LogKernel: A Threat Hunting Approach Based on Behaviour Provenance Graph and Graph Kernel Clustering
Jiawei Li, Ru Zhang, Jianyi Liu, Gongshen Liu

TL;DR
LogKernel is a novel threat hunting approach that uses behavior provenance graph clustering and graph kernels to detect both known and unknown cyber threats effectively.
Contribution
It introduces a new graph kernel clustering method tailored for behavior provenance graphs, enabling detection of unknown attacks beyond existing threat intelligence methods.
Findings
Successfully detects all attack scenarios in tested datasets.
Outperforms state-of-the-art methods in identifying unknown threats.
Reduces false positives through behavior quantification.
Abstract
Cyber threat hunting is a proactive search process for hidden threats in the organization's information system. It is a crucial component of active defense against advanced persistent threats (APTs). However, most of the current threat hunting methods rely on Cyber Threat Intelligence (CTI), which can find known attacks but cannot find unknown attacks that have not been disclosed by CTI. In this paper, we propose LogKernel, a threat hunting method based on graph kernel clustering which can effectively separate attack behaviour from benign activities. LogKernel first abstracts system audit logs into Behaviour Provenance Graphs (BPGs), and then clusters graphs by embedding them into a continuous space using a graph kernel. In particular, we design a new graph kernel clustering method based on the characteristics of BPGs, which can capture structure information and rich label information…
Taxonomy
Topics: Complex Network Analysis Techniques · Information and Cyber Security · Network Security and Intrusion Detection
