LogKernel: A Threat Hunting Approach Based on Behaviour Provenance Graph and Graph Kernel Clustering

by Jiawei Li, et al.

Cyber threat hunting is a proactive search process for hidden threats in an organization's information system. It is a crucial component of active defense against advanced persistent threats (APTs). However, most current threat hunting methods rely on Cyber Threat Intelligence (CTI), which can find known attacks but cannot find unknown attacks that have not been disclosed by CTI. In this paper, we propose LogKernel, a threat hunting method based on graph kernel clustering which can effectively separate attack behaviour from benign activities. LogKernel first abstracts system audit logs into Behaviour Provenance Graphs (BPGs), and then clusters the graphs by embedding them into a continuous space using a graph kernel. In particular, we design a new graph kernel clustering method based on the characteristics of BPGs, which can capture both the structure information and the rich label information of the BPGs. To reduce false positives, LogKernel further quantifies the threat of abnormal behaviour. We evaluate LogKernel on a malicious dataset which includes seven simulated attack scenarios and on the DARPA CADETS dataset which includes four attack scenarios. The results show that LogKernel can hunt all attack scenarios among them and that, compared to the state-of-the-art methods, it can find unknown attacks.


DeepHunter: A Graph Neural Network Based Approach for Robust Cyber Threat Hunting

Cyber Threat hunting is a proactive search for known attack behaviors in...

AnyThreat: An Opportunistic Knowledge Discovery Approach to Insider Threat Detection

Insider threat detection is getting an increased concern from academia, ...

Few-shot Multi-domain Knowledge Rearming for Context-aware Defence against Advanced Persistent Threats

Advanced persistent threats (APTs) have novel features such as multi-sta...

ANUBIS: A Provenance Graph-Based Framework for Advanced Persistent Threat Detection

We present ANUBIS, a highly effective machine learning-based APT detecti...

DeepTaskAPT: Insider APT detection using Task-tree based Deep Learning

APT, known as Advanced Persistent Threat, is a difficult challenge for c...

Clustering of Threat Information to Mitigate Information Overload for Computer Emergency Response Teams

The constantly increasing number of threats and the existing diversity o...

Network Modelling of Criminal Collaborations with Dynamic Bayesian Steady Evolutions

The threat status and criminal collaborations of potential terrorists ar...
