LogKernel A Threat Hunting Approach Based on Behaviour Provenance Graph and Graph Kernel Clustering

08/18/2022
by   Jiawei Li, et al.
0

Cyber threat hunting is a proactive search process for hidden threats in the organization's information system. It is a crucial component of active defense against advanced persistent threats (APTs). However, most of the current threat hunting methods rely on Cyber Threat Intelligence(CTI), which can find known attacks but cannot find unknown attacks that have not been disclosed by CTI. In this paper, we propose LogKernel, a threat hunting method based on graph kernel clustering which can effectively separates attack behaviour from benign activities. LogKernel first abstracts system audit logs into Behaviour Provenance Graphs (BPGs), and then clusters graphs by embedding them into a continuous space using a graph kernel. In particular, we design a new graph kernel clustering method based on the characteristics of BPGs, which can capture structure information and rich label information of the BPGs. To reduce false positives, LogKernel further quantifies the threat of abnormal behaviour. We evaluate LogKernel on the malicious dataset which includes seven simulated attack scenarios and the DAPRA CADETS dataset which includes four attack scenarios. The result shows that LogKernel can hunt all attack scenarios among them, and compared to the state-of-the-art methods, it can find unknown attacks.

READ FULL TEXT
research
04/20/2021

DeepHunter: A Graph Neural Network Based Approach for Robust Cyber Threat Hunting

Cyber Threat hunting is a proactive search for known attack behaviors in...
research
12/01/2018

AnyThreat: An Opportunistic Knowledge Discovery Approach to Insider Threat Detection

Insider threat detection is getting an increased concern from academia, ...
research
06/13/2023

Few-shot Multi-domain Knowledge Rearming for Context-aware Defence against Advanced Persistent Threats

Advanced persistent threats (APTs) have novel features such as multi-sta...
research
12/21/2021

ANUBIS: A Provenance Graph-Based Framework for Advanced Persistent Threat Detection

We present ANUBIS, a highly effective machine learning-based APT detecti...
research
08/31/2021

DeepTaskAPT: Insider APT detection using Task-tree based Deep Learning

APT, known as Advanced Persistent Threat, is a difficult challenge for c...
research
10/25/2022

Clustering of Threat Information to Mitigate Information Overload for Computer Emergency Response Teams

The constantly increasing number of threats and the existing diversity o...
research
07/08/2020

Network Modelling of Criminal Collaborations with Dynamic Bayesian Steady Evolutions

The threat status and criminal collaborations of potential terrorists ar...

Please sign up or login with your details

Forgot password? Click here to reset