Computer science
Auditing
Intrusion detection systems
Graphs
Data mining
Key (lock)
Audit trail
Machine learning
Artificial intelligence
Computer security
Theoretical computer science
Economics
Management
Authors
Yuedong Pan,Liang Cai,Tao Leng,Lei Zhao,Jiangang Ma,Aimin Yu,Dan Meng
Source
Journal: Security and Privacy in Communication Networks
Date: 2023-01-01
Pages: 510-528
Identifier
DOI: 10.1007/978-3-031-25538-0_27
Abstract
In an enterprise environment, intrusion detection systems generate many threat alerts on anomalous events every day, and these alerts may correspond to individual steps of a long-dormant advanced persistent threat (APT). In this paper, we present AttackMiner, an attack detection framework that combines contextual information from audit logs. Our main observation is that the same attack behavior may occur in various possible contexts, and combining the various possible contextual information can provide more effective evidence for detecting such attacks. We utilize a combination of provenance graph causal analysis and deep learning techniques to build a graph-structure-based model that learns key patterns of attack graphs and benign graphs from audit logs. During detection, the system creates provenance graphs from the input audit logs; after these graphs are optimized by our customized graph optimization mechanism, the system identifies whether an attack has occurred. Our evaluations on the DARPA TC dataset show that AttackMiner can successfully detect attack behaviors with high accuracy and efficiency. Through this effort, we provide security investigators with a new approach to identifying attack activity from audit logs.