Litcius/Paper detail

APTHunter: Detecting Advanced Persistent Threats in Early Stages

Moustafa Mahmoud, Mohammad Mannan, Amr Youssef

2022Digital Threats Research and Practice30 citationsDOIOpen Access PDF

Abstract

We propose APTHunter, a system for prompt detection of Advanced and Persistent Threats (APTs) in early stages. We provide an approach for representing the indicators of compromise that appear in the cyber threat intelligence reports and the relationships among them as provenance queries that capture the attacker’s malicious behavior. We use the kernel audit log as a reliable source for system activities and develop an optimized whole system provenance graph that provides the causal relationships and information flows among system entities in a compact format. Then, we model the threat hunting as a behavior match problem by applying provenance queries to the optimized provenance graph to find any hits as indicators of an APT attack. We evaluate APTHunter on adversarial engagements from DARPA over different OS platforms, as well as real-world APT campaigns. Based on our experimental results, APTHunter promptly and reliably detects attack artifacts in early stages.

Topics & Concepts

Computer scienceProvenanceAdversarial systemGraphCompromiseComputer securityData miningTheoretical computer scienceArtificial intelligencePetrologyGeologySociologySocial scienceAdvanced Malware Detection TechniquesNetwork Security and Intrusion DetectionScientific Computing and Data Management