Evolving Advanced Persistent Threat Detection using Provenance Graph and Metric Learning

Ayoade, Gbadebo; Akbar, Khandakar Ashrafi; Sahoo, Pracheta; Gao, Yang; Agarwal, Anmol; Jee, Kangkook; Khan, Latifur; Singhal, Anoop

doi:10.1109/cns48642.2020.9162264

Cited by 10 publications

(2 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A detection model that is capable to identify novel APT attacks is proposed in [29] by analyzing provenance graphs derived from system events. By using online metric learning (OML), their model learns a latent feature embedding by minimizing the distance between provenance subgraphs of the same class and maximizing the distance between subgraphs of diferent classes.…”

Section: Related Workmentioning

confidence: 99%

SR2APT: A Detection and Strategic Alert Response Model against Multistage APT Attacks

Fan

Perigo

Curry

2023

Security and Communication Networks

View full text Add to dashboard Cite

Advanced persistent threats are an emerging cyber threat to cyber-physical systems (CPS), especially those comprising mission-critical physical assets. However, defense against such attacks is challenging, due to their sophistication, stealthiness, and zero-day exploitation. Existing works in this area mainly focus on the detection of APT, but it might be too late or too costly to impede APT when it is detected with high confidence. Therefore, this work focuses on CPS intrusion detection and prevention against APT attacks and aims at preventing such attacks in earlier stages through a strategic response policy to imperfect APT alerts by leveraging the multistage characteristic of APT and a deep reinforcement learning formulation. A novel host-based APT detection and response model called SR2APT is proposed, which consists of a detection engine and a decision engine. The detection engine is based on graph convolutional network, which classifies a stream of system log provenance subgraphs as an APT stage or benign. Then, the detection results are transmitted to the decision engine sequentially, which is trained based on deep reinforcement learning and outputs the optimal response actions to APT alerts. Experimental results show that the GCN-based detection engine obtains 94% classification accuracy on a semisynthetic dataset of system logs and outperforms classification models based on SVM, CNN, and LSTM. The strategic alert response policy from the decision engine is compared with two baseline fixed response policies, and it achieves the best trade-off between preventing APT attacks and minimizing the impediments of mistaken active defense actions to benign activities that generate false alerts, thus obtaining the highest total rewards in the defense against APT attacks.

show abstract

Section: Related Workmentioning

confidence: 99%

SR2APT: A Detection and Strategic Alert Response Model against Multistage APT Attacks

Fan

Perigo

Curry

2023

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…For instance, CloudPets, which manufactures smart stuffed toys for children, stored all the data (i.e., email, password, photos, voice recordings) in the unsafe cloud, exposing over 820, 000 user accounts including 2.2 million voice recordings [20]. In addition, adversaries may physically access the machines or obtain root privileges of the machines deployed at the service providers premises and thus steal sensitive information with ease [21].…”

Section: Introductionmentioning

confidence: 99%

Secure IoT Data Analytics in Cloud via Intel SGX

Islam¹,

Özdayi²,

Khan³

et al. 2020

Preprint

Self Cite

View full text Add to dashboard Cite

The growing adoption of IoT devices in our daily life is engendering a data deluge, mostly private information that needs careful maintenance and secure storage system to ensure data integrity and protection. Also, the prodigious IoT ecosystem has provided users with opportunities to automate systems by interconnecting their devices and other services with rule-based programs. The cloud services that are used to store and process sensitive IoT data turn out to be vulnerable to outside threats. Hence, sensitive IoT data and rule-based programs need to be protected against cyberattacks. To address this important challenge, in this paper, we propose a framework to maintain confidentiality and integrity of IoT data and rulebased program execution. We design the framework to preserve data privacy utilizing Trusted Execution Environment (TEE) such as Intel SGX, and end-to-end data encryption mechanism. We evaluate the framework by executing rule-based programs in the SGX securely with both simulated and real IoT device data.

show abstract