On Preempting Advanced Persistent Threats Using Probabilistic Graphical Models

Cao, Phuong

doi:10.48550/arxiv.1903.08826

Cited by 1 publication

(3 citation statements)

References 53 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Besides their visually attractive properties, the topology of a directed graph is a representation of the attack plan progression. In such graphs, each vertex represents an individual alert, which might come from a variety of security solutions, and each edge represents the progression between two alerts [8]. With their vertices comprised of security alerts, attack graphs are also sometimes called alert graphs, which is the terminology we use in this work.…”

Section: Related Workmentioning

confidence: 99%

“…However, this approach requires heavy manual work, and can not handle cases when multiple attacks are carried-out simultaneously. Finally, in [8] a separate graph is defined for each single asset. This approach results in manageable graphs, but it ignores lateral movement between assets, a common tactic in APT attacks.…”

Section: Related Workmentioning

confidence: 99%

“…A pattern is emerging in the literature where the detection of APTs is composed of numerous small and simple detectors each focused on a single step in the APT chain. Examples of this methodology are [7], [8]. These small detectors are based on either signature-based intrusion detection systems (IDS), user entity behavior analytics (UEBA) [9], or a combination of both.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

RANK: AI-assisted End-to-End Architecture for Detecting Persistent Attacks in Enterprise Networks

Soliman,

Salmon,

Sovilj

et al. 2021

Preprint

View full text Add to dashboard Cite

Advanced Persistent Threats (APTs) are sophisticated multi-step attacks, planned and executed by skilled adversaries targeting modern government and enterprise networks. Intrusion Detection Systems (IDSs) and User and Entity Behavior Analytics (UEBA) are commonly employed to aid a security analyst in the detection of APTs. The prolonged nature of APTs, combined with the granular focus of UEBA and IDS, results in overwhelming the analyst with an increasingly impractical number of alerts. Consequent to this abundance of data, and together with the crucial importance of the problem as well as the high cost of the skilled personnel involved, the problem of APT detection becomes a perfect candidate for automation through Artificial Intelligence (AI). In this paper, we provide, up to our knowledge, the first study and implementation of an end-to-end AI-assisted architecture for detecting APTs -RANK. The goal of the system is not to replace the analyst, rather, it is to automate the complete pipeline from data sources to a final set of incidents for analyst review. The architecture is composed of four consecutive steps: 1) alert templating and merging, 2) alert graph construction, 3) alert graph partitioning into incidents, and 4) incident scoring and ordering. We evaluate our architecture against the 2000 DARPA Intrusion Detection dataset, as well as a read-world private dataset from a mediumscale enterprise. Extensive results are provided showing a three order of magnitude reduction in the amount of data to be reviewed by the analyst, innovative extraction of incidents and security-wise scoring of extracted incidents.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%