威胁情报驱动的动态威胁狩猎方法

doi:10.3969/j.issn.1671-1122.2023.06.009

摘要/Abstract

摘要：

近年来，随着开源威胁情报自动化提取技术的发展，在威胁情报驱动下对溯源图（Provenance Graph）进行威胁狩猎有着无需专家知识且能提供完整攻击场景的优势，是一种有效的威胁检测手段。然而，现有的威胁狩猎方法仍存在以下不足：一方面，现有方法依赖威胁指标（Indicators of Compromise，IOC）进行威胁搜索，难以在攻击逃避检测的情况下对威胁进行有效检测；另一方面，现有方法鲜有考虑持续狩猎的应用场景，忽视了持续狩猎导致的高开销。为解决以上问题，文章提出一种威胁情报驱动的动态威胁狩猎方法（Threat Intelligence-Driven Dynamic Threat Hunting Method，DyHunter），可以在攻击逃避检测导致威胁情报与真实攻击不一致的情况下进行持续的威胁狩猎。DyHunter使用复合的候选子图选择算法避免攻击节点与攻击子图被遗漏，使用一种多层图相似性学习方法分别对拓扑结构相似性与节点属性相似性进行学习以提高模型鲁棒性，生成并维护一个可疑子图以减少持续狩猎的开销。实验结果表明，与已有方法相比，DyHunter可以有效保证在攻击逃避检测的情况下的高准确性，并在持续狩猎过程中减少94.1%以上的空间开销。

关键词: 威胁情报, 溯源图, 威胁狩猎, 图相似性学习

Abstract:

In recent years, with the development of automatic extraction technology of open source threat intelligence, threat hunting on Provenance Graph driven by threat intelligence has the advantages of not requiring expert knowledge and providing complete attack scenarios, which is an effective threat detection method. However, existing threat hunting methods still suffer from several limitations. On the one hand, they rely on Indicators of Compromise (IOC) for threat searches, which makes them difficult to effectively detect threats in cases where the attack evades detection; on the other hand, existing methods often neglect the application scenarios of continuous hunting, ignoring the high costs associated with such hunting. To address these issues, this paper proposed a Threat Intelligence-Driven Dynamic Threat Hunting Method (DyHunter), which can perform continuous threat hunting even when threat intelligence is inconsistent with the actual attack due to attack evasion. DyHunter used a composite candidate subgraph selection algorithm to avoid missing attack nodes and attack subgraphs, and employed a multi-layer graph similarity learning method to learn topology and node attribute similarity to improve model robustness. It generated and maintained a suspicious subgraph to reduce the cost of continuous hunting. Experimental results show that, compared with existing methods, DyHunter can effectively ensure high accuracy under the impact of attack evasion, and reduce more than 94.1% of space overhead during the continuous hunting process.

Key words: threat intelligence, provenance graph, threat hunting, graph similarity learning

中图分类号:

TP309

吴尚远, 申国伟, 郭春, 陈意. 威胁情报驱动的动态威胁狩猎方法[J]. 信息网络安全, 2023, 23(6): 91-103.

WU Shangyuan, SHEN Guowei, GUO Chun, CHEN Yi. Threat Intelligence-Driven Dynamic Threat Hunting Method[J]. Netinfo Security, 2023, 23(6): 91-103.

