A baseline for unsupervised advanced persistent threat detection in system-level provenance

Berrada, Ghita; Cheney, James; Benabderrahmane, Sidahmed; Maxwell, William L.; Mookherjee, Himan; Theriault, Alec; Wright, Ryan

doi:10.1016/j.future.2020.02.015

Cited by 24 publications

(11 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Researchers have pointed out and scrutinized this challenge, which is to a great extent related to the failure in preventing and detecting targeted attacks using existing conventional techniques. [13] and [14] This failure has led to breaches involving confidential information and documents of organizations and government agencies. Existing methods have been ineffective in the fight against APT activities in the user, application, network and physical plane.…”

Section: Astesj Issn: 2415-6698mentioning

confidence: 99%

“…A dataset of 1228 log events classified using Support Vector Machine algorithm showed an accuracy level of 98.67% [22]. Several machine learning algorithms have been proposed and applied to mitigating APT, but the most common algorithms used with APT detection and prevention are majorly: Simple Vector Machine (SVM), K-Nearest Neighbor (KNN), Decision Tree and Random forest [3], [14], [23] and [24]. This narrows down the machine learning algorithms to four for this study.…”

Section: Related Workmentioning

confidence: 99%

“…The choice of these algorithms was based on the frequency of their utilization in APT like researches. [3], [14], [23] and [24]. The Dataset, which is in PCAP (Packet Capture) format, is feed at the top of Figure 5 as network traffic.…”

Section: Research Hypothesismentioning

confidence: 99%

See 2 more Smart Citations

Improved Detection of Advanced Persistent Threats Using an Anomaly Detection Ensemble Approach

Ishaya¹,

Ajibola²,

Hashim³

et al. 2021

Adv. sci. technol. eng. syst. j.

View full text Add to dashboard Cite

Rated a high-risk cyber-attack type, Advanced Persistent Threat (APT) has become a cause for concern to cyber security experts. Detecting the presence of APT in order to mitigate this attack has been a major challenge as successful attacks to large organizations still abound. Our approach combines static rule anomaly detection through pattern recognition and machine learning-based classification technique in mitigating the APT. (1) The rules-based on patterns are derived using statistical analysis majorly Kruskal Wallis test for association. A Packet Capture (PCAP) dataset with 1,047,908 packet header data is analyzed in an attempt, to identify malicious versus normal data traffic patterns. 90% of the attack traffic utilizes unassigned and dynamic/private ports and, also data sizes of between 0 and 58 bytes.(2) The machine learning approach narrows down the algorithm utilized by evaluating the accuracy levels of four algorithms: K-Nearest Neighbor (KNN), Support Vector Machine (SVM), Decision Tree and Random Forest with the accuracies 99.74, 87.11, 99.84 and 99.90 percent respectively. A load balance approach and modified entropy formula was applied to Random Forest. The model combines the two techniques giving it a minimum accuracy of 99.95% with added capabilities of detecting false positives. The results for both methods are matched in order to make a final decision. This approach can be easily adopted, as the data required is packet header data, visible in every network and provides results with commendable levels of accuracy, and the challenges of false positives greatly reduced.

show abstract

Section: Astesj Issn: 2415-6698mentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Improved Detection of Advanced Persistent Threats Using an Anomaly Detection Ensemble Approach

Ishaya¹,

Ajibola²,

Hashim³

et al. 2021

Adv. sci. technol. eng. syst. j.

View full text Add to dashboard Cite

show abstract

“…According to Berrada et al (2020), traditional security systems do not solve the problem of APTs, they are among current undetectable systems.…”

Section: Literature Reviewmentioning

confidence: 99%

Advanced Persistent Threats (APT)-Attribution-MICTIC Framework Extension

Brandao¹

2021

Journal of Computer Science

View full text Add to dashboard Cite

Analysis of one of the fundamental parts of the Advanced Persistent Threats (APT) Attacks. The phases of the APTs, their framing with the identification of criminals. Type of attack that normally requires resources only available to the State-State hacking. The importance of Attribution in the analysis of APTS. The unique and differentiating characteristics of this type of attacks compared to traditional cyber-attacks. Development of an extension for one of the few Frameworks applied to Attribution in APTs, the MICTIC.

show abstract

“…For example, Barre et al [22] build a classifier to detect cyber-attacks on top of a set of features (e.g., total quantity of data written, number of system files used) extracted from the provenance data. Berrada et al [23] extract Boolean-valued features (called contexts) from the provenance graph, and treat cyber-attack detection as an anomaly detection task by using unsupervised learning technique. Xiang et al [24] extract different features from two separated platforms (i.e., PC platforms and mobile platforms), and use several machine learning algorithms to detect cyber-attacks based on the combined features.…”

Section: Related Workmentioning

confidence: 99%

A Heterogeneous Graph Learning Model for Cyber-Attack Detection

Lv¹,

Dong²,

Chen³

et al. 2021

Preprint

View full text Add to dashboard Cite

A cyber-attack is a malicious attempt by experienced hackers to breach the target information system. Usually, the cyber-attacks are characterized as hybrid TTPs (Tactics, Techniques, and Procedures) and long-term adversarial behaviors, making the traditional intrusion detection methods ineffective. Most existing cyber-attack detection systems are implemented based on manually designed rules by referring to domain knowledge (e.g., threat models, threat intelligences). However, this process is lack of intelligence and generalization ability. Aiming at this limitation, this paper proposes an intelligent cyber-attack detection method based on provenance data. To effective and efficient detect cyber-attacks from a huge number of system events in the provenance data, we firstly model the provenance data by a heterogeneous graph to capture the rich context information of each system entities (e.g., process, file, socket, etc.), and learns a semantic vector representation for each system entity. Then, we perform online cyber-attack detection by sampling a small and compact local graph from the heterogeneous graph, and classifying the key system entities as malicious or benign. We conducted a series of experiments on two provenance datasets with real cyber-attacks. The experiment results show that the proposed method outperforms other learning based detection models, and has competitive performance against state-of-the-art rule based cyber-attack detection systems.

show abstract

A baseline for unsupervised advanced persistent threat detection in system-level provenance

Cited by 24 publications

References 32 publications

Improved Detection of Advanced Persistent Threats Using an Anomaly Detection Ensemble Approach

Improved Detection of Advanced Persistent Threats Using an Anomaly Detection Ensemble Approach

Advanced Persistent Threats (APT)-Attribution-MICTIC Framework Extension

A Heterogeneous Graph Learning Model for Cyber-Attack Detection

Contact Info

Product

Resources

About