WATSON: Abstracting Behaviors from Audit Logs via Aggregation of Contextual Semantics
Jun Zeng, Zheng Leong Chua, Yinfang Chen, Kaihang Ji, Zhenkai Liang, Jian Mao
Proceedings 2021 Network and Distributed System Security Symposium
DOI: 10.14722/NDSS.2021.24549 (https://doi.org/10.14722/NDSS.2021.24549)
Citations: 34
Abstract
Endpoint monitoring solutions are widely deployed in today's enterprise environments to support advanced attack detection and investigation. These monitors continuously record system-level activities as audit logs and provide deep visibility into security incidents. Unfortunately, to recognize behaviors of interest and detect potential threats, cyber analysts face a semantic gap between low-level audit events and high-level system behaviors. To bridge this gap, existing work largely matches streams of audit logs against a knowledge base of rules that describe behaviors. However, specifying such rules heavily relies on expert knowledge. In this paper, we present WATSON, an automated approach to abstracting behaviors by inferring and aggregating the semantics of audit events. WATSON uncovers the semantics of events through their usage context in audit logs. By extracting behaviors as connected system operations, WATSON then combines event semantics as the representation of behaviors. To reduce analysis workload, WATSON further clusters semantically similar behaviors and distinguishes the representatives for analyst investigation. In our evaluation against both benign and malicious behaviors, WATSON exhibits high accuracy for behavior abstraction. Moreover, WATSON can reduce analysis workload by two orders of magnitude for attack investigation.