Multi-Stage Attack Detection via Kill Chain State Machines

03/26/2021
by   Florian Wilkens, et al.
0

Today, human security analysts collapse under the sheer volume of alerts they have to triage during investigations. The inability to cope with this load, coupled with a high false positive rate of alerts, creates alert fatigue. This results in failure to detect complex attacks, such as advanced persistent threats (APTs), because they manifest over long time frames and attackers tread carefully to evade detection mechanisms. In this paper, we contribute a new method to synthesize attack graphs from state machines. We use the network direction to derive potential attack stages from single and meta-alerts and model resulting attack scenarios in a kill chain state machine (KCSM). Our algorithm yields a graphical summary of the attack, APT scenario graphs, where nodes represent involved hosts and edges infection activity. We evaluate the feasibility of our approach in multiple experiments based on the CSE-CIC-IDS2018 data set. We obtain up to 446 458 singleton alerts that our algorithm condenses into 700 APT scenario graphs resulting in a reduction of up to three orders of magnitude. This reduction makes it feasible for human analysts to effectively triage potential incidents. An evaluation on the same data set, in which we embedded a synthetic yet realistic APT campaign, supports the applicability of our approach of detecting and contextualizing complex attacks. The APT scenario graphs constructed by our algorithm correctly link large parts of the APT campaign and present a coherent view to support the human analyst in further analyses.

READ FULL TEXT

page 1

page 2

page 3

page 4

research
11/16/2020

MAAC: Novel Alert Correlation Method To Detect Multi-step Attack

With the continuous improvement of attack methods, there are more and mo...
research
11/14/2018

A Game Theoretic Approach for Dynamic Information Flow Tracking to Detect Multi-Stage Advanced Persistent Threats

Advanced Persistent Threats (APTs) infiltrate cyber systems and compromi...
research
05/09/2019

Bidirectional RNN-based Few-shot Training for Detecting Multi-stage Attack

"Feint Attack", as a new type of APT attack, has become the focus of att...
research
12/16/2021

APTSHIELD: A Stable, Efficient and Real-time APT Detection System for Linux Hosts

Advanced Persistent Threat (APT) attack usually refers to the form of lo...
research
07/24/2020

Stochastic Dynamic Information Flow Tracking Game using Supervised Learning for Detecting Advanced Persistent Threats

Advanced persistent threats (APTs) are organized prolonged cyberattacks ...
research
02/01/2018

Anomaly Detection in Log Data using Graph Databases and Machine Learning to Defend Advanced Persistent Threats

Advanced Persistent Threats (APTs) are a main impendence in cyber securi...
research
09/01/2023

Cross-temporal Detection of Novel Ransomware Campaigns: A Multi-Modal Alert Approach

We present a novel approach to identify ransomware campaigns derived fro...

Please sign up or login with your details

Forgot password? Click here to reset