
Combating Advanced Persistent Threats: Challenges and Solutions

Yuntao Wang, Han Liu, Zhendong Li, Zhou Su, Jiliang Li

TL;DR

This paper addresses detecting and mitigating advanced persistent threats (APTs) in complex networks by leveraging provenance graphs built from kernel-level auditing. It proposes a three-part defence: a network-level distributed provenance-audit architecture, using CPA-based data compression for scalable graph collection and LDA-weighted edge graphs to trace attack steps, that reconstructs lateral attack chains cost-effectively; a trust-oriented dynamic evasion-detection mechanism that improves resilience against stealthy behaviours; and an HMM-based detector that hardens the system against adversarial subgraphs crafted to evade detection. A prototype on 15 servers with CamFlow and Neo4j reconstructs lateral movement in under 3 minutes, improves trust analysis, and attains higher recall under adversarial conditions; the paper closes with open directions for cloud-edge and cross-domain deployments.

Abstract

The rise of advanced persistent threats (APTs) has marked a significant cybersecurity challenge, characterized by sophisticated orchestration, stealthy execution, extended persistence, and the targeting of valuable assets across diverse sectors. Provenance graph-based kernel-level auditing has emerged as a promising approach to enhance visibility and traceability within intricate network environments. However, it still faces challenges including reconstructing complex lateral attack chains, detecting dynamic evasion behaviors, and defending against adversarial subgraphs. To bridge the research gap, this paper proposes an efficient and robust APT defense scheme leveraging provenance graphs, including a network-level distributed audit model for cost-effective lateral attack reconstruction, a trust-oriented APT evasion behavior detection strategy, and a hidden Markov model (HMM) based adversarial subgraph defense approach. Through prototype implementation and extensive experiments, we validate the effectiveness of our system. Lastly, crucial open research directions are outlined in this emerging field.
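The abstract's first component, reconstructing a lateral attack chain from per-host provenance graphs, rests on one idea: each host's kernel audit names a network flow the same way on the client (connect) and the server (accept), so the two graphs share a node and a backward trace from an alert can cross host boundaries. The following is an added example written for this page, not code from the paper or from CamFlow/Neo4j. It assumes a simplified record format (host, subject, relation, object), a hypothetical `flow_id` naming convention for stitching, and constructed audit records for three hosts.

```python
"""Lateral attack-chain reconstruction over a stitched cross-host provenance graph.

Added example, not code from the paper or from CamFlow/Neo4j. It assumes a
simplified record format (host, subject, relation, object); kernel audit on
each host names a network flow by the same id so that the connect edge on the
client and the accept edge on the server share one node, which is what lets a
network-level audit stitch per-host graphs together.
"""
from collections import defaultdict, deque


def flow_id(src_ip, dst_ip, dst_port):
    """Global id for a TCP flow; both endpoints' audits emit the same string (assumed convention)."""
    return f"sock:{src_ip}->{dst_ip}:{dst_port}"


# Constructed provenance records for three hosts A, B, C (not real data).
RECORDS = [
    # Host A: phishing document spawns a shell that SSHes to B.
    ("A", "A:proc:outlook", "exec", "A:proc:winword"),
    ("A", "A:proc:winword", "exec", "A:proc:cmd"),
    ("A", "A:proc:cmd", "connect", flow_id("10.0.0.1", "10.0.0.2", 22)),
    # Host B: sshd accepts that flow, the shell reads credentials and pivots to C.
    ("B", flow_id("10.0.0.1", "10.0.0.2", 22), "accept", "B:proc:sshd"),
    ("B", "B:proc:sshd", "exec", "B:proc:bash"),
    ("B", "B:proc:bash", "read", "B:file:/etc/shadow"),
    ("B", "B:proc:bash", "connect", flow_id("10.0.0.2", "10.0.0.3", 445)),
    # Host C: smbd accepts and drops a payload (the alert that starts the trace).
    ("C", flow_id("10.0.0.2", "10.0.0.3", 445), "accept", "C:proc:smbd"),
    ("C", "C:proc:smbd", "write", "C:file:/tmp/payload"),
    # Unrelated activity on B that must not end up in the chain.
    ("B", "B:proc:cron", "exec", "B:proc:logrotate"),
]


def build_graph(records):
    """Forward and reverse adjacency: node -> {(neighbour, relation)}."""
    fwd, rev = defaultdict(set), defaultdict(set)
    for _host, src, rel, dst in records:
        fwd[src].add((dst, rel))
        rev[dst].add((src, rel))
    return fwd, rev


def node_host(node):
    """Host a process/file node lives on; flow nodes are shared, so None."""
    return None if node.startswith("sock:") else node.split(":", 1)[0]


def backward_trace(rev, sink):
    """BFS over reverse edges from an alerted node. Returns node -> (successor, rel)
    pointers toward the sink for every ancestor, i.e. the causal past of the alert."""
    parent = {sink: None}
    queue = deque([sink])
    while queue:
        node = queue.popleft()
        for pred, rel in rev.get(node, ()):
            if pred not in parent:
                parent[pred] = (node, rel)
                queue.append(pred)
    return parent


def attack_chains(rev, sink):
    """Ordered root-to-sink paths, one per ancestor that has no predecessor."""
    parent = backward_trace(rev, sink)
    chains = []
    for root in (n for n in parent if not rev.get(n)):
        path, node = [root], root
        while parent[node] is not None:
            node, _rel = parent[node]
            path.append(node)
        chains.append(path)
    return chains


def hosts_on_path(path):
    """Distinct hosts in traversal order; len(hosts) - 1 is the number of lateral hops."""
    hosts = []
    for node in path:
        host = node_host(node)
        if host and (not hosts or hosts[-1] != host):
            hosts.append(host)
    return hosts


def forward_impact(fwd, node):
    """Everything causally downstream of a node: the set of affected nodes."""
    seen, queue = set(), deque([node])
    while queue:
        n = queue.popleft()
        for succ, _rel in fwd.get(n, ()):
            if succ not in seen:
                seen.add(succ)
                queue.append(succ)
    return seen


if __name__ == "__main__":
    fwd, rev = build_graph(RECORDS)
    for chain in attack_chains(rev, "C:file:/tmp/payload"):
        hosts = hosts_on_path(chain)
        print(f"{len(hosts) - 1}-hop chain over {hosts}:")
        print("  " + " -> ".join(chain))
    print("impact of B:proc:bash:", sorted(forward_impact(fwd, "B:proc:bash")))
```

The backward trace from the payload on C walks through the shared flow nodes back to the phishing document on A and reports a 2-hop chain, while the unrelated cron activity and the sibling credential read never enter the path; `forward_impact` is the complementary query (what a compromised process touched) that the paper's compromised-node counts in Figure 5a measure. Real audits must also filter the flow stitching by time (the accept must follow the connect) so that a reused port number does not fuse unrelated sessions; that caveat is omitted here for brevity.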

Paper Structure (18 sections, 5 figures, 1 table)

Figures (5)

  • Figure 1: An Overview of Provenance Graph-Based APT Audit Approach.
  • Figure 2: An Illustration of Network-Layer Distributed Provenance Graph Audit for Lateral Attack Chain Reconstruction.
  • Figure 3: An Illustration of Trust-Oriented Dynamic APT Evasion Behavior Detection.
  • Figure 4: An Illustration of HMM-Based Adversarial Subgraphs Defense.
  • Figure 5: a) Number of compromised nodes vs. N-hop lateral movement under 10 modes of attack paths. b) Trust value vs. number of interactions, compared with the probabilistic trust model [17]. c) Successful detection rate with/without adversarial attacks, compared with StreamSpot [18], Unicon [7], mimicry-StreamSpot, and mimicry-Unicon. Note: as StreamSpot and Unicon are designed for settings without adversarial attacks, to be fair and objective, we implement them under adversarial settings and call their modified versions mimicry-StreamSpot and mimicry-Unicon, respectively.