A Rule Mining-Based Advanced Persistent Threats Detection System
- URL: http://arxiv.org/abs/2105.10053v1
- Date: Thu, 20 May 2021 22:13:13 GMT
- Title: A Rule Mining-Based Advanced Persistent Threats Detection System
- Authors: Sidahmed Benabderrahmane, Ghita Berrada, James Cheney, and Petko Valtchev
- Abstract summary: Advanced persistent threats (APT) are stealthy cyber-attacks aimed at stealing valuable information from target organizations.
Provenance-tracking and trace mining are considered promising as they can help find causal relationships between activities and flag suspicious event sequences as they occur.
We introduce an unsupervised method that exploits OS-independent features reflecting process activity to detect realistic APT-like attacks from provenance traces.
- Score: 2.75264806444313
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Advanced persistent threats (APT) are stealthy cyber-attacks that are aimed
at stealing valuable information from target organizations and tend to extend
in time. Blocking all APTs is impossible, security experts caution, hence the
importance of research on early detection and damage limitation. Whole-system
provenance-tracking and provenance trace mining are considered promising as
they can help find causal relationships between activities and flag suspicious
event sequences as they occur. We introduce an unsupervised method that
exploits OS-independent features reflecting process activity to detect
realistic APT-like attacks from provenance traces. Anomalous processes are
ranked using both frequent and rare event associations learned from traces.
Results are then presented as implications which, since interpretable, help
leverage causality in explaining the detected anomalies. When evaluated on
Transparent Computing program datasets (DARPA), our method outperformed
competing approaches.
Related papers
- Accurate and Scalable Detection and Investigation of Cyber Persistence Threats [6.426529295074839]
This paper introduces Cyber Persistence Detector (CPD), a novel system dedicated to detecting cyber persistence through provenance analytics.
CPD discerns setups signaling an impending persistent threat and then traces processes linked to remote connections to identify persistence execution activities.
We propose a novel alert triage algorithm that further reduces false positives associated with persistence threats.
arXiv Detail & Related papers (2024-07-26T15:51:49Z)
- RAPID: Robust APT Detection and Investigation Using Context-Aware Deep Learning [26.083244046813512]
We introduce a novel deep learning-based method for robust APT detection and investigation.
By utilizing self-supervised sequence learning and iteratively learned embeddings, our approach effectively adapts to dynamic system behavior.
Our evaluation demonstrates RAPID's effectiveness and computational efficiency in real-world scenarios.
arXiv Detail & Related papers (2024-06-08T05:39:24Z)
- LTRDetector: Exploring Long-Term Relationship for Advanced Persistent Threats Detection [20.360010908574303]
Advanced Persistent Threat (APT) is challenging to detect due to prolonged duration, infrequent occurrence, and adept concealment techniques.
Existing approaches primarily concentrate on the observable traits of attack behaviors, neglecting the intricate relationships formed throughout the persistent attack lifecycle.
We present an innovative APT detection framework named LTRDetector, implementing an end-to-end holistic operation.
arXiv Detail & Related papers (2024-04-04T02:30:51Z)
- You Cannot Escape Me: Detecting Evasions of SIEM Rules in Enterprise Networks [2.310746340159112]
We present AMIDES, an open-source proof-of-concept adaptive misuse detection system.
We show that AMIDES successfully detects a majority of these evasions without any false alerts.
arXiv Detail & Related papers (2023-11-16T21:05:12Z)
- The Adversarial Implications of Variable-Time Inference [47.44631666803983]
We present an approach that exploits a novel side channel in which the adversary simply measures the execution time of the algorithm used to post-process the predictions of the ML model under attack.
We investigate leakage from the non-maximum suppression (NMS) algorithm, which plays a crucial role in the operation of object detectors.
We demonstrate attacks against the YOLOv3 detector, leveraging the timing leakage to successfully evade object detection using adversarial examples, and perform dataset inference.
arXiv Detail & Related papers (2023-09-05T11:53:17Z)
- On the Universal Adversarial Perturbations for Efficient Data-free Adversarial Detection [55.73320979733527]
We propose a data-agnostic adversarial detection framework, which induces different responses between normal and adversarial samples to UAPs.
Experimental results show that our method achieves competitive detection performance on various text classification tasks.
arXiv Detail & Related papers (2023-06-27T02:54:07Z)
- Illusory Attacks: Information-Theoretic Detectability Matters in Adversarial Attacks [76.35478518372692]
We introduce epsilon-illusory, a novel form of adversarial attack on sequential decision-makers.
Compared to existing attacks, we empirically find epsilon-illusory to be significantly harder to detect with automated methods.
Our findings suggest the need for better anomaly detectors, as well as effective hardware- and system-level defenses.
arXiv Detail & Related papers (2022-07-20T19:49:09Z)
- SAGE: Intrusion Alert-driven Attack Graph Extractor [4.530678016396476]
Attack graphs (AGs) are used to assess pathways availed by cyber adversaries to penetrate a network.
We propose to automatically learn AGs based on actions observed through intrusion alerts, without prior expert knowledge.
arXiv Detail & Related papers (2021-07-06T17:45:02Z)
- Exploring Robustness of Unsupervised Domain Adaptation in Semantic Segmentation [74.05906222376608]
We propose adversarial self-supervision UDA (or ASSUDA) that maximizes the agreement between clean images and their adversarial examples by a contrastive loss in the output space.
This paper is rooted in two observations: (i) the robustness of UDA methods in semantic segmentation remains unexplored, which poses a security concern in this field; and (ii) although commonly used self-supervision (e.g., rotation and jigsaw) benefits image tasks such as classification and recognition, they fail to provide the critical supervision signals that could learn discriminative representation for segmentation tasks.
arXiv Detail & Related papers (2021-05-23T01:50:44Z)
- No Need to Know Physics: Resilience of Process-based Model-free Anomaly Detection for Industrial Control Systems [95.54151664013011]
We present a novel framework to generate adversarial spoofing signals that violate physical properties of the system.
We analyze four anomaly detectors published at top security conferences.
arXiv Detail & Related papers (2020-12-07T11:02:44Z)
- Adversarial vs behavioural-based defensive AI with joint, continual and active learning: automated evaluation of robustness to deception, poisoning and concept drift [62.997667081978825]
Recent advancements in Artificial Intelligence (AI) have brought new capabilities to behavioural analysis (UEBA) for cyber-security.
In this paper, we present a solution to effectively mitigate this attack by improving the detection process and efficiently leveraging human expertise.
arXiv Detail & Related papers (2020-01-13T13:54:36Z)
This list is automatically generated from the titles and abstracts of the papers in this site.