SPYRAPTOR: A Stream-based Smart Query System for Real-Time Threat Hunting within Enterprise.

CSCWD (2023)

Abstract
Because insider threats are both covert and destructive, detecting them is important for protecting the security of enterprises and organizations. For complex insider threat scenarios in particular, current detection methods still have many limitations. Log-based cyber threat hunting can be an effective solution, but the non-trivial manual effort of constructing queries hinders its use. In this paper, we propose SPYRAPTOR, a stream-based smart query system for real-time threat hunting within the enterprise. Built on system auditing frameworks, SPYRAPTOR constructs a threat behavior graph from historical anomalous audit data together with information about the enterprise's personnel and assets. An Insider Threat Query Language (ITQL) and an ITQL query synthesis mechanism synthesize the ITQL query strategy for an insider threat scenario from the threat behavior graph. An efficient query execution system parses ITQL queries and performs real-time hunting of insider threat scenarios on a stream processing engine. We conduct experiments on the CERT dataset; the results show that SPYRAPTOR achieves excellent performance (precision of 0.91, recall of 0.89 and low detection latency) and outperforms state-of-the-art methods.
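The abstract describes hunting an insider threat scenario as a real-time query over an audit stream that is synthesized from a threat behavior graph and enriched with enterprise personnel and asset data. The following Python sketch is added here as an illustration; it is not SPYRAPTOR's code and not ITQL (whose syntax the abstract does not give). It shows the core of what such a query execution system has to do: run a per-user, time-windowed sequence query over CERT-style logon, device and file records. The three-step scenario, the two-hour window, the business-hours definition, the log records and the asset table are all constructed assumptions.

```python
"""
Illustrative stream matcher for a multi-step insider-threat scenario.
Hypothetical sketch, not SPYRAPTOR's code or ITQL. All records,
thresholds and the asset table below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    pc: str
    kind: str    # "logon", "device" or "file" (CERT-style record types)
    detail: str  # activity name (Logon/Connect/...) or file name


def parse(lines: Iterable[str]) -> List[Event]:
    """Parse constructed 'timestamp,user,pc,kind,detail' records, in arrival order."""
    out = []
    for line in lines:
        ts, user, pc, kind, detail = line.split(",", 4)
        out.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, pc, kind, detail))
    return out


# Constructed CERT-style audit records (not taken from the real dataset).
RAW_LOGS = [
    "2010-01-04 09:00:12,HBT0001,PC-5555,logon,Logon",        # normal daytime activity
    "2010-01-04 09:05:40,HBT0001,PC-5555,device,Connect",
    "2010-01-04 09:07:03,HBT0001,PC-5555,file,budget.pdf",
    "2010-01-04 22:10:05,ACM2278,PC-1234,logon,Logon",        # after-hours logon ...
    "2010-01-04 22:15:31,ACM2278,PC-1234,device,Connect",     # ... then removable media ...
    "2010-01-04 22:40:48,ACM2278,PC-1234,file,customer_list.zip",  # ... then an archive: alert
    "2010-01-04 22:41:00,ACM2278,PC-1234,device,Disconnect",
    "2010-01-04 23:00:00,XYZ0003,PC-7777,logon,Logon",        # after-hours logon, but the
    "2010-01-05 03:30:00,XYZ0003,PC-7777,device,Connect",     # next step is 4.5 h later:
    "2010-01-05 03:31:00,XYZ0003,PC-7777,file,roadmap.docx",  # outside the window, no alert
]

# Hypothetical enterprise asset information: which PC is assigned to which user.
ASSETS: Dict[str, str] = {"PC-1234": "ACM2278", "PC-5555": "HBT0001", "PC-7777": "XYZ0003"}


def after_hours(e: Event) -> bool:
    """Assumed business hours are 06:00-20:00."""
    return e.ts.hour < 6 or e.ts.hour >= 20


Step = Tuple[str, Callable[[Event], bool]]

# The scenario as an ordered list of steps, each a predicate on one event.
SCENARIO: List[Step] = [
    ("after_hours_logon", lambda e: e.kind == "logon" and e.detail == "Logon" and after_hours(e)),
    ("removable_media_connect", lambda e: e.kind == "device" and e.detail == "Connect"),
    ("archive_or_doc_access", lambda e: e.kind == "file"
     and e.detail.lower().endswith((".zip", ".docx", ".pdf"))),
]
WINDOW = timedelta(hours=2)  # all steps must occur within this span


def hunt(events: Iterable[Event], scenario: List[Step], window: timedelta,
         assets: Dict[str, str]) -> List[dict]:
    """
    Single pass over a time-ordered stream. Per user we keep only the index of
    the next step, the time the sequence started and the matched events, so
    memory is bounded by the number of users with an open partial match.
    """
    partial: Dict[str, Tuple[int, datetime, List[Event]]] = {}
    alerts: List[dict] = []
    for e in events:
        state = partial.get(e.user)
        if state is not None and e.ts - state[1] > window:
            del partial[e.user]          # expire a stale partial match
            state = None
        next_idx, started, trail = state if state is not None else (0, e.ts, [])
        name, pred = scenario[next_idx]
        if not pred(e):
            continue                     # event does not advance this user's match
        trail = trail + [e]
        if next_idx + 1 == len(scenario):
            alerts.append({
                "user": e.user,
                "pcs": sorted({x.pc for x in trail}),
                "start": started,
                "end": e.ts,
                "steps": [s[0] for s in scenario],
                # enrichment from the asset table: did every step happen on the user's own PC?
                "on_assigned_pc": all(assets.get(x.pc) == e.user for x in trail),
            })
            partial.pop(e.user, None)
        else:
            partial[e.user] = (next_idx + 1, started, trail)
    return alerts


if __name__ == "__main__":
    for a in hunt(parse(RAW_LOGS), SCENARIO, WINDOW, ASSETS):
        print(a)
```

The matcher assumes events arrive in timestamp order; a production stream engine would add watermarks or a reorder buffer for late records, and a real query language would let the analyst express the steps, the window and the personnel/asset joins declaratively instead of as Python lambdas.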
Keywords
Insider Threat Scenario, Real-Time Hunting, Threat Behavior Graph, Query Synthesis