Accurate and Scalable Detection and Investigation of Cyber Persistence Threats

TL;DR

This paper presents CPD, a provenance-based system for detecting cyber persistence threats in APT attacks, significantly reducing false positives through innovative causal analysis and alert triage.

Contribution

The paper introduces pseudo-dependency edges and expert-guided edges to improve detection accuracy and efficiency in identifying persistent threats.

Findings

Reduces false positive rate by 93% compared to existing methods.

Effectively detects persistence setup and execution phases in cyber attacks.

Enhances detection speed and accuracy with novel provenance analysis techniques.

Abstract

In Advanced Persistent Threat (APT) attacks, achieving stealthy persistence within target systems is often crucial for an attacker's success. This persistence allows adversaries to maintain prolonged access, often evading detection mechanisms. Recognizing its pivotal role in the APT lifecycle, this paper introduces Cyber Persistence Detector (CPD), a novel system dedicated to detecting cyber persistence through provenance analytics. CPD is founded on the insight that persistent operations typically manifest in two phases: the "persistence setup" and the subsequent "persistence execution". By causally relating these phases, we enhance our ability to detect persistent threats. First, CPD discerns setups signaling an impending persistent threat and then traces processes linked to remote connections to identify persistence execution activities. A key feature of our system is the introduction of pseudo-dependency edges (pseudo-edges), which effectively connect these disjoint phases using data provenance analysis, and expert-guided edges, which enable faster tracing and reduced log size. These edges empower us to detect persistence threats accurately and efficiently. Moreover, we propose a novel alert triage algorithm that further reduces false positives associated with persistence threats. Evaluations conducted on well-known datasets demonstrate that our system reduces the average false positive rate by 93% compared to state-of-the-art methods.