On Preempting Advanced Persistent Threats Using Probabilistic Graphical Models
Phuong Cao

TL;DR
This paper introduces PULSAR, a probabilistic graphical model-based framework that predicts and preempts advanced persistent threats in real-time by analyzing security event patterns, demonstrating high accuracy and quick response times.
Contribution
The paper presents PULSAR, a novel framework that uses factor graphs to infer attack progression and enable preemptive actions against APTs, with proven effectiveness in real-world scenarios.
Findings
PULSAR accurately detects 91.7% of past APTs.
Preemptive actions prevented 8 out of 10 unseen attacks.
Decisions are made within approximately one second.
Abstract
This paper presents PULSAR, a framework for pre-empting Advanced Persistent Threats (APTs). PULSAR employs a probabilistic graphical model (specifically a Factor Graph, FG) to infer the time evolution of an attack based on observed security events at runtime. PULSAR (i) learns the statistical significance of patterns of events from past attacks; (ii) composes these patterns into FGs to capture the progression of the attack; and (iii) decides on preemptive actions. PULSAR's accuracy and its performance are evaluated in three experiments at SystemX: (i) a study with a dataset containing 120 successful APTs over the past 10 years (PULSAR accurately identifies 91.7%); (ii) replaying of a set of ten unseen APTs (PULSAR stops 8 out of 10 replayed attacks before system integrity violation, and all ten before data exfiltration); and (iii) a production deployment of PULSAR (during a month-long…
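To make the three steps in the abstract concrete, the following is an added example written for this page, not PULSAR's own code or model: a chain-structured factor graph whose transition and emission factors are learned from a few constructed, labelled attack traces, a sum-product (forward) pass that gives the posterior over the current attack stage, and a preemption decision on that posterior. The stage names, event names, traces and the 0.5 threshold are all assumptions for illustration.

```python
from collections import Counter

# Constructed training data: past attack traces as (event, stage) pairs.
# The stage vocabulary and event names are assumptions for this example.
STAGES = ["benign", "recon", "foothold", "lateral", "exfil"]
TRACES = [
    [("login_ok", "benign"), ("port_scan", "recon"), ("exploit_alert", "foothold"),
     ("new_ssh_key", "lateral"), ("large_outbound", "exfil")],
    [("port_scan", "recon"), ("brute_force", "recon"), ("exploit_alert", "foothold"),
     ("large_outbound", "exfil")],
    [("login_ok", "benign"), ("login_ok", "benign"), ("port_scan", "recon")],
]

def learn_factors(traces, alpha=1.0):
    """Step (i): learn transition and emission factor tables from labelled
    traces; add-alpha smoothing keeps unseen (stage, event) pairs non-zero."""
    events = sorted({e for t in traces for e, _ in t})
    trans, emit = Counter(), Counter()
    for t in traces:
        prev = "benign"                     # every trace starts from a benign state
        for event, stage in t:
            trans[(prev, stage)] += 1
            emit[(stage, event)] += 1
            prev = stage
    def norm(c, keys, rows):
        return {r: {k: (c[(r, k)] + alpha) /
                    (sum(c[(r, x)] for x in keys) + alpha * len(keys))
                    for k in keys} for r in rows}
    return norm(trans, STAGES, STAGES), norm(emit, events, STAGES), events

def stage_posterior(observed, trans, emit):
    """Step (ii): sum-product (forward) pass over the chain factor graph.
    Returns the marginal over the current stage given the events so far;
    an event never seen in training carries no information (uniform weight)."""
    belief = {s: 1.0 if s == "benign" else 0.0 for s in STAGES}
    for ev in observed:
        belief = {s: emit[s].get(ev, 1e-6) * sum(belief[p] * trans[p][s] for p in STAGES)
                  for s in STAGES}
        z = sum(belief.values())
        belief = {s: v / z for s, v in belief.items()}
    return belief

def decide(observed, trans, emit, threshold=0.5):
    """Step (iii): preempt once the posterior mass on foothold-or-later
    exceeds the threshold; otherwise keep monitoring."""
    post = stage_posterior(observed, trans, emit)
    p_compromised = sum(post[s] for s in ("foothold", "lateral", "exfil"))
    return ("preempt" if p_compromised >= threshold else "monitor", p_compromised)
```

With the constructed traces, a lone successful login stays at "monitor", while a port scan followed by an exploit alert crosses the threshold and returns "preempt".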
Taxonomy
Topics: Network Security and Intrusion Detection · Information and Cyber Security · Advanced Malware Detection Techniques
