Skip to main content
SpringerLink
Log in

Identifying Tactics of Advanced Persistent Threats with Limited Attack Traces

  • Conference paper
  • First Online:
Information Systems Security (ICISS 2021)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 13146))

Included in the following conference series:

Abstract

The cyberworld being threatened by continuous imposters needs the development of intelligent methods for identifying threats while keeping in mind all the constraints that can be encountered. Advanced Persistent Threats (APT) have become an important national issue as they secretly steal information over a long period of time. Depending on the objective, adversaries use different tactics throughout the APT campaign to compromise the systems. Therefore, this kind of attack needs immediate attention as such attack tactics are hard to detect for being interleaved with benign activities. Moreover, existing solutions to detect APT attacks are computationally expensive, since keeping track of every system behavior is both costly and challenging. In addition, because of the data imbalance issue that appears due to few malicious events compared to the innumerable benign events in the system, the performance of the existing detection models is affected. In this work, we propose novel machine learning (ML) approaches to classify such attack tactics. More specifically, we convert APT traces into a graph, generate nodes, and eventually graph embeddings, and classify using ML. For ML, we use proposed advanced approaches to address class imbalance issues and compare our approaches with other baseline models and show the effectiveness of our approaches.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 54.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 69.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    https://en.wikipedia.org/wiki/Kronecker_product.

References

  1. https://attack.mitre.org/groups/G0049/

  2. Red Canary, September 2020. https://github.com/redcanaryco/atomic-red-team

  3. Ayoade, G., et al.: Evolving advanced persistent threat detection using provenance graph and metric learning. In: 2020 IEEE Conference on Communications and Network Security (CNS), pp. 1–9 (2020)

    Google Scholar 

  4. CALDERA: Caldera. https://github.com/mitre/caldera. Accessed 10 June 2021

  5. Cer, D., et al.: Universal sentence encoder. CoRR abs/1803.11175 (2018)

    Google Scholar 

  6. Chen, C., Shyu, M.: Clustering-based binary-class classification for imbalanced data sets. In: Proceedings of the IEEE International Conference on Information Reuse and Integration, IRI 2011, 3–5 August 2011, Las Vegas, Nevada, USA, pp. 384–389. IEEE Systems, Man, and Cybernetics Society (2011)

    Google Scholar 

  7. Douzas, G., Bacao, F., Last, F.: Improving imbalanced learning through a heuristic oversampling method based on k-means and smote. Inf. Sci. 465, 1–20 (2018)

    Article  Google Scholar 

  8. Endgameinc: Red team automation (RTA). https://github.com/endgameinc/RTA. Accessed 10 June 2021

  9. Gao, Y., Li, Y.F., Chandra, S., Khan, L., Thuraisingham, B.: Towards self-adaptive metric learning on the fly. In: The World Wide Web Conference, pp. 503–513. ACM (2019)

    Google Scholar 

  10. Gao, Y., Li, Y.F., Lin, Y., Aggarwal, C., Khan, L.: SetConv: a new approach for learning from imbalanced data (2021)

    Google Scholar 

  11. Gephi: The open graph viz platform. https://gephi.org/. Accessed 10 June 2021

  12. Hamilton, W., Ying, Z., Leskovec, J.: Inductive representation learning on large graphs. In: Guyon, I., et al. (eds.) Advances in Neural Information Processing Systems, vol. 30, pp. 1024–1034. Curran Associates, Inc. (2017)

    Google Scholar 

  13. Han, X., Pasquier, T., Bates, A., Mickens, J., Seltzer, M.: Unicorn: runtime provenance-based detector for advanced persistent threats. arXiv preprint arXiv:2001.01525 (2020)

  14. Hassan, W., Bates, A., Marino, D.: Tactical provenance analysis for endpoint detection and response systems. In: 2020 IEEE Symposium on Security and Privacy (SP), pp. 1172–1189. IEEE Computer Society, Los Alamitos, CA, USA, May 2020

    Google Scholar 

  15. Hastie, T., Tibshirani, R., Friedman, J.: The Elements of Statistical Learning: Data Mining, Inference, and Prediction. Springer Science & Business Media, New York (2009). https://doi.org/10.1007/978-0-387-84858-7

  16. He, H., Garcia, E.A.: Learning from imbalanced data. IEEE Trans. Knowl. Data Eng. 21(9), 1263–1284 (2009)

    Article  Google Scholar 

  17. Jiang, X., Walters, A., Xu, D., Spafford, E., Buchholz, F., Wang, Y.M.: Provenance-aware tracing ofworm break-in and contaminations: a process coloring approach. In: 26th IEEE International Conference on Distributed Computing Systems (ICDCS 2006), p. 38 (2006). https://doi.org/10.1109/ICDCS.2006.69

  18. King, S.T., Chen, P.M.: Backtracking intrusions. SIGOPS Oper. Syst. Rev. 37(5), 223–236 (2003)

    Article  Google Scholar 

  19. Kipf, T.N., Welling, M.: Semi-supervised classification with graph convolutional networks. arXiv preprint arXiv:1609.02907 (2016)

