Combating Advanced Persistent Threats: Challenges and Solutions
Yuntao Wang, Han Liu, Zhendong Li, Zhou Su, and Jiliang Li

TL;DR
This paper presents a comprehensive approach to defending against advanced persistent threats using provenance graphs, introducing novel detection and reconstruction methods validated through experiments.
Contribution
It proposes a robust APT defense scheme with a distributed audit model, evasion detection strategy, and adversarial subgraph defense, addressing key challenges in the field.
Findings
Effective lateral attack reconstruction demonstrated
Enhanced detection of evasion behaviors achieved
Robust defense against adversarial subgraphs validated
Abstract
The rise of advanced persistent threats (APTs) has marked a significant cybersecurity challenge, characterized by sophisticated orchestration, stealthy execution, extended persistence, and targeting of valuable assets across diverse sectors. Provenance graph-based kernel-level auditing has emerged as a promising approach to enhance visibility and traceability within intricate network environments. However, it still faces challenges including reconstructing complex lateral attack chains, detecting dynamic evasion behaviors, and defending against smart adversarial subgraphs. To bridge the research gap, this paper proposes an efficient and robust APT defense scheme leveraging provenance graphs, including a network-level distributed audit model for cost-effective lateral attack reconstruction, a trust-oriented APT evasion behavior detection strategy, and a hidden Markov model based adversarial…
Peer Reviews
No public reviews on file for this paper yet.
Videos
No videos yet.
Taxonomy
Topics: Scientific Computing and Data Management · Data Quality and Management · Software System Performance and Reliability
