A Cascade Approach for APT Campaign Attribution in System Event Logs: Technique Hunting and Subgraph Matching
- URL: http://arxiv.org/abs/2410.22602v1
- Date: Tue, 29 Oct 2024 23:49:28 GMT
- Title: A Cascade Approach for APT Campaign Attribution in System Event Logs: Technique Hunting and Subgraph Matching
- Authors: Yi-Ting Huang, Ying-Ren Guo, Guo-Wei Wong, Meng Chang Chen,
- Abstract summary: This study addresses the challenge of identifying APT campaign attacks through system event logs.
A cascading approach, name SFM, combines Technique hunting and APT campaign attribution.
- Score: 1.0928166738710612
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: As Advanced Persistent Threats (APTs) grow increasingly sophisticated, the demand for effective detection methods has intensified. This study addresses the challenge of identifying APT campaign attacks through system event logs. A cascading approach, name SFM, combines Technique hunting and APT campaign attribution. Our approach assumes that real-world system event logs contain a vast majority of normal events interspersed with few suspiciously malicious ones and that these logs are annotated with Techniques of MITRE ATT&CK framework for attack pattern recognition. Then, we attribute APT campaign attacks by aligning detected Techniques with known attack sequences to determine the most likely APT campaign. Evaluations on five real-world APT campaigns indicate that the proposed approach demonstrates reliable performance.
Related papers
- Detecting APT Malware Command and Control over HTTP(S) Using Contextual Summaries [1.0787328610467801]
We present EarlyCrow, an approach to detect APT malware command and control over HTTP(S) using contextual summaries.
The design of EarlyCrow is informed by a novel threat model focused on TTPs present in traffic generated by tools recently used in APT campaigns.
EarlyCrow defines a novel multipurpose network flow format called PairFlow, which is leveraged to build the contextual summary of a PCAP capture.
arXiv Detail & Related papers (2025-02-07T22:38:39Z) - Slot: Provenance-Driven APT Detection through Graph Reinforcement Learning [26.403625710805418]
Advanced Persistent Threats (APTs) represent sophisticated cyberattacks characterized by their ability to remain undetected for extended periods.
We propose Slot, an advanced APT detection approach based on provenance graphs and graph reinforcement learning.
We show Slot's outstanding accuracy, efficiency, adaptability, and robustness in APT detection, with most metrics surpassing state-of-the-art methods.
arXiv Detail & Related papers (2024-10-23T14:28:32Z) - Chasing the Shadows: TTPs in Action to Attribute Advanced Persistent Threats [3.2183320563774833]
This research aims to assist the threat analyst in the attribution process by presenting an attribution method named CAPTAIN.
The proposed approach outperforms traditional similarity measures like Cosine, Euclidean, and Longest Common Subsequence.
Overall, CAPTAIN performs attribution with the precision of 61.36% (top-1) and 69.98% (top-2), surpassing the existing state-of-the-art attribution methods.
arXiv Detail & Related papers (2024-09-24T18:59:27Z) - AdvQDet: Detecting Query-Based Adversarial Attacks with Adversarial Contrastive Prompt Tuning [93.77763753231338]
Adversarial Contrastive Prompt Tuning (ACPT) is proposed to fine-tune the CLIP image encoder to extract similar embeddings for any two intermediate adversarial queries.
We show that ACPT can detect 7 state-of-the-art query-based attacks with $>99%$ detection rate within 5 shots.
We also show that ACPT is robust to 3 types of adaptive attacks.
arXiv Detail & Related papers (2024-08-04T09:53:50Z) - A Federated Learning Approach for Multi-stage Threat Analysis in Advanced Persistent Threat Campaigns [25.97800399318373]
Multi-stage threats like advanced persistent threats (APT) pose severe risks by stealing data and destroying infrastructure.
APTs use novel attack vectors and evade signature-based detection by obfuscating their network presence.
This paper proposes a novel 3-phase unsupervised federated learning (FL) framework to detect APTs.
arXiv Detail & Related papers (2024-06-19T03:34:41Z) - Unified Physical-Digital Attack Detection Challenge [70.67222784932528]
Face Anti-Spoofing (FAS) is crucial to safeguard Face Recognition (FR) Systems.
