PARGMF: A provenance-enabled automated rule generation and matching framework with multi-level attack description model

JOURNAL OF INFORMATION SECURITY AND APPLICATIONS(2024)

Abstract
With the rapid increase in cyber-attacks over the past years, driven in part by the shift to working from home, protecting hosts, networks and individuals from cyber threats is in higher demand than ever. One promising solution is Provenance-based Intrusion Detection Systems (PIDS), which correlate host-based security logs into provenance graphs that describe the causal relationships between system entities. PIDS have shown significant potential for improving detection performance and reducing false alarms compared to traditional Intrusion Detection Systems (IDS). Rule-based PIDS use expert-defined rule sets to identify known malicious patterns in provenance graphs. Although these rule-based techniques are widely applied, they can only detect known attack patterns, depend heavily on the quality of the rules, and require time-consuming manual rule creation. To address these shortcomings, this study proposes two novel techniques: the Multi-level Attack Description Model (MADM), which describes attack patterns at multiple levels of granularity, and the Provenance-enabled Automated Rule Generation and Matching Framework (PARGMF), which generates rules deterministically and promptly. We evaluate the proposed approaches on the DARPA OpTC dataset, complemented by a practical case study in which a prototype extension for the CAPEv2 sandbox demonstrates the real-world applicability of the approaches. Our results show, first, that PARGMF generates rules deterministically with an average processing time of only 13.11 s, compared to multiple hours or even days for manual rule creation by security experts. Second, by generalizing attack descriptions, MADM improved rule robustness by 21.9% for Behavioural Attack Description (BAD) and by 25% for Structural Attack Description (SAD) compared to approaches without generalization. A further benefit over existing approaches is that PARGMF also generates differential graphs to support security experts' timely validation of security alarms.
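The abstract describes the general mechanism that PARGMF and MADM build on: host-log events are turned into a provenance graph, an attack description is matched against that graph as a causally ordered pattern, and a description written at a coarser level of granularity survives cosmetic changes in the attack that an exact description does not. The following Python example is added here to make that mechanism concrete; it is not code from the paper and does not implement MADM, PARGMF or their rule format. The log events, process and file names, IP addresses, the `Rule`/`Step` pattern representation and the regex-based generalization are all constructed for illustration.

```python
"""Toy provenance-graph rule matching with exact vs. generalised attack descriptions.

Illustrative example only: not the paper's MADM/PARGMF implementation.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One host-log record: a subject entity performs an action on an object entity."""
    subject: str   # e.g. "proc:winword.exe"
    action: str    # "exec" | "write" | "connect"
    obj: str       # "proc:...", "file:...", or "net:<ip>:<port>"
    ts: int        # event time; larger means later


# Constructed sample logs (not from the DARPA OpTC dataset).
# TRACE_A: an Office document spawns PowerShell, which drops a script and calls out.
TRACE_A = [
    Event("proc:explorer.exe", "exec", "proc:winword.exe", 1),
    Event("proc:winword.exe", "exec", "proc:powershell.exe", 2),
    Event("proc:powershell.exe", "write", r"file:C:\Users\u\AppData\Local\Temp\a.ps1", 3),
    Event("proc:powershell.exe", "connect", "net:203.0.113.7:443", 4),
]
# TRACE_B: same behaviour, different process names, file name and destination.
TRACE_B = [
    Event("proc:explorer.exe", "exec", "proc:excel.exe", 1),
    Event("proc:excel.exe", "exec", "proc:cmd.exe", 2),
    Event("proc:cmd.exe", "write", r"file:C:\Users\u\AppData\Local\Temp\x.bat", 3),
    Event("proc:cmd.exe", "connect", "net:198.51.100.9:8080", 4),
]


def build_graph(events):
    """Provenance graph as an adjacency list: subject -> [(action, obj, ts), ...]."""
    graph = defaultdict(list)
    for e in events:
        graph[e.subject].append((e.action, e.obj, e.ts))
    return graph


@dataclass(frozen=True)
class Step:
    action: str
    obj: str            # regex, full-matched against the object entity
    pivot: bool = False  # True: the matched object becomes the subject for later steps


@dataclass(frozen=True)
class Rule:
    name: str
    start: str  # regex for the subject entity the chain starts from
    steps: tuple


def exact(entity):
    """Pattern that matches one concrete entity only (no generalisation)."""
    return re.escape(entity)


def _matches(pattern, entity):
    return re.fullmatch(pattern, entity) is not None


def match_rule(graph, rule):
    """Return every edge chain that instantiates `rule`, in causal (timestamp) order.

    Each hit is a list of (subject, action, obj, ts) edges: the evidence subgraph an
    analyst would inspect when validating the alarm.
    """
    hits = []

    def walk(subject, idx, last_ts, chain):
        if idx == len(rule.steps):
            hits.append(list(chain))
            return
        step = rule.steps[idx]
        for action, obj, ts in graph.get(subject, []):
            # Steps must occur in order: later step, later timestamp.
            if action != step.action or ts <= last_ts or not _matches(step.obj, obj):
                continue
            chain.append((subject, action, obj, ts))
            walk(obj if step.pivot else subject, idx + 1, ts, chain)
            chain.pop()

    for subject in list(graph):
        if _matches(rule.start, subject):
            walk(subject, 0, -1, [])
    return hits


# Exact description: every entity pinned to the names seen in TRACE_A.
SPECIFIC = Rule("office->powershell stager (exact)", exact("proc:winword.exe"), (
    Step("exec", exact("proc:powershell.exe"), pivot=True),
    Step("write", exact(r"file:C:\Users\u\AppData\Local\Temp\a.ps1")),
    Step("connect", exact("net:203.0.113.7:443")),
))

# Generalised description: entity classes instead of concrete names.
GENERALIZED = Rule("office->shell stager (generalised)", r"proc:(winword|excel|powerpnt)\.exe", (
    Step("exec", r"proc:(powershell|cmd|wscript)\.exe", pivot=True),
    Step("write", r"file:.*\\Temp\\.*"),  # any file under a Temp directory
    Step("connect", r"net:.*"),           # any outbound connection
))


if __name__ == "__main__":
    for label, trace in (("A", TRACE_A), ("B", TRACE_B)):
        g = build_graph(trace)
        for rule in (SPECIFIC, GENERALIZED):
            print(f"trace {label} / {rule.name}: {len(match_rule(g, rule))} hit(s)")
```

Running the block shows the point the abstract makes about generalization: the exact rule fires on trace A but is blind to trace B, while the generalised rule fires on both, and in each case the returned chain is the handful of edges a reviewer needs to see rather than the whole graph.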
Keywords
Intrusion detection systems,Provenance graphs,Rule generation,Alarm validation,Forensic analysis,Malware analysis