APTSHIELD: A Stable, Efficient and Real-time APT Detection System for Linux Hosts

TL;DR

APTSHIELD is a novel Linux host APT detection system that offers stable, efficient, and real-time attack detection by leveraging kernel data audit, optimized data processing, and an ATT&CK-based detection framework, outperforming existing solutions.

Contribution

This paper introduces APTSHIELD, a comprehensive APT detection system for Linux that improves accuracy, efficiency, and real-time response compared to prior methods.

Findings

Effectively detects web vulnerability, file-less, and remote access Trojan attacks.

Achieves low false positive rate in diverse testing environments.

Reduces data processing overhead through semantic skipping and node pruning.

Abstract

Advanced Persistent Threat (APT) attack usually refers to the form of long-term, covert and sustained attack on specific targets, with an adversary using advanced attack techniques to destroy the key facilities of an organization. APT attacks have caused serious security threats and massive financial loss worldwide. Academics and industry thereby have proposed a series of solutions to detect APT attacks, such as dynamic/static code analysis, traffic detection, sandbox technology, endpoint detection and response (EDR), etc. However, existing defenses are failed to accurately and effectively defend against the current APT attacks that exhibit strong persistent, stealthy, diverse and dynamic characteristics due to the weak data source integrity, large data processing overhead and poor real-time performance in the process of real-world scenarios. To overcome these difficulties, in this paper we propose APTSHIELD, a stable, efficient and real-time APT detection system for Linux hosts. In the aspect of data collection, audit is selected to stably collect kernel data of the operating system so as to carry out a complete portrait of the attack based on comprehensive analysis and comparison of existing logging tools; In the aspect of data processing, redundant semantics skipping and non-viable node pruning are adopted to reduce the amount of data, so as to reduce the overhead of the detection system; In the aspect of attack detection, an APT attack detection framework based on ATT\&CK model is designed to carry out real-time attack response and alarm through the transfer and aggregation of labels. Experimental results on both laboratory and Darpa Engagement show that our system can effectively detect web vulnerability attacks, file-less attacks and remote access trojan attacks, and has a low false positive rate, which adds far more value than the existing frontier work.