TREC: APT Tactic / Technique Recognition via Few-Shot Provenance Subgraph Learning

• URL: http://arxiv.org/abs/2402.15147v2
• Date: Wed, 11 Sep 2024 06:35:21 GMT
• Title: TREC: APT Tactic / Technique Recognition via Few-Shot Provenance Subgraph Learning
• Authors: Mingqi Lv, HongZhe Gao, Xuebo Qiu, Tieming Chen, Tiantian Zhu, Jinyin Chen, Shouling Ji,
• Abstract summary: We propose TREC, the first attempt to recognize APT tactics from provenance graphs by exploiting deep learning techniques. To address the "needle in a haystack" problem, TREC segments small and compact subgraphs from a large provenance graph. We evaluate TREC based on a customized dataset collected and made public by our team.
• Score: 31.959092032106472
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: APT (Advanced Persistent Threat) with the characteristics of persistence, stealth, and diversity is one of the greatest threats against cyber-infrastructure. As a countermeasure, existing studies leverage provenance graphs to capture the complex relations between system entities in a host for effective APT detection. In addition to detecting single attack events as most existing work does, understanding the tactics / techniques (e.g., Kill-Chain, ATT&CK) applied to organize and accomplish the APT attack campaign is more important for security operations. Existing studies try to manually design a set of rules to map low-level system events to high-level APT tactics / techniques. However, the rule based methods are coarse-grained and lack generalization ability, thus they can only recognize APT tactics and cannot identify fine-grained APT techniques and mutant APT attacks. In this paper, we propose TREC, the first attempt to recognize APT tactics / techniques from provenance graphs by exploiting deep learning techniques. To address the "needle in a haystack" problem, TREC segments small and compact subgraphs covering individual APT technique instances from a large provenance graph based on a malicious node detection model and a subgraph sampling algorithm. To address the "training sample scarcity" problem, TREC trains the APT tactic / technique recognition model in a few-shot learning manner by adopting a Siamese neural network. We evaluate TREC based on a customized dataset collected and made public by our team. The experiment results show that TREC significantly outperforms state-of-the-art systems in APT tactic recognition and TREC can also effectively identify APT techniques.