UniAttackData is the largest public dataset for Unified Attack Detection.
We organized a Unified Physical-Digital Face Attack Detection Challenge to boost the research in Unified Attack Detections.
arXiv Detail & Related papers (2024-04-09T11:00:11Z) - Task-Agnostic Detector for Insertion-Based Backdoor Attacks [53.77294614671166]
We introduce TABDet (Task-Agnostic Backdoor Detector), a pioneering task-agnostic method for backdoor detection.
TABDet leverages final layer logits combined with an efficient pooling technique, enabling unified logit representation across three prominent NLP tasks.
TABDet can jointly learn from diverse task-specific models, demonstrating superior detection efficacy over traditional task-specific methods.
arXiv Detail & Related papers (2024-03-25T20:12:02Z) - TREC: APT Tactic / Technique Recognition via Few-Shot Provenance Subgraph Learning [31.959092032106472]
We propose TREC, the first attempt to recognize APT tactics from provenance graphs by exploiting deep learning techniques.
To address the "needle in a haystack" problem, TREC segments small and compact subgraphs from a large provenance graph.
We evaluate TREC based on a customized dataset collected and made public by our team.
arXiv Detail & Related papers (2024-02-23T07:05:32Z) - Scalable Ensemble-based Detection Method against Adversarial Attacks for
speaker verification [73.30974350776636]
This paper comprehensively compares mainstream purification techniques in a unified framework.
We propose an easy-to-follow ensemble approach that integrates advanced purification modules for detection.
arXiv Detail & Related papers (2023-12-14T03:04:05Z) - Confidence-driven Sampling for Backdoor Attacks [49.72680157684523]
Backdoor attacks aim to surreptitiously insert malicious triggers into DNN models, granting unauthorized control during testing scenarios.
Existing methods lack robustness against defense strategies and predominantly focus on enhancing trigger stealthiness while randomly selecting poisoned samples.
We introduce a straightforward yet highly effective sampling methodology that leverages confidence scores. Specifically, it selects samples with lower confidence scores, significantly increasing the challenge for defenders in identifying and countering these attacks.
arXiv Detail & Related papers (2023-10-08T18:57:36Z) - PRAT: PRofiling Adversarial aTtacks [52.693011665938734]
We introduce a novel problem of PRofiling Adversarial aTtacks (PRAT)
Given an adversarial example, the objective of PRAT is to identify the attack used to generate it.
We use AID to devise a novel framework for the PRAT objective.
arXiv Detail & Related papers (2023-09-20T07:42:51Z) - ADDMU: Detection of Far-Boundary Adversarial Examples with Data and
Model Uncertainty Estimation [125.52743832477404]
Adversarial Examples Detection (AED) is a crucial defense technique against adversarial attacks.
We propose a new technique, textbfADDMU, which combines two types of uncertainty estimation for both regular and FB adversarial example detection.
Our new method outperforms previous methods by 3.6 and 6.0 emphAUC points under each scenario.
arXiv Detail & Related papers (2022-10-22T09:11:12Z) - Exploring Memorization in Adversarial Training [58.38336773082818]
We investigate the memorization effect in adversarial training (AT) for promoting a deeper understanding of capacity, convergence, generalization, and especially robust overfitting.
We propose a new mitigation algorithm motivated by detailed memorization analyses.
arXiv Detail & Related papers (2021-06-03T05:39:57Z) - A Rule Mining-Based Advanced Persistent Threats Detection System [2.75264806444313]
Advanced persistent threats (APT) are stealthy cyber-attacks aimed at stealing valuable information from target organizations.
Provenance-tracking and trace mining are considered promising as they can help find causal relationships between activities and flag suspicious event sequences as they occur.
We introduce an unsupervised method that exploits OS-independent features reflecting process activity to detect realistic APT-like attacks from provenance traces.
arXiv Detail & Related papers (2021-05-20T22:13:13Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.