Combating Advanced Persistent Threats: Challenges and Solutions

모시모시 · 23 May 2025

Paper


Main Topic

Efficient and robust APT defense scheme leveraging provenance graphs, including a network-level distributed audit model for cost-effective lateral attack reconstruction, a trust-oriented APT evasion behavior detection strategy, and a hidden Markov model based adversarial subgraph defense approach

Strong characteristic
real-time capturing and analysis of intricate system interactions, encompassing network communications, process interactions, and file operations
System behavior
  • Traceability
  • Real-Time Visibility
  • Covert Behavior Detection
  • Attack Reconstruction
  • Reconstruction of Lateral Attack Chains
  • Identification of APT Evasion Behaviors
  • Adversarial Subgraph Detection

3 approaches
1) network-level distributed provenance graph audit model for cost-effective lateral attack chain reconstruction
2) trust-oriented dynamic APT evasion behavior detection strategy
3) hidden Markov model (HMM)-based adversarial sub-graph detection strategy for enhanced robustness of APT defense services

Challenges of Provenance Graph-Based APT Audit

1) The characteristics of an APT are spread across multiple hosts. A provenance graph derived from a single host alone does not match them (limitation of the existing approach).
2) The large number of sources in the graph introduces the problem of stealthy evasion techniques.
3) Systems that defend against adversarial sub-graphs produced by diverse and dynamic attacks are lacking.

Solution

Network-Layer Distributed Provenance Graph Audit

1) CPA-Based Graph Data Compression

  • Forward ingress aggregation condition
  • Backward egress aggregation condition
  • Biegress aggregation condition

2) LDA-Based Weighted Graph Aggregation

  • LDA Model
    • Projects multi-dimensional data onto a line that best separates the classes of the different groups
    • Separating the data this way yields the maximum projection value of each vector, which serves as the importance of the edge (useful for new data values or classification)

3) Lateral Attack Chain Construction via Weighted Provenance Graphs

  • Backward provenance
    • Highest ranking of the PoI alert event
  • Forward Tracking
    • Start from the PoI alert event
    • With the PoI alert event, halt IF propagation
    • Conditions 1), 2) and 3) show that the final entity exceeding the limit and the biegress aggregation condition of a socket differ in their final entity.
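The backward provenance and forward tracking described above, as an added example that is not code from the paper or from this post: a small provenance graph is built from constructed audit records, every event that could have led to the PoI (point-of-interest) alert is collected backwards in time, and forward tracking from the PoI stops propagating along low-importance edges. The event data, entity names, per-edge weights (standing in for the LDA-derived edge importance) and the halting rule are all assumptions made for illustration.

```python
"""
Added example (not from the paper or the post): backward provenance and forward
tracking from a PoI alert event on a constructed provenance graph.
"""
from collections import defaultdict, deque

# Constructed audit events: (timestamp, source entity, operation, destination entity, weight).
# The weight is an assumed per-edge importance score; entity names are made up.
EVENTS = [
    (1, "host1:bash",            "exec",    "host1:curl",              0.20),
    (2, "host1:curl",            "connect", "socket:10.0.0.5:443",     0.90),
    (3, "socket:10.0.0.5:443",   "recv",    "host1:curl",              0.90),
    (4, "host1:curl",            "write",   "host1:/tmp/payload",      0.80),
    (5, "host1:bash",            "exec",    "host1:/tmp/payload",      0.95),  # PoI alert event
    (6, "host1:/tmp/payload",    "connect", "socket:10.0.0.7:445",     0.90),
    (7, "socket:10.0.0.7:445",   "recv",    "host2:smbd",              0.90),
    (8, "host2:smbd",            "write",   "host2:/var/log/auth.log", 0.10),  # low-importance edge
    (9, "host2:smbd",            "exec",    "host2:sh",                0.85),
    (10, "host1:bash",           "read",    "host1:/etc/hosts",        0.05),  # unrelated activity
]


def build_indexes(events):
    """Adjacency lists keyed by entity: events leaving it and events entering it."""
    out_edges, in_edges = defaultdict(list), defaultdict(list)
    for eid, (_ts, src, _op, dst, _w) in enumerate(events):
        out_edges[src].append(eid)
        in_edges[dst].append(eid)
    return out_edges, in_edges


def backward_provenance(events, poi, in_edges):
    """Collect every event (no later than the PoI) that could have contributed to it."""
    t_poi, src0, dst0 = events[poi][0], events[poi][1], events[poi][3]
    seen, frontier, visited = {poi}, deque([src0, dst0]), {src0, dst0}
    while frontier:
        ent = frontier.popleft()
        for eid in in_edges[ent]:
            ts, src, _op, _dst, _w = events[eid]
            if ts <= t_poi and eid not in seen:
                seen.add(eid)
                if src not in visited:
                    visited.add(src)
                    frontier.append(src)
    return seen


def forward_tracking(events, poi, out_edges, min_weight):
    """Follow the PoI's consequences forward in time; an edge below min_weight
    is an assumed halting condition and is not propagated."""
    t_poi, dst0 = events[poi][0], events[poi][3]
    seen, frontier, visited = {poi}, deque([dst0]), {dst0}
    while frontier:
        ent = frontier.popleft()
        for eid in out_edges[ent]:
            ts, _src, _op, dst, w = events[eid]
            if ts < t_poi or eid in seen or w < min_weight:
                continue
            seen.add(eid)
            if dst not in visited:
                visited.add(dst)
                frontier.append(dst)
    return seen


def reconstruct_chain(events, poi, min_weight=0.3):
    """Lateral attack chain = backward provenance plus forward tracking, in time order."""
    out_edges, in_edges = build_indexes(events)
    ids = backward_provenance(events, poi, in_edges) | forward_tracking(events, poi, out_edges, min_weight)
    return sorted(ids, key=lambda eid: events[eid][0])


def hosts_touched(events, chain):
    """Hosts spanned by the chain (socket entities are not hosts)."""
    hosts = {events[eid][i].split(":")[0] for eid in chain for i in (1, 3)}
    return sorted(h for h in hosts if h != "socket")


if __name__ == "__main__":
    chain = reconstruct_chain(EVENTS, poi=4)
    for eid in chain:
        print(eid, EVENTS[eid])
    print("hosts:", hosts_touched(EVENTS, chain))
```

The chain crosses from host1 to host2, which is the situation a single-host graph cannot reconstruct; the unrelated read at timestamp 10 is never reached, and the low-weight log write is dropped unless the weight threshold is lowered.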

Trust-Oriented Dynamic APT Evasion Behavior Detection

  • construction of provenance entity links (related to the original)
  • Reduce the impact of useless factors in the entity graph; optimisation of the structure.

2) Dynamic APT Evasion Behavior Analysis based on Trust Evaluation

  • The sequence is divided into 3 parts

    • subsequences of continuously trustworthy operations
    • continuously untrustworthy operations
    • continuously uncertain operations
  • The recommendation, rewarding and punishing effects of the sequence enhance the accuracy of trust evaluation.
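The trust-evaluation idea above, as an added example that is not code from the paper or this post: an entity's operation sequence is split into maximal runs of trustworthy, untrustworthy and uncertain operations, each run rewards or punishes the entity's trust value with a run-length effect, and a recommendation term from neighbouring entities is blended in. The thresholds, the update formulas and the constructed score sequences are assumptions chosen for illustration.

```python
"""
Added example (not from the paper or the post): run-based trust evaluation over
an entity's operation sequence with reward, punishment and recommendation terms.
"""
from itertools import groupby

TRUST_HI = 0.7   # assumed: per-operation score >= TRUST_HI -> trustworthy operation
TRUST_LO = 0.3   # assumed: per-operation score <= TRUST_LO -> untrustworthy operation


def label(score):
    """Map a per-operation trust score in [0, 1] to one of the three operation classes."""
    if score >= TRUST_HI:
        return "trustworthy"
    if score <= TRUST_LO:
        return "untrustworthy"
    return "uncertain"


def segment(scores):
    """Split the time-ordered scores into maximal runs: [(label, run length), ...]."""
    return [(lab, len(list(run))) for lab, run in groupby(scores, key=label)]


def evaluate_trust(prior, scores, recommendations, alpha=0.1, beta=0.2, gamma=0.3):
    """
    prior:           entity's current trust value in [0, 1]
    scores:          per-operation trust scores in time order
    recommendations: trust values that neighbouring entities report for this entity
    alpha/beta:      reward / punishment strength; gamma: weight of the recommendation term
    Assumed rules: a trustworthy run gives a diminishing reward that saturates with
    run length; an untrustworthy run gives a punishment that grows faster than
    linearly with run length, so consecutive bad operations compound; uncertain
    runs leave direct trust unchanged.
    """
    trust = prior
    for lab, n in segment(scores):
        if lab == "trustworthy":
            trust += alpha * (1 - trust) * (1 - 0.5 ** n)
        elif lab == "untrustworthy":
            trust -= beta * trust * n * (1 + 0.5 * (n - 1))
        trust = min(1.0, max(0.0, trust))
    if recommendations:
        rec = sum(recommendations) / len(recommendations)
        trust = (1 - gamma) * trust + gamma * rec
    return trust


# Constructed sample: a benign stretch, one uncertain op, a burst of two bad ops, one good op.
SAMPLE_SCORES = [0.9, 0.8, 0.95, 0.5, 0.1, 0.2, 0.85]
SAMPLE_RECOMMENDATIONS = [0.6, 0.4]   # constructed neighbour opinions

if __name__ == "__main__":
    print(segment(SAMPLE_SCORES))
    print(evaluate_trust(0.5, SAMPLE_SCORES, SAMPLE_RECOMMENDATIONS))
```

The superlinear punishment is what makes continuity matter: two untrustworthy operations in a row reduce trust more than the same two operations separated by an uncertain one.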

HMM-Based Adversarial Sub-Provenance Graph Defense

1) Fast Adversarial Subgraphs Modeling

  • train a general test artificial intelligence (AI) model for discriminating adversarial subgraphs, by optimizing the loss function

  • Proof-of-concept framework design for adversarial subgraphs

  • Adversarial subgraphs construction

2) Robust Adversarial Subgraphs Detection Based on HMM
