
Anomaly Traceability Method Combining System Log Detection And Provenance Graph

Posted on: 2022-12-12
Degree: Master
Type: Thesis
Country: China
Candidate: Z Q Yu
GTID: 2518306764480294
Subject: Software engineering

Abstract/Summary:
With the continuous development of network communication and computer technology, network security and computer security increasingly affect people's lives and production. In the course of this development, the commercial information of enterprises and state secret information inevitably become the focus of "hackers". With the continuous innovation of attack techniques, global advanced persistent threat activity is becoming more active, and more attack methods are hidden inside normal business logic, which makes malicious attacks harder to detect and harder to obtain evidence for after detection. Therefore, how to detect malicious behaviour among a large volume of normal behaviour, and how to infer the attack process from the detection results, are two important research directions in current computer security. Among current detection and traceability methods it is common to rely on a single data carrier, either the system log or the provenance graph. However, current system-log-based detection and traceability methods have low accuracy and high efficiency, while provenance-graph-based methods have low efficiency and high accuracy, which shows that the imbalance between the accuracy and the efficiency of detection and traceability still exists.

To solve this problem, this paper proposes an anomaly traceability method that combines system log detection and the provenance graph. The method consists of three parts: coarse- and fine-grained log collection and detection; log preprocessing and graph construction; and attack path extraction. The coarse- and fine-grained log collection and detection part first collects fine-grained logs by deploying CamFlow, and then applies the log detection method to the coarse-grained logs. The log preprocessing and graph construction part first processes the fine-grained logs, matches their attributes, filters out the logs that describe only a single entity, and then converts the remaining logs into quintuples in JSON format. The algorithm hashes the attributes in each quintuple so that it conforms to the format required by the subsequent graph construction, and finally builds a preliminary provenance graph by merging some nodes. The attack path extraction part first weights the provenance graph using the outlier calculation method proposed in this paper, then re-simplifies the provenance graph according to the graph reconstruction rules, and finally extracts the paths with the largest weights.

Based on the proposed method, an anomaly traceability prototype system combining system log detection and the provenance graph is designed and implemented, and each module of the system is tested on a simulated data set containing 16 types of attacks and a total of 290 million logs. Finally, on both the simulated data sets and real data sets, the method is compared with four existing methods: OmegaLog, NoDoze, ALchemist and UNICORN. The experimental results show that the processing efficiency of the proposed method is 6.4 times, 1.2 times, 8.2 times and 1.2 times that of these four methods respectively, and its false positive rate is lower than that of the comparison methods. This shows that the proposed method preserves the accuracy of its results while achieving high processing efficiency, and verifies that it better balances processing efficiency and accuracy.
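The graph construction and path extraction pipeline described above, as an added illustration that is not the thesis's own code: JSON quintuples are parsed, single-entity records are filtered out, attributes are hashed into node keys (which also merges repeated entities), edges are weighted and the graph is simplified before the heaviest path is extracted. The field names, the sample events and the rarity-based edge weight (negative log of edge frequency, standing in for the thesis's outlier score) are all assumptions, as is the pruning threshold.

```python
import hashlib, json, math
from collections import Counter

# Constructed sample quintuples (not from the thesis); the last record names a single entity.
SAMPLE_LOG = "\n".join([
    '{"subject":"bash","action":"exec","object":"ls","pid":101,"ts":1}',
    '{"subject":"bash","action":"exec","object":"ls","pid":101,"ts":2}',
    '{"subject":"bash","action":"exec","object":"curl","pid":101,"ts":3}',
    '{"subject":"curl","action":"connect","object":"203.0.113.9:443","pid":102,"ts":4}',
    '{"subject":"curl","action":"write","object":"/tmp/dl.bin","pid":102,"ts":5}',
    '{"subject":"bash","action":"exec","object":"/tmp/dl.bin","pid":101,"ts":6}',
    '{"subject":"/tmp/dl.bin","action":"connect","object":"203.0.113.9:443","pid":103,"ts":7}',
    '{"subject":"cron","action":"fork","object":null,"pid":7,"ts":8}',
])

def node_id(name):
    return hashlib.sha256(name.encode()).hexdigest()[:12]  # hash attributes into fixed-width node keys

def build_graph(log_text):
    """Drop single-entity records and merge repeated (src, dst) pairs into one edge with action counts."""
    names, edges = {}, {}
    for line in log_text.splitlines():
        rec = json.loads(line)
        if not rec.get("object"):            # describes one entity only: no provenance edge
            continue
        src, dst = node_id(rec["subject"]), node_id(rec["object"])
        names[src], names[dst] = rec["subject"], rec["object"]
        edges.setdefault((src, dst), Counter())[rec["action"]] += 1
    return names, edges

def weight_edges(edges):
    """Assumed stand-in for the thesis's outlier score: rarer edge patterns weigh more (-log frequency)."""
    total = sum(sum(c.values()) for c in edges.values())
    return {e: -math.log(sum(c.values()) / total) for e, c in edges.items()}

def max_weight_path(names, weights, min_weight=1.5):
    """Graph reconstruction: keep only edges above min_weight, then return the heaviest simple path."""
    adj = {}
    for (s, d), w in weights.items():
        if w >= min_weight:
            adj.setdefault(s, []).append((d, w))
    best = ([], 0.0)
    def walk(path, total):
        nonlocal best
        best = max(best, (path, total), key=lambda b: b[1])
        for nxt, w in adj.get(path[-1], []):
            if nxt not in path:               # simple paths only, no cycles through merged nodes
                walk(path + [nxt], total + w)
    for start in adj:
        walk([start], 0.0)
    return [names[n] for n in best[0]]
```

On the sample, the routine `bash exec ls` edge is pruned and the extracted path is the rare download, execute and connect chain.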
Keywords/Search Tags:System log, Provenance graph, Anomaly detection, Data provenance