A Cascade Approach for APT Campaign Attribution in System Event Logs: Technique Hunting and Subgraph Matching
Abstract: As Advanced Persistent Threats (APTs) grow increasingly sophisticated, the demand for effective detection methods has intensified. This study addresses the challenge of identifying APT campaign attacks through system event logs. A cascading approach, named SFM, combines Technique hunting and APT campaign attribution. Our approach assumes that real-world system event logs contain a vast majority of normal events interspersed with a few suspicious or malicious ones, and that these logs are annotated with Techniques of the MITRE ATT&CK framework for attack pattern recognition. We then attribute APT campaign attacks by aligning the detected Techniques with known attack sequences to determine the most likely APT campaign. Evaluations on five real-world APT campaigns indicate that the proposed approach demonstrates reliable performance.
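As an added illustration (not code from the paper or its authors), the cascade in miniature: Technique hunting is assumed to have already tagged each event with an ATT&CK Technique ID, and the paper's subgraph matching is replaced here by a simpler normalized edit-distance alignment of the detected Technique sequence against known campaign sequences. The log lines and campaign sequences are constructed placeholders, not data from the paper.

```python
# Added example, not from the paper: simplified Technique hunting + attribution.
# Assumes each event already carries an ATT&CK Technique ID ("-" = benign).
from typing import Dict, List, Tuple

# Constructed sample log: (timestamp, process, event, annotated Technique)
SAMPLE_LOG = [
    ("10:00:01", "outlook.exe",    "file_write attach.docm",        "-"),
    ("10:00:02", "winword.exe",    "process_create cmd.exe",        "T1204"),
    ("10:00:03", "cmd.exe",        "process_create powershell.exe", "T1059"),
    ("10:00:04", "svchost.exe",    "file_read config.ini",          "-"),
    ("10:00:05", "powershell.exe", "process_create systeminfo.exe", "T1082"),
    ("10:00:06", "powershell.exe", "net_connect 203.0.113.7:443",   "T1071"),
    ("10:00:07", "explorer.exe",   "file_read readme.txt",          "-"),
    ("10:00:08", "schtasks.exe",   "task_create Updater",           "T1053"),
    ("10:00:09", "powershell.exe", "net_send 203.0.113.7:443",      "T1041"),
]

# Constructed placeholder campaign sequences (not real campaign profiles).
KNOWN_CAMPAIGNS: Dict[str, List[str]] = {
    "campaign-A": ["T1204", "T1059", "T1071", "T1053", "T1041"],
    "campaign-B": ["T1190", "T1059", "T1105", "T1021", "T1486"],
    "campaign-C": ["T1566", "T1204", "T1055", "T1003", "T1041"],
}

def hunt_techniques(log) -> List[str]:
    """Stage 1: keep only events carrying a Technique tag, in log order."""
    return [tech for _, _, _, tech in log if tech != "-"]

def normalized_edit_distance(a: List[str], b: List[str]) -> float:
    """Levenshtein distance over Technique tokens, scaled to [0, 1]."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (x != y)))
        prev = cur
    return prev[-1] / max(len(a), len(b), 1)

def attribute(detected: List[str], campaigns: Dict[str, List[str]]) -> Tuple[str, float]:
    """Stage 2: return the campaign whose sequence aligns best (similarity in [0, 1])."""
    scored = {name: 1.0 - normalized_edit_distance(detected, seq)
              for name, seq in campaigns.items()}
    best = max(scored, key=scored.get)
    return best, scored[best]

if __name__ == "__main__":
    seq = hunt_techniques(SAMPLE_LOG)
    print("detected:", seq)
    print("attributed to %s (similarity %.3f)" % attribute(seq, KNOWN_CAMPAIGNS))
```

The extra discovery step (T1082) not present in campaign-A's profile lowers the similarity to 5/6 but does not change the attribution, which is the kind of tolerance to noise a real alignment must provide.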