Related papers

• A Lightweight IDS for Early APT Detection Using a Novel Feature Selection Method [0.0]
  An Advanced Persistent Threat (APT) is a multistage, highly sophisticated, and covert form of cyber threat.<n>We propose a feature selection method for developing a lightweight intrusion detection system.
  arXiv  Detail & Related papers  (2025-06-13T09:07:56Z)
• Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures [1.0787328610467801]
  This study examines the evolution of Advanced Persistent Threats (APTs) over 22 years. We focus on their evasion techniques and how they stay undetected for months or years. The most popular protocol to deploy evasion techniques is using HTTP(S) with 81% of APT campaigns.
  arXiv  Detail & Related papers  (2025-02-12T22:38:50Z)
• Detecting APT Malware Command and Control over HTTP(S) Using Contextual Summaries [1.0787328610467801]
  We present EarlyCrow, an approach to detect APT malware command and control over HTTP(S) using contextual summaries. The design of EarlyCrow is informed by a novel threat model focused on TTPs present in traffic generated by tools recently used in APT campaigns. EarlyCrow defines a novel multipurpose network flow format called PairFlow, which is leveraged to build the contextual summary of a PCAP capture.
  arXiv  Detail & Related papers  (2025-02-07T22:38:39Z)
• Adversarial Prompt Distillation for Vision-Language Models [63.24270920122456]
  Adversarial Prompt Tuning (APT) applies adversarial training during the process of prompt tuning. APD is a bimodal knowledge distillation framework that enhances APT by integrating it with multi-modal knowledge transfer. Extensive experiments on multiple benchmark datasets demonstrate the superiority of our APD method over the current state-of-the-art APT methods.
  arXiv  Detail & Related papers  (2024-11-22T03:02:13Z)
• A Cascade Approach for APT Campaign Attribution in System Event Logs: Technique Hunting and Subgraph Matching [1.0928166738710612]
  This study addresses the challenge of identifying APT campaign attacks through system event logs. A cascading approach, name SFM, combines Technique hunting and APT campaign attribution.
  arXiv  Detail & Related papers  (2024-10-29T23:49:28Z)
• Slot: Provenance-Driven APT Detection through Graph Reinforcement Learning [26.403625710805418]
  Advanced Persistent Threats (APTs) represent sophisticated cyberattacks characterized by their ability to remain undetected for extended periods. We propose Slot, an advanced APT detection approach based on provenance graphs and graph reinforcement learning. We show Slot's outstanding accuracy, efficiency, adaptability, and robustness in APT detection, with most metrics surpassing state-of-the-art methods.
  arXiv  Detail & Related papers  (2024-10-23T14:28:32Z)
• Chasing the Shadows: TTPs in Action to Attribute Advanced Persistent Threats [3.2183320563774833]
  This research aims to assist the threat analyst in the attribution process by presenting an attribution method named CAPTAIN. The proposed approach outperforms traditional similarity measures like Cosine, Euclidean, and Longest Common Subsequence. Overall, CAPTAIN performs attribution with the precision of 61.36% (top-1) and 69.98% (top-2), surpassing the existing state-of-the-art attribution methods.
  arXiv  Detail & Related papers  (2024-09-24T18:59:27Z)
• Active Test-Time Adaptation: Theoretical Analyses and An Algorithm [51.84691955495693]
  Test-time adaptation (TTA) addresses distribution shifts for streaming test data in unsupervised settings. We propose the novel problem setting of active test-time adaptation (ATTA) that integrates active learning within the fully TTA setting.
  arXiv  Detail & Related papers  (2024-04-07T22:31:34Z)
• Task-Agnostic Detector for Insertion-Based Backdoor Attacks [53.77294614671166]
  We introduce TABDet (Task-Agnostic Backdoor Detector), a pioneering task-agnostic method for backdoor detection. TABDet leverages final layer logits combined with an efficient pooling technique, enabling unified logit representation across three prominent NLP tasks. TABDet can jointly learn from diverse task-specific models, demonstrating superior detection efficacy over traditional task-specific methods.
  arXiv  Detail & Related papers  (2024-03-25T20:12:02Z)
• NODLINK: An Online System for Fine-Grained APT Attack Detection and Investigation [15.803901489811318]
  NodLink is the first online detection system that maintains high detection accuracy without sacrificing detection granularity. We propose a novel design of in-memory cache, an efficient attack screening method, and a new approximation algorithm that is more efficient than the conventional one in APT attack detection.
  arXiv  Detail & Related papers  (2023-11-04T05:36:59Z)
• MERTech: Instrument Playing Technique Detection Using Self-Supervised Pretrained Model With Multi-Task Finetuning [17.307289537499184]
  We propose to apply a self-supervised learning model pre-trained on large-scale unlabeled music data and finetune it on IPT detection tasks. Our method outperforms prior approaches in both frame-level and event-level metrics across multiple IPT benchmark datasets.
  arXiv  Detail & Related papers  (2023-10-15T15:00:00Z)
• DPTDR: Deep Prompt Tuning for Dense Passage Retrieval [53.217524851268216]
  Deep prompt tuning (DPT) has gained great success in most natural language processing(NLP) tasks. However, it is not well-investigated in dense retrieval where fine-tuning(FT) still dominates. We propose two model-agnostic and task-agnostic strategies for DPT-based retrievers, namely retrieval-oriented intermediate pretraining and unified negative mining.
  arXiv  Detail & Related papers  (2022-08-24T12:55:00Z)
• Adversarial Attacks and Defense for Non-Parametric Two-Sample Tests [73.32304304788838]
  This paper systematically uncovers the failure mode of non-parametric TSTs through adversarial attacks. To enable TST-agnostic attacks, we propose an ensemble attack framework that jointly minimizes the different types of test criteria. To robustify TSTs, we propose a max-min optimization that iteratively generates adversarial pairs to train the deep kernels.
  arXiv  Detail & Related papers  (2022-02-07T11:18:04Z)
• Exploring Memorization in Adversarial Training [58.38336773082818]
  We investigate the memorization effect in adversarial training (AT) for promoting a deeper understanding of capacity, convergence, generalization, and especially robust overfitting. We propose a new mitigation algorithm motivated by detailed memorization analyses.
  arXiv  Detail & Related papers  (2021-06-03T05:39:57Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.