Nip in the Bud: Forecasting and Interpreting Post-exploitation Attacks in Real-time through Cyber Threat Intelligence Reports

Tiantian Zhu, Jie Ying, Tieming Chen, Chunlin Xiong, Wenrui Cheng, Qixuan Yuan, Aohan Zheng, Mingqi Lv, Yan Chen

TL;DR

EFI tackles the persistent problem of high false positives in endpoint detection by forecasting and interpreting post-exploitation attacker moves in real time using CTI-derived attack scene graphs. It builds four graph types—ASG from CTI, APG from EDR, AFG from a serialized graph forecast, and ATG for interpretation—then uses a graph alignment plus algorithm to provide technique-level explanations and dispatch proactive reinforcement to EDR. Evaluations on DARPA Engagement and CTI datasets show AFG generation within 5 seconds, interpretation within 5 minutes, alignment scores exceeding 0.8, and forecast/interpretation precision of 91.8%, illustrating strong potential to reduce MTTR without disrupting normal operations. Overall, EFI represents a significant step toward proactive, interpretable, and CTI-informed endpoint defense in real-world environments.

Abstract

Advanced Persistent Threat (APT) attacks have caused significant damage worldwide. Various Endpoint Detection and Response (EDR) systems are deployed by enterprises to fight against potential threats. However, EDR suffers from high false positives. In order not to affect normal operations, analysts need to investigate and filter detection results before taking countermeasures; the heavy manual labor and alarm fatigue this involves cause analysts to miss the optimal response time, leading to information leakage and destruction. Therefore, we propose Endpoint Forecasting and Interpreting (EFI), a real-time attack forecast and interpretation system that automatically predicts the attacker's next move during post-exploitation, explains it at the technique level, and then dispatches strategies to EDR for advance reinforcement. First, we use Cyber Threat Intelligence (CTI) reports to extract an attack scene graph (ASG) that can be mapped to low-level system logs to strengthen attack samples. Second, we build a serialized graph forecast model, which is combined with the attack provenance graph (APG) provided by EDR to generate an attack forecast graph (AFG) that predicts the next move. Finally, we utilize the attack template graph (ATG) and the graph alignment plus algorithm for technique-level interpretation, automatically dispatching strategies that let EDR reinforce the system in advance. EFI avoids the impact of existing EDR false positives and reduces the attack surface of the system without affecting normal operations. We collect a total of 3,484 CTI reports, generate 1,429 ASGs, label 8,000 sentences, tag 10,451 entities, and construct 256 ATGs. Experimental results on both the DARPA Engagement and a large-scale CTI dataset show that the alignment score between the AFG predicted by EFI and the real attack graph exceeds 0.8, and that the forecast and interpretation precision of EFI reaches 91.8%.

Paper Structure

This paper contains 32 sections, 10 equations, 9 figures, and 8 tables.

Figures (9)

  • Figure 1: The architecture of EFI. EFI extracts ASGs from open source CTI reports and trains the graph forecast model. The APG provided by EDR is then fed into the model to predict the AFG, which is then interpreted using the graph alignment plus algorithm and ATGs. Finally, the interpretation results are used to dispatch strategies to EDR for advance reinforcement.
  • Figure 2: Graph Forecast Model Architecture. The current forecast results can be used as input for the next round of prediction for serialized graph generation.
  • Figure 3: An example of Multi-Hop Equivalent Semantics.
  • Figure 4: Change in graph alignment score with graph structure modification. The positive/negative number of the horizontal axis indicates an addition/deletion.
  • Figure 5: EFI, AttackG and EXTRACTOR are compared with the extracted ASG using sample TC_Information gather and exfiltration as input, where sub-graph A is our manually extracted Ground Truth. In the figure, red P indicates process, blue F indicates file, and green S indicates socket.