernel Audit Records for Cyber Threat Hunting" introduces a robust approach towards cyber threat intelligence (CTI) and its application in threat hunting. The authors propose a system named Poirot, which utilizes correlations in CTI reports to detect systematic attack operations within enterprise environments. By leveraging provenance graphs constructed from kernel audit records, Poirot transforms the threat hunting process into an inexact graph pattern matching problem, aligning graph-based representations of attack behaviors with observed system audit logs.

Methodology and Technical Approach

Poirot operates by aligning attack behaviors described in CTI reports, often formatted using open standards like OpenIOC, STIX, and MISP, to the detailed system entity interactions traced in kernel audit logs. This involves constructing a query graph from CTI descriptions elucidating attack behaviors, which typically describe interrelations between relevant cyber threat indicators such as processes, files, and IP addresses.

The core technical challenge addressed is the graph pattern matching problem formulated in this context as aligning the query graph derived from CTI with a provenance graph built from kernel audit records. Poirot circumvents the inherent NP-completeness of subgraph matching through an approximation function and a novel similarity metric. Here, a key innovation is the "influence score," reflecting how feasible it is for an attacker to implement the observed information flows within the provenance graph.
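To make the alignment idea concrete, here is a small added Python illustration (not the authors' code, and a deliberate simplification of the paper's metric): the influence score of a provenance-graph flow is taken as 1 over the minimum number of process nodes an attacker would have to control along any path between the two aligned nodes, 0 when no path exists or the count exceeds an assumed threshold, and a candidate alignment is scored by averaging that over the query graph's flows. The provenance graph, the query flows, the node alignment and the threshold value are all constructed for the example.

```python
import heapq
from collections import defaultdict
# Constructed toy provenance graph (not from the paper's datasets).
NODES = {"sock:1.2.3.4": "socket", "firefox": "process", "dropper.exe": "file",
         "dropper_proc": "process", "passwd": "file", "exfil_proc": "process",
         "sock:5.6.7.8": "socket", "editor": "process", "notes.txt": "file"}
EDGES = defaultdict(list)  # directed information flows src -> dst
for _s, _d in [("sock:1.2.3.4", "firefox"), ("firefox", "dropper.exe"),
               ("dropper.exe", "dropper_proc"), ("passwd", "dropper_proc"),
               ("dropper_proc", "exfil_proc"), ("exfil_proc", "sock:5.6.7.8"),
               ("editor", "notes.txt")]:
    EDGES[_s].append(_d)

C_THRESHOLD = 3  # assumed cap: a flow needing more processes scores 0

def min_processes(src, dst, nodes=NODES, edges=EDGES):
    # Fewest distinct process nodes on any src->dst path: Dijkstra where
    # entering a process costs 1 and any other node costs 0. None if no path.
    cost = {src: int(nodes[src] == "process")}
    heap = [(cost[src], src)]
    while heap:
        c, n = heapq.heappop(heap)
        if n == dst:
            return c
        if c > cost[n]:
            continue  # stale heap entry
        for m in edges[n]:
            nc = c + int(nodes[m] == "process")
            if nc < cost.get(m, float("inf")):
                cost[m] = nc
                heapq.heappush(heap, (nc, m))
    return None

def influence_score(src, dst, threshold=C_THRESHOLD):
    # Simplified influence score: 1 / C_min, or 0 when no path exists or
    # the attacker would have to control more than `threshold` processes.
    c = min_processes(src, dst)
    return 0.0 if c is None or c > threshold else 1.0 / max(c, 1)

def alignment_score(query_flows, alignment, threshold=C_THRESHOLD):
    # Mean influence score over the query graph's flows, each mapped onto
    # the provenance graph through the candidate node alignment.
    scores = [influence_score(alignment[i], alignment[j], threshold)
              for i, j in query_flows]
    return sum(scores) / len(scores) if scores else 0.0

# Constructed query graph: IP_A delivers a dropper that reads passwd and sends it to IP_B.
QUERY_FLOWS = [("ip_a", "dropper"), ("pwfile", "ip_b")]
ALIGNMENT = {"ip_a": "sock:1.2.3.4", "dropper": "dropper.exe",
             "pwfile": "passwd", "ip_b": "sock:5.6.7.8"}
```

The second query flow scores 0.5 because the audit trail routes it through two processes, so the alignment averages to 0.75; the unrelated `editor` activity contributes nothing because no path connects it to the exfiltration socket.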

Numerical Results and Evaluation

Poirot's effectiveness is illustrated through evaluations on benchmark red-team scenarios from the DARPA Transparent Computing program, coupled with real-world malware incidents executed in controlled environments. The system successfully identified attack patterns across diverse operating systems, demonstrating capability in processing large graphs consisting of tens of millions of audit records within minutes. Significantly, Poirot achieved high alignment scores in most scenarios, indicating precise identification of attack behavior.

In contrast to other threat detection tools, like RedLine and Loki, which rely on isolated indicators and signatures susceptible to mutations and evasive maneuvers by attackers, Poirot's behavior-centric approach allows for broader and more resilient detection capabilities.

Implications and Future Directions

The theoretical and practical implications of the research are prominent. The paper argues that CTI correlations are robust and reliable artifacts for threat hunting, providing a structured method for cyber analysts to interpret and respond to threats effectively. Additionally, the influence-based graph alignment approach resists typical evasive tactics in cyber attacks, offering a significant advantage over traditional techniques.

Looking forward, advancing the automated construction of query graphs directly from natural language CTI and refining the influence scoring could enhance the system's efficiency and scope of application. Further development could extend beyond current kernel audit environments to incorporate multi-source logs, increasing comprehensiveness in threat detection.

Conclusion

The paper presents a meticulous and technically sound approach to using graph alignment in threat intelligence and hunting. Poirot's capability of aligning CTI-derived attack behaviors with audit logs marks a significant advancement in cyber security frameworks. The methodology has proven effective in practical evaluations, underscoring the potential for significant improvements in cyber threat detection and the broadening of its application to diverse information environments.