SPARSE: Semantic Tracking and Path Analysis for Attack Investigation in Real-time
- URL: http://arxiv.org/abs/2405.02629v1
- Date: Sat, 4 May 2024 10:19:28 GMT
- Title: SPARSE: Semantic Tracking and Path Analysis for Attack Investigation in Real-time
- Authors: Jie Ying, Tiantian Zhu, Wenrui Cheng, Qixuan Yuan, Mingjun Ma, Chunlin Xiong, Tieming Chen, Mingqi Lv, Yan Chen,
- Abstract summary: We propose SPARSE, an efficient system for constructing critical component graphs (i.e., consisting of critical events) from streaming logs.
Our evaluation on a real large-scale attack dataset shows that SPARSE can generate a critical component graph (~113 edges) in 1.6 seconds.
SPARSE is 25× more effective than other state-of-the-art techniques in filtering irrelevant edges.
- Score: 7.477027371128296
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: As the complexity and destructiveness of Advanced Persistent Threats (APTs) increase, there is a growing tendency to identify the series of actions undertaken to achieve the attacker's target, called attack investigation. Currently, analysts construct the provenance graph to perform causality analysis on a Point-Of-Interest (POI) event in order to capture critical events (those related to the attack). However, due to the vast size of the provenance graph and the rarity of critical events, existing attack investigation methods suffer from high false positives, high overhead, and high latency. To this end, we propose SPARSE, an efficient and real-time system for constructing critical component graphs (i.e., graphs consisting of critical events) from streaming logs. Our key observations are 1) critical events exist in a suspicious semantic graph (SSG) composed of interaction flows between suspicious entities, and 2) information flows that accomplish the attacker's goal exist in the form of paths. Therefore, SPARSE uses a two-stage framework to implement attack investigation (i.e., constructing the SSG and performing path-level contextual analysis). First, SPARSE operates in a state-based mode where events are consumed as streams, allowing easy access to the SSG related to the POI event through a semantic transfer rule and a storage strategy. Then, SPARSE identifies all suspicious flow paths (SFPs) related to the POI event from the SSG and quantifies the influence of each path to filter irrelevant events. Our evaluation on a real large-scale attack dataset shows that SPARSE can generate a critical component graph (~113 edges) in 1.6 seconds, which is 2014× smaller than the backtracking graph (~227,589 edges). SPARSE is 25× more effective than other state-of-the-art techniques in filtering irrelevant edges.
Related papers
- HELP: HyperNode Expansion and Logical Path-Guided Evidence Localization for Accurate and Efficient GraphRAG [53.30561659838455]
  Large Language Models (LLMs) often struggle with inherent knowledge boundaries and hallucinations.
  Retrieval-Augmented Generation (RAG) frequently overlooks structural interdependencies essential for multi-hop reasoning.
  HELP achieves competitive performance across multiple simple and multi-hop QA benchmarks and up to a 28.8× speedup over leading graph-based RAG baselines.
  arXiv Detail & Related papers (2026-02-24T14:05:29Z)
- Breaking the Static Graph: Context-Aware Traversal for Robust Retrieval-Augmented Generation [12.71443292660797]
  We propose CatRAG, Context-Aware Traversal for robust RAG.
  CatRAG builds on the HippoRAG 2 architecture and transforms the static KG into a query-adaptive navigation structure.
  Experiments across four multi-hop benchmarks demonstrate that CatRAG consistently outperforms state-of-the-art baselines.
  arXiv Detail & Related papers (2026-02-02T11:13:38Z)
- TPPR: APT Tactic / Technique Pattern Guided Attack Path Reasoning for Attack Investigation [0.0]
  We propose TPPR, a novel framework that first extracts anomaly subgraphs through abnormal node detection, TTP annotation and graph pruning.
  TPPR achieves 99.9% graph simplification (700,000 to 20 edges) while preserving 91% of critical attack nodes, outperforming state-of-the-art solutions (SPARSE, DepImpact) by 63.1% and 67.9% in reconstruction precision while maintaining attack scenario integrity.
  arXiv Detail & Related papers (2025-10-25T07:13:07Z)
- IDGraphs: Intrusion Detection and Analysis Using Stream Compositing [8.0129134921247]
  IDGraphs is an interactive visualization system for intrusion detection.
  We apply IDGraphs to a real network router dataset with 179M flow-level records representing a total traffic of 1.16TB.
  The system successfully detects and analyzes a variety of attacks and anomalies.
  arXiv Detail & Related papers (2025-06-26T16:08:20Z)
- Cluster-Aware Attacks on Graph Watermarks [50.19105800063768]
  We introduce a cluster-aware threat model in which adversaries apply community-guided modifications to evade detection.
  Our results show that cluster-aware attacks can reduce attribution accuracy by up to 80% more than random baselines.
  We propose a lightweight embedding enhancement that distributes watermark nodes across graph communities.
  arXiv Detail & Related papers (2025-04-24T22:49:28Z)
- Enforcing Fundamental Relations via Adversarial Attacks on Input Parameter Correlations [76.2226569692207]
  Correlations between input parameters play a crucial role in many scientific classification tasks.
  We present a new adversarial attack algorithm called Random Distribution Shuffle Attack (RDSA).
