APThreatHunter: An automated planning-based threat hunting framework
Mustafa F. Abdelwahed, Ahmed Shafee, Joan Espasa
TL;DR
APThreatHunter automates cyber threat hypothesis generation by combining logic programming (Answer Set Programming) to infer the system state from monitored data and automated planning to propose potential attack paths. The framework treats threat hunting as a planning problem, generating plans that represent plausible attack continuations which are then translated into indicators for SIEM-based detection. The authors validate the approach on Android devices using real malware samples (KronoDroid), showing that automated planning can produce actionable threat hypotheses for both surveillance and financial fraud. Results indicate substantial plan generation for most samples, highlighting practical feasibility and potential for reducing analyst workload and bias. The work lays groundwork for domain-model acquisition and inductive logic learning to automate ASP rules over time.
Abstract
Cyber attacks threaten economic interests, critical infrastructure, and public health and safety. To counter this, entities adopt cyber threat hunting, a proactive approach that involves formulating hypotheses and searching for attack patterns within organisational networks. Automating cyber threat hunting presents challenges, particularly in generating hypotheses, as it is a manually created and confirmed process, making it time-consuming. To address these challenges, we introduce APThreatHunter, an automated threat hunting solution that generates hypotheses with minimal human intervention, eliminating analyst bias and reducing time and cost. This is done by presenting possible risks based on the system's current state and a set of indicators to indicate whether any of the detected risks are happening or not. We evaluated APThreatHunter using real-world Android malware samples, and the results revealed the practicality of using automated planning for goal hypothesis generation in cyber threat hunting activities.