APThreatHunter: An automated planning-based threat hunting framework
Mustafa F. Abdelwahed, Ahmed Shafee, Joan Espasa

TL;DR
APThreatHunter is an automated framework that uses planning techniques to generate hypotheses for cyber threat hunting, reducing manual effort and bias, and demonstrated effectiveness with real-world Android malware samples.
Contribution
It introduces an automated planning-based approach to hypothesis generation in cyber threat hunting, minimizing human intervention and bias.
Findings
Effective hypothesis generation with real-world malware data
Reduced time and cost in threat hunting processes
Validated practicality of planning-based approach
Abstract
Cyber attacks threaten economic interests, critical infrastructure, and public health and safety. To counter this, entities adopt cyber threat hunting, a proactive approach that involves formulating hypotheses and searching for attack patterns within organisational networks. Automating cyber threat hunting presents challenges, particularly in generating hypotheses, as it is a manually created and confirmed process, making it time-consuming. To address these challenges, we introduce APThreatHunter, an automated threat hunting solution that generates hypotheses with minimal human intervention, eliminating analyst bias and reducing time and cost. This is done by presenting possible risks based on the system's current state and a set of indicators to indicate whether any of the detected risks are happening or not. We evaluated APThreatHunter using real-world Android malware samples, and the…
