FineGCP: Fine-grained dependency graph community partitioning for attack investigation

Abstract

With the fierce game between attack and defense technology, network security threats become increasingly covert. Dependency graphs generated from system audit logs are currently critical tools for attack investigating. However, these graphs typically encounter the dependency explosion (edges usually exceeding 100k), making it challenging for security experts to directly analyze the attack behaviors. To reduce analysts’ workload and retain all attack activities in the dependency graph, recent research has proposed community partitioning algorithms on dependency graph. However, they fail to handle the entity involving multiple system tasks, and leave a mixture of entities associated with both attack-related tasks and normal system tasks in the graph, making the analysis of attack investigation difficult.

In this paper, we propose FineGCP, a novel fine-grained dependency graph partitioning method to address the issue of entity involving different tasks. The key idea is to distinguish entities involved in different system tasks, and assign entities performing the same task to the same community. To this end, we first introduce an execution partitioning technique that divides entities in the graph into fine-grained execution units based on their tasks. Second, considering system tasks are usually completed through the collaboration of multiple entities, we developed a graph partitioning technique for performing node embedding and community partitioning on the entities in the fine-grained dependency graphs through leveraging distinct topological structures formed by different tasks. We evaluate the effectiveness of FineGCP using two public datasets. The experimental results demonstrate that FineGCP aggregates attack nodes into an average of 1.34 communities, with 97% of the nodes in these communities being attack-related nodes, effectively aiding in attack investigations.