
Conan: A Practical Real-Time APT Detection System With High Accuracy and Efficiency


Abstract:

Advanced Persistent Threat (APT) attacks have caused serious security threats and financial losses worldwide. Various real-time detection mechanisms that combine context information and provenance graphs have been proposed to defend against APT attacks. However, existing real-time APT detection mechanisms suffer from accuracy and efficiency issues due to inaccurate detection models and the growing size of provenance graphs. To address the accuracy issue, we propose a novel and accurate APT detection model that removes unnecessary phases and focuses on the remaining ones with improved definitions. To address the efficiency issue, we propose a state-based framework in which events are consumed as streams and each entity is represented in an FSA-like structure without storing historic data. Additionally, we reconstruct attack scenarios by storing just one in a thousand events in a database. Finally, we implement our design, called Conan, on Windows and conduct comprehensive experiments under real-world scenarios to show that Conan can accurately and efficiently detect all attacks within our evaluation. The memory usage and CPU efficiency of Conan remain constant over time (1-10 MB of memory and hundreds of times faster than data generation), making Conan a practical design for detecting both known and unknown APT attacks in real-world scenarios.
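The abstract describes a streaming, state-based design: each entity carries an FSA-like state that is updated per event without retaining history, and only a small fraction of events is persisted for later scenario reconstruction. The following is an added illustration of that architecture and is not Conan's code; the entity states, the transition table, the sampling ratio and the sample event stream are all constructed assumptions chosen to show why per-entity state keeps memory bounded, not the paper's detection model.

```python
"""Added example (not Conan's code): per-entity FSA state driven by an event
stream with bounded memory, plus 1-in-N event sampling to a store.
States, transitions and the sample stream are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed (hypothetical) states for one entity, e.g. a process.
BENIGN, TAINTED, ALERT = "benign", "tainted", "alert"

# Constructed transition table: (current state, event type) -> next state.
# Only the current state and the incoming event are needed, so no history
# has to be kept per entity; unknown pairs leave the state unchanged.
TRANSITIONS: Dict[Tuple[str, str], str] = {
    (BENIGN, "recv_net"): TAINTED,      # data arrived from the network
    (TAINTED, "write_file"): TAINTED,   # tainted data written to disk
    (TAINTED, "exec"): ALERT,           # tainted process executes something
}


@dataclass
class Event:
    seq: int       # monotonically increasing sequence number
    entity: str    # entity identifier (e.g. a process id), constructed
    etype: str     # constructed event type
    detail: str


class StreamDetector:
    """Consumes events one at a time; stores one per-entity state only."""

    def __init__(self, sample_every: int = 1000) -> None:
        self.states: Dict[str, str] = {}     # live entities -> FSA state
        self.sample_every = sample_every
        self.stored: List[Event] = []        # stand-in for the sampled-event DB
        self.alerts: List[Tuple[int, str]] = []
        self.peak_entities = 0               # high-water mark of live state

    def consume(self, ev: Event) -> str:
        # Entity lifecycle: dropping state on exit is what bounds memory.
        if ev.etype == "exit":
            self.states.pop(ev.entity, None)
            self._sample(ev)
            return "removed"
        cur = self.states.get(ev.entity, BENIGN)
        nxt = TRANSITIONS.get((cur, ev.etype), cur)
        self.states[ev.entity] = nxt
        self.peak_entities = max(self.peak_entities, len(self.states))
        if nxt == ALERT and cur != ALERT:
            self.alerts.append((ev.seq, ev.entity))
        self._sample(ev)
        return nxt

    def _sample(self, ev: Event) -> None:
        # Persist only every N-th event for later reconstruction.
        if ev.seq % self.sample_every == 0:
            self.stored.append(ev)


def build_stream(n: int = 5000) -> List[Event]:
    """Constructed sample stream: 50 short-lived processes that alternate
    between a benign read and an exit, followed by one process (pid4242)
    performing the recv_net -> write_file -> exec chain the toy FSA flags."""
    events: List[Event] = []
    for i in range(n):
        etype = "read_file" if (i // 50) % 2 == 0 else "exit"
        events.append(Event(i + 1, f"pid{i % 50}", etype, "benign activity"))
    seq = n
    for etype in ("recv_net", "write_file", "exec"):
        seq += 1
        events.append(Event(seq, "pid4242", etype, "constructed suspicious chain"))
    return events


def run_demo() -> Dict[str, object]:
    det = StreamDetector(sample_every=1000)
    for ev in build_stream():
        det.consume(ev)
    return {
        "alerts": len(det.alerts),
        "stored": len(det.stored),            # 5003 events in, 5 persisted
        "live_entities": len(det.states),     # only pid4242 remains live
        "peak_entities": det.peak_entities,   # never more than 50 at once
        "final_state": det.states.get("pid4242"),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point the example makes is the one the abstract claims for the state-based framework: the working set is proportional to the number of live entities (here at most 50), not to the number of events processed, and the persisted record is the sampled slice rather than the full stream.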
Published in: IEEE Transactions on Dependable and Secure Computing (Volume: 19, Issue: 1, 01 Jan.-Feb. 2022)
Page(s): 551 - 565
Date of Publication: 03 February 2020