图/表 14

图1

图2

图3

表1

表2

表3

表4

表5

图4

图5

表6

表7

图6

表8

参考文献 24

[1]	LENG Tao, CAI Lijun, YU Aimin, et al. Review of Threat Discovery and Forensic Analysis Based on System Provenance Graph[J]. Journal on Communications, 2022. 43(7): 172-188. doi: 10.11959/j.issn.1000-436x.2022105
	冷涛, 蔡利君, 于爱民, 等. 基于系统溯源图的威胁发现与取证分析综述[J]. 通信学报, 2022, 43(7): 172-188. doi: 10.11959/j.issn.1000-436x.2022105
[2]	ZIPPERLE M, GOTTWALT F, CHANG E, et al. Provenance-Based Intrusion Detection Systems: A Survey[J]. ACM Computing Surveys, 2022, 55(7): 1-36.
[3]	MANZOOR E, MILAJERDI S M, AKOGLU L. Fast Memory-Efficient Anomaly Detection in Streaming Heterogeneous Gphs[C]// ACM. Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. New York: ACM, 2016: 1035-1044.
[4]	HAN Xueyuan, PASQUIER T, BATES A, et al. UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats[EB/OL]. (2020-01-14)[2023-04-20]. https://doi.org/10.48550/arXiv.2001.01525. doi: https://doi.org/10.48550/arXiv.2001.01525
[5]	WANG Qi, HASSAN W U, LI Ding, et al. You are What You Do: Hunting Stealthy Malware via Data Provenance Analysis[EB/OL]. (2020-01-01)[2023—04-20]. https://www.ndss-symposium.org/wp-content/uploads/2020/02/24167-paper.pdf.
[6]	HAN Xueyuan, YU Xiao, PASQUIER T, et al. SIGL: Securing Software Installations Through Deep Graph Learning[EB/OL]. (2021-06-22)[2023-04-20]. https://doi.org/10.48550/arXiv.2008.11533. doi: https://doi.org/10.48550/arXiv.2008.11533
[7]	XIE Yulai, FENG Dan, HU Yuchong, et al. Pagoda: A Hybrid Approach to Enable Efficient Real-Time Provenance Based Intrusion Eetection in Big Data Environments[J]. IEEE Transactions on Dependable and Secure Computing, 2018, 17(6): 1283-1296. doi: 10.1109/TDSC.8858 URL
[8]	MILAJERDI S M, GJOMEMO R, ESHETE B, et al. HOLMES: Real-Time APT Detection Through Correlation of Suspicious Information Flows[C]// IEEE. 2019 IEEE Symposium on Security and Privacy (SP). New York:IEEE, 2019: 1137-1152.
[9]	HOSSAIN M N, MILAJERDI S M, WANG Junao, et al. SLEUTH: Real-Time Attack Scenario Reconstruction from COTS Audit Data[C]// USENIX Association. 26th USENIX Security Symposium (USENIX Security 17). New York:Red Hook, 2017: 487-504.
[10]	SUN Xiaoyan, DAI Jun, LIU Peng, et al. Using Bayesian Networks for Probabilistic Identification of Zero-Day Attack Paths[J]. IEEE Transactions on Information Forensics and Security, 2018, 13(10): 2506-2521. doi: 10.1109/TIFS.2018.2821095 URL
[11]	HASSAN W U, BATES A, MARINO D. Tactical Provenance Analysis for Endpoint Detection and Response Systems[C]// IEEE. 2020 IEEE Symposium on Security and Privacy (SP). New York:IEEE, 2020: 1172-1189.
[12]	ALSAHEEL A, NAN Yuhong, MA Shiqing, et al. ATLAS: A Sequence-Based Learning Approach for Attack Investigation[C]// USENIX Association. Proceedings of the 30th USENIX Security Symposium. New York: Red Hook, 2021: 3005-3022.
[13]	GOYAL A, HAN Xueyuan, WANG Gang, et al. Sometimes, You Aren’t What You Do: Mimicry Attacks Against Provenance Graph Host Intrusion Detection Systems[EB/OL]. (2023-03-03)[2023-04-20]. https://dx.doi.org/10.14722/ndss.2023.24207. doi: https://dx.doi.org/10.14722/ndss.2023.24207
[14]	GAO Peng, SHAO Fei, LIU Xiaoyuan, et al. Enabling Efficient Cyber Threat Hunting with Cyber Threat Intelligence[C]// IEEE. 2021 IEEE 37th International Conference on Data Engineering (ICDE). New York:IEEE, 2021: 193-204.
[15]	SATVAT K, GJOMEMO R, VENKATAKRISHNAN V N. EXTRACTOR: Extracting Attack Behavior from Threat Reports[C]// IEEE. 2021 IEEE European Symposium on Security and Privacy (EuroS&P). New York:IEEE, 2021: 598-615.
[16]	ZHANG Huixia, SHEN Guowei, GUO Chun, et al. EX-Action: Automatically Extracting Threat Actions from Cyber Threat Intelligence Report Based on Multimodal Learning[J]. Security and Communication Networks, 2021, 1: 1-12. doi: 10.1002/(ISSN)1939-0122 URL
[17]	MILAJERDI S M, ESHETE B, GJOMEMO R, et al. Poirot: Aligning Attack BehAvior with Kernel Audit Records for Cyber Treat Hunting[C]// ACM. Proceedings of the 2019 ACM SIGSAC Conference on Co-mputer and Communications Security. New York: ACM, 2019: 1795-1812.
[18]	WEI Renzheng, CAI Lijun, ZHAO Lixin, et al. Deephunter: A Graph Neural Network Based Approach for Robust Cyber Threat Hunting[C]// Springer. International Conference on Security and Privacy in Communication Systems. Berlin:Springer, 2021: 3-24.
[19]	LIU Chen, LI Bo, ZHAO Jun, et al. MG-DVD: A Real-Time Framework for Malware Variant Detection Based on Dynamic Heterogeneous Graph Larning[EB/OL]. (2021-06-24)[2023-04-20]. https://doi.org/10.48550/arXiv.2106.12288. doi: https://doi.org/10.48550/arXiv.2106.12288
[20]	REIMERS N, GUREVYCH I. Sentence-BERT: Sentence Embeddings Using Siamese BERT-Networks[C]// ACL. Proceedings of the 2019 Conference on Empirical Methods in Natural Language Processing and the 9th International Joint Conference on Natural Language Processing (EMNLP-IJCNLP). Stroudsburg:ACL, 2019: 3982-3992.
[21]	STRNAD A, MESSITER Q, WATSON R, et al. Casual, Adaptive, Distributed, and Efficient Tracing System (cadets)[R]. BAE Systems, 2019.
[22]	BAI Yunsheng, DING Hao, BIAN Song, et al. Simgnn: A Neural Network Approach to Fast Graph Ssimilarity Computation[C]// ACM. Proceedings of the Twelfth ACM International Conference on Web Search and Data Mining. New York: ACM, 2019: 384-392.
[23]	LING Xiang, WU Lingfei, WANG Saizhuo, et al. Multilevel Graph Matching Networks for Deep Graph Similarity Learning[J]. IEEE Transactions on Neural Networks and Learning Systems, 2023, 34(2), 799-813. doi: 10.1109/TNNLS.2021.3102234 URL
[24]	QURESHI R J, RAMEL J Y, CARDOT H. Graph Based Shapes Representation and Recognition[C]// Springer. Graph-Based Representations in Pattern Recognition:6th IAPR-TC-15 International Workshop. Berlin:Springer, 2007: 49-60.

