An Attack Entity Deducing Model for Attack Forensics

  • Conference paper
  • Neural Information Processing (ICONIP 2023)
  • Part of the book series: Communications in Computer and Information Science (CCIS, volume 1969)

Abstract

The forensics of Advanced Persistent Threat (APT) attacks, known for their prolonged duration and use of multiple attack methods, requires extensive log analysis to discern their attack steps. Facing this massive volume of data, researchers have increasingly turned to extended machine learning methods to enhance attack forensics. However, the limited number of attack samples available for training, and the inability of that data to accurately represent real-world scenarios, pose significant challenges. To address these issues, we propose ASAI, an attack deduction model that leverages auxiliary strategies and dynamic word embeddings. First, ASAI tackles data imbalance through a sequence sampling method enhanced by a custom auxiliary strategy. The sampled sequences are then transformed into dynamic vectors using dynamic word embedding, and the model is trained on these vectors to capture the spatio-temporal characteristics of entities under diverse contextual conditions. In this paper, ASAI is evaluated using ten real-world APT attacks executed within an actual virtual environment. The results demonstrate ASAI's ability to recover the key steps of the attacks and construct attack stories, achieving an impressive F1 score of up to 99.70%, a significant 16.98% improvement over the baseline, which uses one-hot embedding after resampling.

Acknowledgements

This work was supported in part by the National Key Research and Development Program of China (No. 2020YFB1805400); in part by the National Natural Science Foundation of China (No. U19A2068, No. 62032002, and No. 62101358); in part by Youth Foundation of Sichuan (Grant No. 2023NSFSC1395); in part by the China Postdoctoral Science Foundation (No. 2020M683345); Fundamental Research Funds for the Central Universities (Grant No. 2023SCU12127); in part by Joint Innovation Fund of Sichuan University and Nuclear Power Institute of China (Grant No. HG2022143).

Author information

Corresponding author

Correspondence to Junjiang He.

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Jiang, T., He, J., Li, T., Fang, W., Li, W., Tang, C. (2024). An Attack Entity Deducing Model for Attack Forensics. In: Luo, B., Cheng, L., Wu, ZG., Li, H., Li, C. (eds) Neural Information Processing. ICONIP 2023. Communications in Computer and Information Science, vol 1969. Springer, Singapore. https://doi.org/10.1007/978-981-99-8184-7_26

  • DOI: https://doi.org/10.1007/978-981-99-8184-7_26

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-8183-0

  • Online ISBN: 978-981-99-8184-7

  • eBook Packages: Computer Science (R0)