  We demonstrate the effectiveness of RDSA on six classification tasks.
  arXiv Detail & Related papers (2025-01-09T21:45:09Z)
- Unified Semantic Log Parsing and Causal Graph Construction for Attack Attribution [3.9936021096611576]
  Multi-source logs provide a comprehensive overview of ongoing system activities, allowing for in-depth analysis to detect potential threats.
  A practical approach for threat detection involves explicit extraction of entity triples (subject, action, object) towards building graphs to facilitate the analysis of system behavior.
  We contribute a novel unified framework coined UTL, which adopts semantic analysis to construct causal graphs by merging multiple sub-graphs from individual log sources.
  arXiv Detail & Related papers (2024-11-22T21:40:19Z)
- A Flow is a Stream of Packets: A Stream-Structured Data Approach for DDoS Detection [32.22817720403158]
  We propose a new tree-based DDoS detection approach that operates on a flow as a stream structure.
  Our approach matches or exceeds the accuracy of existing machine learning techniques, including state-of-the-art deep learning methods.
  arXiv Detail & Related papers (2024-05-12T09:29:59Z)
- Marlin: Knowledge-Driven Analysis of Provenance Graphs for Efficient and Robust Detection of Cyber Attacks [32.77246634664381]
  We introduce Marlin, which approaches cyber attack detection through real-time provenance graph alignment.
  Marlin can process 137K events per second while accurately identifying 120 subgraphs with 31 confirmed attacks, along with only 1 false positive.
  arXiv Detail & Related papers (2024-03-19T08:37:13Z)
- Effective In-vehicle Intrusion Detection via Multi-view Statistical Graph Learning on CAN Messages [9.04771951523525]
  In-vehicle networks (IVNs) are facing a wide variety of complex and changing external cyber-attacks.
  Only coarse-grained recognition can be achieved in current mainstream intrusion detection mechanisms.
  We propose StatGraph: an Effective Multi-view Statistical Graph Learning Intrusion Detection.
  arXiv Detail & Related papers (2023-11-13T03:49:55Z)
- PRAT: PRofiling Adversarial aTtacks [52.693011665938734]
  We introduce a novel problem of PRofiling Adversarial aTtacks (PRAT).
  Given an adversarial example, the objective of PRAT is to identify the attack used to generate it.
  We use AID to devise a novel framework for the PRAT objective.
  arXiv Detail & Related papers (2023-09-20T07:42:51Z)
- Pair then Relation: Pair-Net for Panoptic Scene Graph Generation [54.92476119356985]
  Panoptic Scene Graph (PSG) aims to create a more comprehensive scene graph representation using panoptic segmentation instead of boxes.
  Current PSG methods have limited performance, which hinders downstream tasks or applications.
  We present a novel framework: Pair then Relation (Pair-Net), which uses a Pair Proposal Network (PPN) to learn and filter sparse pair-wise relationships between subjects and objects.
  arXiv Detail & Related papers (2023-07-17T17:58:37Z)
- Zebra: Deeply Integrating System-Level Provenance Search and Tracking for Efficient Attack Investigation [17.51791844411799]
  We propose Zebra, a system that integrates attack pattern search and causal dependency tracking for efficient attack investigation.
  Zebra provides (1) an expressive and concise domain-specific language, Tstl, for performing various types of search and tracking analyses, and (2) an optimized language execution engine for efficient execution over a large amount of auditing data.
  arXiv Detail & Related papers (2022-11-10T08:13:19Z)
- On Trace of PGD-Like Adversarial Attacks [77.75152218980605]
  Adversarial attacks pose safety and security concerns for deep learning applications.
  We construct Adversarial Response Characteristics (ARC) features to reflect the model's gradient consistency.
  Our method is intuitive, lightweight, non-intrusive, and data-undemanding.
  arXiv Detail & Related papers (2022-05-19T14:26:50Z)
- ERGO: Event Relational Graph Transformer for Document-level Event Causality Identification [24.894074201193927]
  Document-level Event Causality Identification (DECI) aims to identify causal relations between event pairs in a document.
  We propose a novel Graph TransfOrmer (ERGO) framework for DECI.
  arXiv Detail & Related papers (2022-04-15T12:12:16Z)
- Zero-Query Transfer Attacks on Context-Aware Object Detectors [95.18656036716972]
  Adversarial attacks perturb images such that a deep neural network produces incorrect classification results.
  A promising approach to defend against adversarial attacks on natural multi-object scenes is to impose a context-consistency check.
  We present the first approach for generating context-consistent adversarial attacks that can evade the context-consistency check.
  arXiv Detail & Related papers (2022-03-29T04:33:06Z)
- ADC: Adversarial attacks against object Detection that evade Context consistency checks [55.8459119462263]
  We show that even context consistency checks can be brittle to properly crafted adversarial examples.
  We propose an adaptive framework to generate examples that subvert such defenses.
  Our results suggest that how to robustly model context and check its consistency is still an open problem.
  arXiv Detail & Related papers (2021-10-24T00:25:09Z)
- Graph Backdoor [53.70971502299977]
  We present GTA, the first backdoor attack on graph neural networks (GNNs).
  GTA departs in significant ways: it defines triggers as specific subgraphs, including both topological structures and descriptive features.
  It can be instantiated for both transductive (e.g., node classification) and inductive (e.g., graph classification) tasks.
  arXiv Detail & Related papers (2020-06-21T19:45:30Z)
This list is automatically generated from the titles and abstracts of the papers in this site.