数据集	事件数	实体数	查询图节点数	查询图边数
CADETS1	5603041	218989	12	13
CADETS2	3462327	153413	25	25
CADETS3	9070572	303545	13	13

参数名	参数值
预训练模型	all-MiniLM-L6-v2
节点属性嵌入维度	384
节点标签嵌入维度	3
GCN隐藏层大小	100
学习率	0.1%
BILSTM隐藏层大小	100

不一致指标	CADETS1		CADETS2		CADETS3
不一致指标	NoInf	Inf	NoInf	Inf	NoInf	Inf
nGED	0.16	0.88	0.14	0.86	0.16	0.95
MN	8.3%(1)	8.3%(1)	6.7%(1)	6.7%(1)	8.0%(2)	8.0%(2)
ME	8.3%(1)	8.3%(1)	7.7%(1)	7.7%(1)	16%(4)	16%(4)
INA	0	75%(9)	0	77%(10)	0	68%(17)

方法	CADETS1		CADETS2		CADETS3
方法	NoInf	Inf	NoInf	Inf	NoInf	Inf
MGMN	1	0.9964	0.9376	0.5739	0.9665	0.5712
SimGNN	1	1	1	0.7574	0.9923	0.7223
PGMN-GTEN	1	1	1	0.8256	0.8598	0.6256
PGMN-GAEN	1	0.84	0.9598	0.6296	0.9256	0.5323
PGMN	1	1	1	0.9926	1	0.9841

GCN/BILSTM	CADETS1		CADETS2		CADETS3
GCN/BILSTM	NoInf	Inf	NoInf	Inf	NoInf	Inf
100/100	1	1	1	0.9926	1	0.9841
100/50	1	0.7589	1	0.1881	1	0.5784
100/200	1	1	1	0.9955	1	0.9802
50/50	1	1	1	0.8040	1	0.7345
50/100	1	1	1	0.9303	1	0.9089
200/200	1	1	1	0.8956	1	0.8524
200/100	1	0.9985	0.625	0.9941	0.7640	0.9824