RAPID: Robust APT Detection and Investigation Using Context-Aware Deep Learning
Yonatan Amaru, Prasanna Wudali, Yuval Elovici, Asaf Shabtai

TL;DR
RAPID is a deep learning-based system that improves advanced persistent threat detection by reducing false positives and enhancing interpretability through context-aware anomaly detection and provenance tracing.
Contribution
It introduces a novel, adaptive deep learning approach leveraging self-supervised learning and provenance data for robust APT detection and investigation.
Findings
Higher precision and recall than state-of-the-art methods
Significantly reduced false positives
Effective in real-world scenarios
Abstract
Advanced persistent threats (APTs) pose significant challenges for organizations, leading to data breaches, financial losses, and reputational damage. Existing provenance-based approaches for APT detection often struggle with high false positive rates, a lack of interpretability, and an inability to adapt to evolving system behavior. We introduce RAPID, a novel deep learning-based method for robust APT detection and investigation, leveraging context-aware anomaly detection and alert tracing. By utilizing self-supervised sequence learning and iteratively learned embeddings, our approach effectively adapts to dynamic system behavior. The use of provenance tracing both enriches the alerts and enhances the detection capabilities of our approach. Our extensive evaluation demonstrates RAPID's effectiveness and computational efficiency in real-world scenarios. In addition, RAPID achieves…
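The abstract's "provenance tracing" is the step that turns a single anomalous event into an investigable alert: the audit log is treated as a directed graph of information flow between processes, files and sockets, and the alerted node is traced backwards to the events that causally led to it. The following is an added example of that idea written for this page, not code from the RAPID paper or its authors, and it does not reproduce the paper's self-supervised detection model. The audit record format, the `proc:`/`file:`/`socket:` node naming, the sample log and the alert on the outbound connection are all constructed assumptions.

```python
"""Time-respecting provenance tracing over a constructed audit log.

Added example for illustration only: not RAPID's own code, and the paper's
detector is not reproduced. Event format, node naming and the alert are assumed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int        # monotonically increasing audit timestamp (assumed)
    subject: str   # acting process
    op: str        # read | write | recv | send | exec
    obj: str       # file, socket or child process the subject acts on


# Ops where information flows INTO the subject; for every other op it flows out.
FLOWS_INTO_SUBJECT = {"read", "recv"}


@dataclass(frozen=True)
class Edge:
    ts: int
    src: str   # node information flows from
    dst: str   # node information flows to
    op: str


def flow_edge(ev: Event) -> Edge:
    """Turn a subject/op/object audit record into a directed information-flow edge."""
    if ev.op in FLOWS_INTO_SUBJECT:
        return Edge(ev.ts, ev.obj, ev.subject, ev.op)
    return Edge(ev.ts, ev.subject, ev.obj, ev.op)


def trace(events, start, start_ts, backward=True):
    """Causal traversal of the provenance graph with a per-node time bound.

    Backward (root cause): follow edges INTO a node only if they happened at or
    before the time the node became relevant. Forward (impact): follow edges OUT
    of a node only if they happened at or after that time. This is what keeps an
    unrelated later write to the same file out of a root-cause trace.
    Returns (nodes, edges) reachable under the causality constraint.
    """
    incoming, outgoing = defaultdict(list), defaultdict(list)
    for e in map(flow_edge, events):
        incoming[e.dst].append(e)
        outgoing[e.src].append(e)

    bound = {start: start_ts}
    queue = deque([start])
    seen_edges = set()
    while queue:
        node = queue.popleft()
        for e in (incoming[node] if backward else outgoing[node]):
            if backward and e.ts > bound[node]:
                continue          # happened after the node mattered: not a cause
            if not backward and e.ts < bound[node]:
                continue          # happened before the node mattered: not an effect
            seen_edges.add(e)
            nxt = e.src if backward else e.dst
            old = bound.get(nxt)
            # Backward keeps the latest admissible time, forward the earliest;
            # a node is re-queued only when its bound actually loosened.
            new = e.ts if old is None else (max(old, e.ts) if backward else min(old, e.ts))
            if old is None or new != old:
                bound[nxt] = new
                queue.append(nxt)
    return set(bound), seen_edges


# Constructed sample audit log (not from the paper): a browser downloads a
# script, a shell runs it, the new process reads a secret and sends data out.
# cron/logrotate is unrelated noise, and the vim write at t=9 touches the same
# script file AFTER it was executed, so neither may appear in the root-cause trace.
SAMPLE_EVENTS = [
    Event(1, "proc:firefox[101]", "recv", "socket:10.0.0.5:443"),
    Event(2, "proc:firefox[101]", "write", "file:/tmp/update.sh"),
    Event(3, "proc:bash[202]", "read", "file:/tmp/update.sh"),
    Event(4, "proc:bash[202]", "exec", "proc:update.sh[303]"),
    Event(5, "proc:update.sh[303]", "read", "file:/etc/shadow"),
    Event(6, "proc:update.sh[303]", "send", "socket:203.0.113.9:4444"),
    Event(7, "proc:cron[404]", "exec", "proc:logrotate[505]"),
    Event(8, "proc:logrotate[505]", "write", "file:/var/log/syslog.1"),
    Event(9, "proc:vim[606]", "write", "file:/tmp/update.sh"),
]


def explain_alert(events, alert_node, alert_ts):
    """Enrich an alert with its backward slice: the chain of events that led to
    it and the external entry points (sockets with no further cause) in it."""
    nodes, edges = trace(events, alert_node, alert_ts, backward=True)
    caused = {e.dst for e in edges}
    entry_points = sorted(n for n in nodes if n.startswith("socket:") and n not in caused)
    return {"nodes": nodes,
            "edges": sorted(edges, key=lambda e: e.ts),
            "entry_points": entry_points}


if __name__ == "__main__":
    # Assume a detector flagged the outbound connection at t=6 as anomalous.
    result = explain_alert(SAMPLE_EVENTS, "socket:203.0.113.9:4444", 6)
    for e in result["edges"]:
        print(f"t={e.ts} {e.src} --{e.op}--> {e.dst}")
    print("entry points:", result["entry_points"])
```

The per-node time bound is the part worth copying: without it a naive graph walk would pull in the `vim` write at t=9 (a later edit to a file that had already been executed) and, through shared files such as logs, eventually most of the host, which is exactly the dependency-explosion behind the high false-positive and low-interpretability complaints in the abstract. Running `trace(..., backward=False)` from the recovered entry point gives the forward impact slice for the same incident.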
Taxonomy
Topics: Anomaly Detection Techniques and Applications
