Commander: A robust cross-machine multi-phase Advanced Persistent Threat detector via provenance analytics

Abstract

Intrusion detection systems (IDS) have traditionally focused on identifying malicious behaviors caused by malware undertaking a series of suspicious activities within a short time. Facing Advanced Persistent Threat (APT) actors employing the so-called low-and-slow strategy, defenders are often blindsided by the poor performance of these IDS. Provenance-based IDS (PIDS) emerged as a promising solution for reducing false alerts, detecting true attacks, and facilitating attack investigation, by causally linking and contextualizing indicative system activities in provenance graphs. However, most existing PIDS can detect neither multi-phase nor cross-machine APT attacks, enabled by persistence and lateral movement techniques, respectively. In the present work, we propose a new PIDS called Commander, which is, to our knowledge, the first system capable of detecting cross-machine multi-phase APT attacks. Further, Commander targets several evasion attacks that can bypass existing PIDS, making it more robust. In addition, Commander can perform whole network tracing for cross-machine multi-phase APT attacks across an industrial-sector organization, for which we additionally develop parsers for system logs of popular industrial controllers. We also develop detection rules with a reference to MITRE’s knowledge base for industrial control systems. Our evaluations show that Commander accurately detects attacks, outperforms existing detection systems, and delivers succinct and insightful attack graphs.