TRACE: Enterprise-Wide Provenance Tracking for Real-Time APT Detection

Irshad, Hassaan; Ciocarlie, Gabriela F.; Gehani, Ashish; Yegneswaran, Vinod; Lee, Kyu Hyoung; Patel, Jignesh M.; Jha, Somesh; Kwon, Yonghwi; Xu, Dongyan; Zhang, Xiangyu

doi:10.1109/tifs.2021.3098977

Cited by 34 publications

(20 citation statements)

References 34 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Irshad et al [13] have proposed TRACE, a provenance tracking system for enterprise-wide APT detection. TRACE offers host-level provenance tracking at the granularity of program executions units and integrates provenance collected from individual hosts to construct distributed enterprise-wide causal graphs.…”

Section: A Apt Detection In Enterprise Networkmentioning

confidence: 99%

See 1 more Smart Citation

RAPTOR: Advanced Persistent Threat Detection in Industrial IoT via Attack Stage Correlation

Kumar¹,

Thing²

2023

Preprint

View full text Add to dashboard Cite

IIoT (Industrial Internet-of-Things) systems are getting more prone to attacks by APT (Advanced Persistent Threat) adversaries. Past APT attacks on IIoT systems such as the 2016 Ukrainian power grid attack which cut off the capital Kyiv off power for an hour and the 2017 Saudi petrochemical plant attack which almost shut down the plant's safety controllers have shown that APT campaigns can disrupt industrial processes, shut down critical systems and endanger human lives. In this work, we propose RAPTOR, a system to detect APT campaigns in IIoT environments. RAPTOR detects and correlates various APT attack stages (adapted to IIoT) using multiple data sources. Subsequently, it constructs a high-level APT campaign graph which can be used by cybersecurity analysts towards attack analysis and mitigation. A performance evaluation of RAPTOR's APT stage detection stages shows high precision and low false positive/negative rates. We also show that RAPTOR is able to construct the APT campaign graph for APT attacks (modelled after real-world attacks on ICS/OT infrastructure) executed on our IIoT testbed.

show abstract

Section: A Apt Detection In Enterprise Networkmentioning

confidence: 99%

“…• While [10], [11], [13] have been designed using audit logs-based provenance and [14] has been designed using enterprise logs, [12] has been designed using network IDS alerts. Since each of these works is based on a single data source, they are unable to leverage the information provided by other data sources.…”

Section: A Apt Detection In Enterprise Networkmentioning

confidence: 99%

RAPTOR: Advanced Persistent Threat Detection in Industrial IoT via Attack Stage Correlation

Kumar¹,

Thing²

2023

Preprint

View full text Add to dashboard Cite

show abstract

“…For those interested in more details about the commonly used datasets, refer to Nisioti et al (2018) and Ring et al (2019). Irshad et al (2021) used a host monitoring component to collect forensic artifacts at runtime, which was evaluated with five attack engagements conducted experimentally. The artifacts were collected from two perspectives, namely system calls and unit-based selective instrumentation (UBSI).…”

Section: Literature Reviewmentioning

confidence: 99%

Toward situational awareness in threat detection. A survey

Rendall

Mylonas

Vidalis

2021

WIREs Forensic Science

View full text Add to dashboard Cite

The pervasiveness of the Internet did not come without security risk. The current threat landscape is characterized by the rise of sophisticated cyber attacks, which target user devices and corporate infrastructure. To tackle the risk of compromise, data-driven detection strategies have become increasingly mainstream. The relevant literature includes many works that leverage opensource datasets, supervised learning or, less commonly, unsupervised learning. However, advanced network attacks' spatial and temporal characteristics prove standalone threat detection systems inadequate, especially for detecting a multi-stage attack and often stealthy techniques. Moreover, attackers have been demonstrating adversarial effects that are caused by deception and contaminating data-driven methods with adversarial learning. For these reasons, recent research in threat detection is moving away from commonly, and often obsolete, datasets as well as adopting more multi-layered decision strategies.As such, this article provides a comprehensive review of decision strategies. We also examine their ability to support cyber situational awareness (CSA), providing to security analysts CSA properties such as situation assessment and system refinement.

show abstract

“…Compared to the network traffic that cannot fully reflect the semantics of the behavior, kernel-level events are more traceable and immune to encryption. Therefore, many researchers use kernel-level events for cyber security, such as [1,2,3,4,5,6].…”

Section: Introductionmentioning

confidence: 99%

Kellect: a Kernel-Based Efficient and Lossless Event Log Collector

Chen¹,

Song²,

Qiu³

et al. 2022

Preprint

View full text Add to dashboard Cite

As an essential element for log analysis, the system kernel-based event can be effectively employed in the hybrid computing environment integrated with cloud, edge, and endpoint for intelligent threat detection. However, the issues of massiveness, heterogeneity, and semantic redundancy have become the biggest challenges in event-based security analysis. Unfortunately, there is no comprehensive tool to collect and analyze its kernel logs for the widely used OS Windows. This paper proposes a kernel-based event log collector named Kellect, a multi-thread tool built on ETW(events tracing for Windwos). Kellect can provide very compressed but most valuable kernel event data for generalpurpose analysis on software anomaly detection. Experimental results in real-world show that Kellect can collect kernel event logs generated from FileIO, Process, Thread, Images, Register, and Network, with efficient and lossless. The total performance is three times higher than that of existing tools. The CPU cost stays only at around 1%, while the memory consumption is less than 50MB. As an important application case, the data collected by Kellect is proved to be utilized to build proper model to detect APT after transformed into provenance graphs with complete semantics. At last, a large experiments for the full techniques from ATT&CK are conducted, and the full relevant log dataset is collected using Kellect. To our best knowledge, it is the first precise and public benchmark sample dataset for kernel event-based APT detection.

show abstract

TRACE: Enterprise-Wide Provenance Tracking for Real-Time APT Detection

Cited by 34 publications

References 34 publications

RAPTOR: Advanced Persistent Threat Detection in Industrial IoT via Attack Stage Correlation

RAPTOR: Advanced Persistent Threat Detection in Industrial IoT via Attack Stage Correlation

Toward situational awareness in threat detection. A survey

Kellect: a Kernel-Based Efficient and Lossless Event Log Collector

Contact Info

Product

Resources

About