  20. Lee, K.H., Zhang, X., Xu, D.: High accuracy attack provenance via binary-based execution partition. In: NDSS (2013)

    Google Scholar 

  21. Liu, X.Y., Wu, J., Zhou, Z.H.: Exploratory undersampling for class-imbalance learning. IEEE Trans. Syst. Man Cybern. Part B (Cybern.) 39(2), 539–550 (2008)

    Google Scholar 

  22. Ma, S., Zhang, X., Xu, D.: Protracer: towards practical provenance tracing by alternating between logging and tainting. In: NDSS (2016)

    Google Scholar 

  23. Milajerdi, S.M., Gjomemo, R., Eshete, B., Sekar, R., Venkatakrishnan, V.: Holmes: real-time APT detection through correlation of suspicious information flows. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 1137–1152. IEEE (2019)

    Google Scholar 

  24. Myneni, S., et al.: DAPT 2020 - constructing a benchmark dataset for advanced persistent threats. In: Wang, G., Ciptadi, A., Ahmadzadeh, A. (eds.) MLHat 2020. CCIS, vol. 1271, pp. 138–163. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-59621-7_8

    Chapter  Google Scholar 

  25. Oprea, A., Li, Z., Norris, R., Bowers, K.: Made: security analytics for enterprise threat detection. In: Proceedings of the 34th Annual Computer Security Applications Conference, pp. 124–136. ACSAC 2018. Association for Computing Machinery, New York, NY, USA (2018)

    Google Scholar 

  26. Pasquier, T., et al.: Practical whole-system provenance capture. In: Proceedings of the 2017 Symposium on Cloud Computing, pp. 405–418. SoCC 2017, ACM, New York, NY, USA (2017)

    Google Scholar 

  27. Pasquier, T., et al.: Runtime analysis of whole-system provenance (2018)

    Google Scholar 

  28. Pasquier, T., et al.: Runtime analysis of whole-system provenance. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1601–1616. CCS 2018, ACM, New York, NY, USA (2018)

    Google Scholar 

  29. Pei, K., et al.: Hercule: attack story reconstruction via community discovery on correlated log graph. In: Proceedings of the 32nd Annual Conference on Computer Security Applications, pp. 583–595. ACSAC 2016, Association for Computing Machinery, New York, NY, USA (2016)

    Google Scholar 

  30. Perozzi, B., Al-Rfou, R., Skiena, S.: Deepwalk: online learning of social representations. In: Proceedings of the 20th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 701–710 (2014)

    Google Scholar 

  31. Rabanser, S., Shchur, O., Günnemann, S.: Introduction to tensor decompositions and their applications in machine learning. CoRR abs/1711.10781 (2017)

    Google Scholar 

  32. Sheyner, O., Haines, J., Jha, S., Lippmann, R., Wing, J.M.: Automated generation and analysis of attack graphs. In: Proceedings 2002 IEEE Symposium on Security and Privacy, pp. 273–284 (2002)

    Google Scholar 

  33. Sun, Y., Kamel, M.S., Wong, A.K.C., Wang, Y.: Cost-sensitive boosting for classification of imbalanced data. Pattern Recogn. 40(12), 3358–3378 (2007)

    Article  Google Scholar 

  34. Thakur, V.: The sykipot attacks (2011). https://www.symantec.com/connect/blogs/sykipot-attacks

  35. TinkerPop, A.: Apache tinkerpop. https://tinkerpop.apache.org/. Accessed 10 June 2021

  36. Xiang, S., Nie, F., Zhang, C.: Learning a mahalanobis distance metric for data clustering and classification. Pattern Recogn. 41(12), 3600–3612 (2008)

    Article  Google Scholar 

Download references

Acknowledgements

The research reported herein was supported in part by NIST award 60NANB20D178, NSF awards DMS-1737978, DGE-2039542; and an IBM faculty award (Research).

Author information

Authors and Affiliations

  1. The University of Texas at Dallas, 800 West Campbell Road, Richardson, TX, 75080, USA

    Khandakar Ashrafi Akbar, Yigong Wang, Md Shihabul Islam, Latifur Khan & Bhavani Thuraisingham

  2. National Institute of Standards and Technology, 100 Bureau Drive, Gaithersburg, MD, 20899, USA

    Anoop Singhal

Authors
  1. Khandakar Ashrafi Akbar
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Yigong Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Md Shihabul Islam
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Anoop Singhal
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Latifur Khan
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Bhavani Thuraisingham
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Khandakar Ashrafi Akbar .

Editor information

Editors and Affiliations

  1. Indian Institute of Technology Patna, Patna, India

    Somanath Tripathy

  2. Indian Institute of Technology Bombay, Mumbai, India

    Rudrapatna K. Shyamasundar

  3. Newcastle University, Newcastle upon Tyne, UK

    Rajiv Ranjan

Rights and permissions

Reprints and permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Akbar, K.A., Wang, Y., Islam, M.S., Singhal, A., Khan, L., Thuraisingham, B. (2021). Identifying Tactics of Advanced Persistent Threats with Limited Attack Traces. In: Tripathy, S., Shyamasundar, R.K., Ranjan, R. (eds) Information Systems Security. ICISS 2021. Lecture Notes in Computer Science(), vol 13146. Springer, Cham. https://doi.org/10.1007/978-3-030-92571-0_1

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-92571-0_1

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-92570-3

  • Online ISBN: 978-3-030-92571-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation