Description

Cyber-attack and defense is a cat-and-mouse game between adversaries and defenders. In recent years, the game has become more complicated and sophisticated with the emergence of Advanced Persistent Threats (APTs). An APT attack is often carried out by many experienced attackers. Numerous efforts have been devoted to developing defenses against APTs. Traditional approaches include signature-based detection and anomaly-based detection. However, such approaches focus on identifying a single breaking point of the malicious activity, which is not only fragile to evasion techniques but oftentimes suffers from the needle-in-a-haystack problem. In addition, some stealthy malware and attacks use benign applications and legitimate system tools to minimize their footprint in the target system.

To address these issues, SIEM (Security Information and Event Management) systems were proposed to monitor the events, activities and interactions between different entities in the system. These entities include processes, files, pipes, memory objects, and network sockets. The provenance graph can be used to detect and locate an APT attack very efficiently because it records comprehensive data-flow and control-flow information about the system. However, investigating the provenance graph faces many challenges, such as scalability and efficiency. On the other hand, the properties and complexity of the graph also make it a rich subject for research. While the provenance graph provides extensive contextual information that allows fine-grained analysis, it also introduces complexity into the detection system. Therefore, it is an active and promising research area, and many papers on it have been published in recent years. There are three major classes of threat detection model: the tag-propagation model, the graph matching-based model and the anomaly score-based model.
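As an added illustration of the tag-propagation class of detection model (example code, not code from the project described here), the following Python builds a small provenance graph from constructed audit records, propagates an "untrusted" tag from network sockets along data-flow edges, and raises an alert with the full provenance path when the tag reaches a sensitive file. The event format, the `socket:` prefix rule for untrusted sources and the sensitive-file list are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample audit records (not data from any real system): each tuple
# is one information flow (source entity, operation, destination entity).
SAMPLE_EVENTS = [
    ("socket:203.0.113.9:443",    "recv",  "proc:firefox"),
    ("proc:firefox",              "write", "file:/tmp/update.sh"),
    ("file:/tmp/update.sh",       "read",  "proc:bash"),
    ("proc:bash",                 "write", "file:/etc/passwd"),
    ("file:/etc/ssh/sshd_config", "read",  "proc:sshd"),   # benign, never tainted
]

# Hypothetical policy: entities that must never receive untrusted data.
SENSITIVE = {"file:/etc/passwd", "file:/etc/shadow"}

def build_graph(events):
    """Provenance graph as an adjacency list: src -> [(dst, op), ...]."""
    graph = defaultdict(list)
    for src, op, dst in events:
        graph[src].append((dst, op))
    return graph

def propagate(graph, is_untrusted=lambda n: n.startswith("socket:")):
    """Tag propagation: every entity reachable from an untrusted source over
    data-flow edges inherits the tag. The returned dict maps each tagged
    entity to its (predecessor, op) so the provenance path can be replayed."""
    parent = {n: None for n in graph if is_untrusted(n)}   # seeds carry no parent
    queue = deque(parent)
    while queue:
        node = queue.popleft()
        for dst, op in graph.get(node, []):
            if dst not in parent:          # first reach wins; avoids cycles
                parent[dst] = (node, op)
                queue.append(dst)
    return parent

def trace(parent, node):
    """Walk parent pointers back to the untrusted source; return the path."""
    path = [node]
    while parent.get(node):
        node = parent[node][0]
        path.append(node)
    return path[::-1]

def detect(events, sensitive=SENSITIVE):
    """Alert on every sensitive entity the untrusted tag reaches."""
    tagged = propagate(build_graph(events))
    return {n: trace(tagged, n) for n in sensitive if n in tagged}

if __name__ == "__main__":
    for target, path in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {target}: " + " -> ".join(path))
```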

We are working on reducing the complexity of existing provenance-based APT detection methods so that they are suitable for deployment in real-world environments. In addition, we are trying to use artificial intelligence and data-mining methods to improve detection performance. For example, we implemented a back-propagation detection framework so that the provenance-based detection system can learn some of its crucial parameters.

Collaborators

Alumni