
Multi-step Attack Detection Using Provenance Graph

Posted on: 2020-10-04
Degree: Master
Type: Thesis
Country: China
Candidate: H Yu
Full Text: PDF
GTID: 2518306548494194
Subject: Cyberspace security
Abstract/Summary:
Nowadays, sophisticated APT (Advanced Persistent Threat) attacks conducted by skilled adversaries are increasing. These adversaries combine social engineering techniques (such as phishing) with advanced exploit techniques to quietly attack their targets. Such attacks often involve multiple attack steps, and the process may include 0-day attacks, which exploit vulnerabilities unknown to the public, including network defenders. This information gap between attackers and defenders makes the detection of 0-day attacks extremely difficult, so new strategies and tools are needed to detect these multi-step attacks.

To overcome the aforementioned problems, we first parse the system audit log, which records all interactions between the system and the kernel. We then construct a provenance graph from the audit log and control the scale of the graph with graph compaction. Finally, we find the attack path in the graph and detect the multi-step attack. The contributions of this paper are summarized as follows:

1. We construct a version-based provenance graph from the system audit log and then identify the attack paths hidden in it. We define rules to match attack behavior on the graph, find the interconnections between the various attack stages, and design a multi-step attack detection algorithm that explores the attack path and reveals the attacker's intention.

2. We propose a methodology for compacting the large-scale provenance graph. Massive graph data not only causes large time and space overhead but also causes a path explosion problem due to the sheer number of search paths. This paper uses graph compaction to remove nodes unrelated to the attack path and control the number of nodes in the graph.

3. We design and implement a system prototype that effectively detects multi-step attacks. The system applies label propagation to avoid repeated graph traversal and improve system efficiency.
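As an added illustration (not the thesis's code), the pipeline the abstract describes reduced to a toy in Python: constructed audit records become an information-flow graph, the "untrusted" and "sensitive" labels are each propagated once, unlabeled nodes are compacted away, and a multi-step exfiltration rule is matched on the labels alone, so no second traversal is needed. The records, node names and the rule are assumptions for illustration, and the thesis's node versioning is not modelled.

```python
from collections import defaultdict, deque
AUDIT_LOG = [  # constructed records, not real telemetry: (subject, op, object)
    ("firefox", "recv", "socket:203.0.113.9:443"),   # untrusted input
    ("firefox", "write", "/tmp/update.sh"),
    ("bash", "read", "/tmp/update.sh"),
    ("bash", "read", "/etc/shadow"),
    ("bash", "send", "socket:203.0.113.9:4444"),      # data leaves the host
    ("cron", "read", "/etc/crontab"),                 # benign, unrelated
]
UNTRUSTED, SENSITIVE = {"socket:203.0.113.9:443"}, {"/etc/shadow"}  # label seeds

def build_graph(records):
    """Edges follow information flow: read/recv object->subject, else subject->object."""
    g = defaultdict(set)
    for subj, op, obj in records:
        src, dst = (obj, subj) if op in ("read", "recv") else (subj, obj)
        g[src].add(dst)
    return dict(g)

def propagate(g, seeds, label, labels, parent):
    """One BFS per label; each node is visited at most once (no repeated traversal)."""
    q = deque(seeds)
    for s in seeds:
        labels[s].add(label)
    while q:
        n = q.popleft()
        for m in g.get(n, ()):
            if label not in labels[m]:
                labels[m].add(label)
                parent[(label, m)] = n
                q.append(m)

def compact(g, labels):
    keep = {n for n, ls in labels.items() if ls}  # unlabeled nodes: never on a path
    return {n: {m for m in g.get(n, ()) if m in keep} for n in keep}

def detect_exfiltration(records):
    """Rule: sink socket carrying both labels. Returns (attack path, compacted size)."""
    g = build_graph(records)
    labels, parent = defaultdict(set), {}
    propagate(g, UNTRUSTED, "untrusted", labels, parent)
    propagate(g, SENSITIVE, "sensitive", labels, parent)
    g = compact(g, labels)
    for n in g:  # untrusted input drove a process that read sensitive data and sent it
        if n.startswith("socket:") and {"untrusted", "sensitive"} <= labels[n]:
            path = [n]  # walk back along "untrusted" parents to the entry point
            while ("untrusted", path[-1]) in parent:
                path.append(parent[("untrusted", path[-1])])
            return path[::-1], len(g)
    return None, len(g)
```

Running `detect_exfiltration(AUDIT_LOG)` returns the five-node path from the inbound socket to the outbound one, with the cron activity compacted away.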
Keywords/Search Tags: Multi-Step Attack Detection, Multi-Step Attack Correlation Analysis, Attack Scenario