ATLASv2: ATLAS Attack Engagements, Version 2
Andy Riddle, Kim Westfall, Adam Bates

TL;DR
ATLASv2 enhances a cybersecurity dataset by incorporating higher quality background noise and realistic attack scenarios through real user activity and additional logging sources, improving its utility for attack investigation research.
Contribution
It introduces a more realistic and comprehensive dataset with improved benign activity and attack integration, using human researchers and additional logs.
Findings
Enhanced dataset with realistic user behavior logs
Inclusion of Sysmon and VMware Carbon Black Cloud logs
Improved attack scenario realism and data quality
Abstract
ATLASv2 is based on a previously generated dataset included in "ATLAS: A Sequence-based Learning Approach for Attack Investigation." The original ATLAS dataset comprises Windows Security Auditing system logs, Firefox logs, and DNS logs captured via Wireshark. In ATLASv2, we aim to enrich the ATLAS dataset with higher quality background noise and additional logging vantage points. This work replicates the ten attack scenarios described in ATLAS, but extends the logging to include Sysmon logs and events tracked through VMware Carbon Black Cloud. The main contribution of ATLASv2 is to improve the quality of the benign system activity and the integration of the attack scenarios. Instead of relying on automated scripts to generate activity, we had two researchers use the victim machines as their primary workstations throughout the course of the engagement. This allowed us to capture system…
Taxonomy
Topics: Network Security and Intrusion Detection · Digital and Cyber Forensics · Advanced Malware Detection Techniques
