Attack Effect Model based Malicious Behavior Detection
Limin Wang, Lei Bu, Muzimiao Zhang, Shihong Cang, Kai Ye

TL;DR
This paper introduces FEAD, a novel attack detection framework that improves security event coverage, reduces monitoring overhead, and enhances detection accuracy by leveraging attack models, task decomposition, and locality-aware analysis.
Contribution
The paper presents FEAD, a comprehensive attack detection framework that integrates attack model-driven monitoring, efficient task distribution, and locality-aware anomaly analysis, addressing key limitations of traditional methods.
Findings
FEAD achieves 8.23% higher F1-score than existing solutions.
FEAD operates with only 5.4% monitoring overhead.
The framework effectively detects malicious activities with improved accuracy.
Abstract
Traditional security detection methods face three key challenges: inadequate data collection that misses critical security events, resource-intensive monitoring systems, and poor detection algorithms with high false positive rates. We present FEAD (Focus-Enhanced Attack Detection), a framework that addresses these issues through three innovations: (1) an attack model-driven approach that extracts security-critical monitoring items from online attack reports for comprehensive coverage; (2) efficient task decomposition that optimally distributes monitoring across existing collectors to minimize overhead; and (3) locality-aware anomaly analysis that leverages the clustering behavior of malicious activities in provenance graphs to improve detection accuracy. Evaluations demonstrate FEAD achieves 8.23% higher F1-score than existing solutions with only 5.4% overhead, confirming that…
Taxonomy
Topics: Network Security and Intrusion Detection · Software System Performance and Reliability · Advanced Graph Neural Networks
