A multi-source log semantic analysis-based attack investigation approach

Abstract

As Advanced Persistent Threats (APT) become increasingly complex and destructive, security analysts often use log data for performing attack investigation. Existing approaches based on single-source logs fail to capture the causal dependencies between complex attack behaviors. We propose a novel attack investigation approach based on the semantic analysis of multi-source logs. This approach constructs a provenance graph that integrates both application and operating system logs, which can reduce the false positive rate in the attack investigation. Given the substantial size of the graph generated from multi-source logs, we reduce its complexity by merging repeated log events, deleting unreachable nodes, and removing temporary file nodes. To resolve the issue of lacking explicit objectives in current attack investigation approaches, we introduce a new multi-stage investigation approach that enhances the speed of attack investigation. This approach divides an intrusion process into seven distinct attack stages and use a graph pattern matching algorithm to match attack subgraphs belonging to specific attack stages with the provenance graph. This results in an intrusion process composed of attack subgraphs representing individual stages. Experimental results demonstrate that our attack investigation approach increases precision by 15.1% and recall by 12.2%. In terms of time efficiency, our approach reduces investigation time by over 60%, with a minimal decrease of less than 2% in the F1 score.