TREC: APT Tactic / Technique Recognition via Few-Shot Provenance Subgraph Learning
arXiv (2024)
Abstract
APT (Advanced Persistent Threat) with the characteristics of persistence,
stealth, and diversity is one of the greatest threats against
cyber-infrastructure. As a countermeasure, existing studies leverage provenance
graphs to capture the complex relations between system entities in a host for
effective APT detection. In addition to detecting single attack events as most
existing work does, understanding the tactics / techniques (e.g., Kill-Chain,
ATT&CK) applied to organize and accomplish the APT attack campaign is more
important for security operations. Existing studies try to manually design a
set of rules to map low-level system events to high-level APT tactics /
techniques. However, the rule-based methods are coarse-grained and lack
generalization ability, so they can only recognize APT tactics and cannot
identify fine-grained APT techniques and mutant APT attacks. In this paper, we
propose TREC, the first attempt to recognize APT tactics / techniques from
provenance graphs by exploiting deep learning techniques. To address the
"needle in a haystack" problem, TREC segments small and compact subgraphs
covering individual APT technique instances from a large provenance graph based
on a malicious node detection model and a subgraph sampling algorithm. To
address the "training sample scarcity" problem, TREC trains the APT tactic /
technique recognition model in a few-shot learning manner by adopting a Siamese
neural network. We evaluate TREC based on a customized dataset collected and
made public by our team. The experiment results show that TREC significantly
outperforms state-of-the-art systems in APT tactic recognition and TREC can
also effectively identify APT techniques.
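The segmentation step described in the abstract (an upstream model flags suspicious nodes, then a sampling algorithm cuts small subgraphs around them out of the large provenance graph) can be illustrated with a k-hop neighbourhood extraction over a constructed provenance graph. The code below is an added example, not the paper's algorithm, code or dataset: the audit events, node names and the merge rule (neighbourhoods of two seeds that overlap are joined into one candidate technique instance) are all assumptions made here for illustration, and the seed list stands in for the output of a malicious node detector.

```python
from collections import defaultdict, deque

# Constructed sample provenance events (subject, relation, object); not the
# paper's data. Processes, files and a remote socket are all plain node names.
EVENTS = [
    ("systemd", "exec", "sshd"),
    ("sshd", "exec", "bash"),
    ("bash", "read", "/etc/hosts"),
    ("bash", "exec", "curl"),
    ("curl", "connect", "203.0.113.10:443"),
    ("curl", "write", "/tmp/stage.sh"),
    ("bash", "exec", "sh"),
    ("sh", "read", "/tmp/stage.sh"),
    ("sh", "exec", "crontab"),
    ("crontab", "write", "/var/spool/cron/root"),
    ("systemd", "exec", "cron"),
    ("cron", "read", "/var/spool/cron/root"),
    ("logrotate", "write", "/var/log/syslog.1"),  # unrelated background noise
]


def build_graph(events):
    """Adjacency in both directions: fwd[u] -> [(rel, v)], bwd[v] -> [(rel, u)]."""
    fwd, bwd = defaultdict(list), defaultdict(list)
    for subj, rel, obj in events:
        fwd[subj].append((rel, obj))
        bwd[obj].append((rel, subj))
    return fwd, bwd


def k_hop_nodes(seed, k, fwd, bwd):
    """Nodes within k hops of seed, walking edges forward (what the seed
    touched) and backward (what led to the seed). Plain BFS with depth tracking."""
    seen = {seed}
    queue = deque([(seed, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth == k:
            continue
        for _, nxt in fwd.get(node, []) + bwd.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return seen


def segment_subgraphs(events, seeds, k=1):
    """Cut one compact subgraph per group of suspicious seed nodes.

    Each seed gets its k-hop neighbourhood; neighbourhoods that share at least
    one node are merged, on the assumption that they belong to the same
    technique instance. Returns a sorted list of dicts with the induced edges.
    """
    fwd, bwd = build_graph(events)
    segments = []  # each entry: {"seeds": set, "nodes": set}
    for seed in seeds:
        merged = {"seeds": {seed}, "nodes": k_hop_nodes(seed, k, fwd, bwd)}
        kept = []
        for seg in segments:
            if seg["nodes"] & merged["nodes"]:
                merged["seeds"] |= seg["seeds"]
                merged["nodes"] |= seg["nodes"]
            else:
                kept.append(seg)
        kept.append(merged)
        segments = kept
    out = []
    for seg in segments:
        # Induced edges: every original event whose two endpoints both survive.
        edges = [e for e in events if e[0] in seg["nodes"] and e[2] in seg["nodes"]]
        out.append({"seeds": sorted(seg["seeds"]),
                    "nodes": sorted(seg["nodes"]),
                    "edges": edges})
    out.sort(key=lambda s: s["seeds"])
    return out


if __name__ == "__main__":
    # Seeds stand in for nodes a malicious node detection model would flag.
    for k in (1, 2):
        for seg in segment_subgraphs(EVENTS, ["curl", "crontab"], k=k):
            print(f"k={k} seeds={seg['seeds']} nodes={len(seg['nodes'])} "
                  f"edges={len(seg['edges'])}")
```

With k=1 the two seeds yield two separate small subgraphs (download, persistence); with k=2 they meet at the shared `bash` and `sh` ancestors and collapse into one, while the unrelated `logrotate` event never enters either. Choosing k is the "needle in a haystack" trade-off the abstract refers to: too small and a technique instance is split across segments, too large and the segment drags in benign context.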