Multi-Stage Attack Detection via Kill Chain State Machines
Florian Wilkens, Felix Ortmann, Steffen Haas, Matthias Vallentin, Mathias Fischer
Proceedings of the 3rd Workshop on Cyber-Security Arms Race
DOI: 10.1145/3474374.3486918 (https://doi.org/10.1145/3474374.3486918)
Publication date: 2021-03-26
Citations: 13
Abstract
Today, human security analysts need to sift through large volumes of alerts that they have to triage during investigations. This alert fatigue results in failure to detect complex attacks, such as advanced persistent threats (APTs), because they manifest over long time frames and attackers tread carefully to evade detection mechanisms. In this paper, we contribute a new method to synthesize scenario graphs from state machines. We use the network direction to derive potential attack stages from single and meta-alerts and model the resulting attack scenarios in a kill chain state machine (KCSM). Our algorithm yields a graphical summary of the attack, called an APT scenario graph, where nodes represent involved hosts and edges represent infection activity. We evaluate the feasibility of our approach by injecting an APT campaign into a network traffic data set containing both benign and malicious activity. Our approach then generates a set of APT scenario graphs that contain our injected campaign while reducing the overall alert set by up to three orders of magnitude. This reduction makes it feasible for human analysts to effectively triage potential incidents.
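To make the idea of a per-host kill chain state machine concrete, the following sketch is an added example and not the paper's algorithm or code. The stage list, the mapping from (network direction, alert category) to a candidate stage, the rule that outbound and internal activity only counts once the source host is already compromised, and the sample alerts are all assumptions chosen for illustration; the abstract does not specify them. It shows how direction-aware state tracking keeps only alerts that are consistent with an ongoing infection and turns them into host-to-host edges, which is where the alert reduction comes from.

```python
# Assumed kill-chain stage order; the abstract does not list the paper's stages.
STAGES = ["reconnaissance", "delivery", "exploitation",
          "command_and_control", "lateral_movement", "exfiltration"]
RANK = {s: i for i, s in enumerate(STAGES)}
COMPROMISED = RANK["exploitation"]   # a host at or past this stage is treated as infected

# Assumed mapping from (network direction, IDS alert category) to a candidate stage.
# Direction is relative to the monitored network: inbound = external -> internal,
# internal = internal -> internal, outbound = internal -> external.
STAGE_OF = {
    ("inbound", "scan"): "reconnaissance",
    ("inbound", "malware"): "delivery",
    ("inbound", "exploit"): "exploitation",
    ("outbound", "beacon"): "command_and_control",
    ("internal", "exploit"): "lateral_movement",
    ("outbound", "transfer"): "exfiltration",
}


def build_scenario_graph(alerts):
    """Run every alert through a per-host kill chain state machine and keep only
    transitions consistent with an ongoing infection.

    Returns (edges, state): edges are (src, dst, stage) triples forming the scenario
    graph; state maps each internal host to the index of its highest stage reached.
    """
    state = {}      # host -> highest stage index reached
    edges = []
    for a in alerts:
        stage = STAGE_OF.get((a["direction"], a["category"]))
        if stage is None:
            continue                                  # not attributable to any stage
        r = RANK[stage]
        src, dst = a["src"], a["dst"]
        if a["direction"] == "inbound":
            # An external source acts on an internal victim. A stage earlier than the
            # victim's current one (e.g. a scan after exploitation) is treated as noise.
            if r < state.get(dst, -1):
                continue
            state[dst] = max(state.get(dst, -1), r)
        else:
            # Outbound and internal activity only counts once the source is already
            # compromised; otherwise the alert is dropped as an unsupported singleton.
            if state.get(src, -1) < COMPROMISED:
                continue
            if a["direction"] == "internal":
                # Lateral movement makes the destination a compromised host too.
                state[dst] = max(state.get(dst, -1), COMPROMISED)
            state[src] = max(state[src], r)
        edges.append((src, dst, stage))
    return edges, state


# Constructed sample alerts (documentation address ranges), not from the paper's data set.
ALERTS = [
    {"src": "203.0.113.5",  "dst": "10.0.0.7",     "direction": "inbound",  "category": "scan"},
    {"src": "203.0.113.5",  "dst": "10.0.0.7",     "direction": "inbound",  "category": "exploit"},
    {"src": "10.0.0.7",     "dst": "198.51.100.9", "direction": "outbound", "category": "beacon"},
    {"src": "10.0.0.12",    "dst": "198.51.100.9", "direction": "outbound", "category": "beacon"},
    {"src": "10.0.0.7",     "dst": "10.0.0.20",    "direction": "internal", "category": "exploit"},
    {"src": "10.0.0.20",    "dst": "198.51.100.9", "direction": "outbound", "category": "transfer"},
    {"src": "203.0.113.77", "dst": "10.0.0.7",     "direction": "inbound",  "category": "scan"},
    {"src": "10.0.0.30",    "dst": "10.0.0.31",    "direction": "internal", "category": "exploit"},
]

if __name__ == "__main__":
    edges, state = build_scenario_graph(ALERTS)
    print(f"{len(ALERTS)} alerts -> {len(edges)} scenario-graph edges")
    for src, dst, stage in edges:
        print(f"  {src} -> {dst}  [{stage}]")
    for host, idx in state.items():
        print(f"  {host}: reached {STAGES[idx]}")
```

Of the eight constructed alerts, five survive as edges: the beacon from 10.0.0.12 and the internal exploit from 10.0.0.30 are dropped because neither source host has any prior infection evidence, and the late scan against 10.0.0.7 is dropped as a stage regression. A real implementation would also have to handle meta-alerts, time windows and stage sets per campaign, which this sketch leaves out.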