TL;DR
This paper presents an unsupervised, OS-independent provenance trace analysis method for early detection of advanced persistent threats, leveraging causal relationships and anomaly ranking to improve detection accuracy.
Contribution
It introduces a novel unsupervised approach using process activity features and causal anomaly ranking for APT detection from provenance traces.
Findings
Outperforms competing methods on the DARPA provenance datasets.
Detects stealthy, APT-like attacks early, while the attack is still in progress.
Presents results as interpretable implications that explain why a process was flagged.
Abstract
Advanced persistent threats (APT) are stealthy cyber-attacks that aim to steal valuable information from target organizations and typically unfold over long periods. Security experts caution that blocking all APTs is impossible, hence the importance of research on early detection and damage limitation. Whole-system provenance tracking and provenance trace mining are considered promising because they can expose causal relationships between activities and flag suspicious event sequences as they occur. We introduce an unsupervised method that exploits OS-independent features reflecting process activity to detect realistic APT-like attacks from provenance traces. Anomalous processes are ranked using both frequent and rare event associations learned from the traces. Results are then presented as implications which, being interpretable, help leverage causality in explaining the detected anomalies. When…
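To make the abstract's pipeline concrete, here is an added toy implementation of the idea (feature extraction per process, mining of frequent implications and rare associations, ranking, and an explanation per process). It is not the paper's code and does not reproduce its feature set, thresholds or scoring; the activity labels, the sample trace, the support/confidence thresholds and the scoring rule (sum of confidences of violated implications plus the number of rare associations a process exhibits) are all assumptions chosen for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample provenance trace (hypothetical, not from any DARPA
# dataset): (process id, OS-independent activity label). Raw syscalls are
# abstracted into activity kinds so one feature space applies to any OS.
# p1-p4 are a common benign profile, p5 deviates mildly, p6/p7 are a
# second benign profile, p8 combines activities seen nowhere else.
TRACE = [
    ("p1", "read_config"), ("p1", "write_log"), ("p1", "fork"),
    ("p2", "read_config"), ("p2", "write_log"), ("p2", "fork"),
    ("p3", "read_config"), ("p3", "write_log"), ("p3", "fork"),
    ("p4", "read_config"), ("p4", "write_log"), ("p4", "fork"),
    ("p5", "read_config"), ("p5", "fork"),
    ("p6", "read_config"), ("p6", "write_log"), ("p6", "net_connect"),
    ("p7", "read_config"), ("p7", "write_log"), ("p7", "net_connect"),
    ("p8", "read_config"), ("p8", "read_secret"), ("p8", "net_connect"),
    ("p8", "exec_tmp"),
]


def activity_sets(trace):
    """Feature extraction: the set of activity labels each process exhibited."""
    feats = {}
    for proc, act in trace:
        feats.setdefault(proc, set()).add(act)
    return feats


def mine_associations(feats, min_support=0.25, min_conf=0.7, rare_max=1):
    """Learn frequent implications a -> b (support and confidence thresholds
    are assumptions) and rare associations (items/pairs seen in <= rare_max
    processes) from all processes, without labels."""
    n = len(feats)
    single = Counter(a for acts in feats.values() for a in acts)
    pair = Counter()
    for acts in feats.values():
        for a, b in combinations(sorted(acts), 2):
            pair[(a, b)] += 1
    implications = {}
    for (a, b), cnt in pair.items():
        if cnt / n < min_support:
            continue
        for x, y in ((a, b), (b, a)):
            conf = cnt / single[x]          # P(y present | x present)
            if conf >= min_conf:
                implications[(x, y)] = conf
    rare_items = {a for a, c in single.items() if c <= rare_max}
    rare_pairs = {p for p, c in pair.items() if c <= rare_max}
    return implications, rare_items, rare_pairs


def rank_processes(feats, implications, rare_items, rare_pairs):
    """Score each process by the frequent implications it violates (antecedent
    present, consequent absent) and the rare associations it exhibits, then
    rank. Each result keeps the evidence so the ranking is explainable."""
    results = []
    for proc, acts in feats.items():
        violated = {(a, b): conf for (a, b), conf in implications.items()
                    if a in acts and b not in acts}
        rare = [(a,) for a in sorted(rare_items & acts)]
        rare += sorted(p for p in rare_pairs if p[0] in acts and p[1] in acts)
        score = sum(violated.values()) + len(rare)   # scoring rule is an assumption
        results.append({"process": proc, "score": score,
                        "violated": violated, "rare": rare})
    results.sort(key=lambda r: (-r["score"], r["process"]))
    return results


def analyze(trace):
    """End-to-end: trace -> features -> learned associations -> ranked anomalies."""
    feats = activity_sets(trace)
    implications, rare_items, rare_pairs = mine_associations(feats)
    return rank_processes(feats, implications, rare_items, rare_pairs)


def explain(result):
    """Render one ranked entry as human-readable implications."""
    lines = [f"{result['process']} score={result['score']:.2f}"]
    for (a, b), conf in sorted(result["violated"].items()):
        lines.append(f"  violates {a} -> {b} (confidence {conf:.2f})")
    for assoc in result["rare"]:
        lines.append(f"  rare association {' & '.join(assoc)}")
    return "\n".join(lines)


if __name__ == "__main__":
    for r in analyze(TRACE):
        print(explain(r))
```

Running the block ranks p8 first (it violates read_config -> write_log and exhibits seven rare associations), p5 second (it only violates two frequent implications), and leaves the benign profiles at zero. The point to take from it is the shape of the explanation: every flagged process comes with the implications it broke and the associations that made it rare, which is what lets an analyst check the verdict rather than trust a score.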
