Threat Intelligence-Driven Dynamic Threat Hunting Method

doi:10.3969/j.issn.1671-1122.2023.06.009

Abstract

Abstract:

In recent years, with the development of automatic extraction technology of open source threat intelligence, threat hunting on Provenance Graph driven by threat intelligence has the advantages of not requiring expert knowledge and providing complete attack scenarios, which is an effective threat detection method. However, existing threat hunting methods still suffer from several limitations. On the one hand, they rely on Indicators of Compromise (IOC) for threat searches, which makes them difficult to effectively detect threats in cases where the attack evades detection; on the other hand, existing methods often neglect the application scenarios of continuous hunting, ignoring the high costs associated with such hunting. To address these issues, this paper proposed a Threat Intelligence-Driven Dynamic Threat Hunting Method (DyHunter), which can perform continuous threat hunting even when threat intelligence is inconsistent with the actual attack due to attack evasion. DyHunter used a composite candidate subgraph selection algorithm to avoid missing attack nodes and attack subgraphs, and employed a multi-layer graph similarity learning method to learn topology and node attribute similarity to improve model robustness. It generated and maintained a suspicious subgraph to reduce the cost of continuous hunting. Experimental results show that, compared with existing methods, DyHunter can effectively ensure high accuracy under the impact of attack evasion, and reduce more than 94.1% of space overhead during the continuous hunting process.

Key words: threat intelligence, provenance graph, threat hunting, graph similarity learning

CLC Number:

TP309

WU Shangyuan, SHEN Guowei, GUO Chun, CHEN Yi. Threat Intelligence-Driven Dynamic Threat Hunting Method[J]. Netinfo Security, 2023, 23(6): 91-103.

Figures/Tables 14

References 24

[1]	LENG Tao, CAI Lijun, YU Aimin, et al. Review of Threat Discovery and Forensic Analysis Based on System Provenance Graph[J]. Journal on Communications, 2022. 43(7): 172-188. doi: 10.11959/j.issn.1000-436x.2022105
	冷涛, 蔡利君, 于爱民, 等. 基于系统溯源图的威胁发现与取证分析综述[J]. 通信学报, 2022, 43(7): 172-188. doi: 10.11959/j.issn.1000-436x.2022105
[2]	ZIPPERLE M, GOTTWALT F, CHANG E, et al. Provenance-Based Intrusion Detection Systems: A Survey[J]. ACM Computing Surveys, 2022, 55(7): 1-36.
[3]	MANZOOR E, MILAJERDI S M, AKOGLU L. Fast Memory-Efficient Anomaly Detection in Streaming Heterogeneous Gphs[C]// ACM. Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. New York: ACM, 2016: 1035-1044.
[4]	HAN Xueyuan, PASQUIER T, BATES A, et al. UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats[EB/OL]. (2020-01-14)[2023-04-20]. https://doi.org/10.48550/arXiv.2001.01525. doi: https://doi.org/10.48550/arXiv.2001.01525
[5]	WANG Qi, HASSAN W U, LI Ding, et al. You are What You Do: Hunting Stealthy Malware via Data Provenance Analysis[EB/OL]. (2020-01-01)[2023—04-20]. https://www.ndss-symposium.org/wp-content/uploads/2020/02/24167-paper.pdf.
[6]	HAN Xueyuan, YU Xiao, PASQUIER T, et al. SIGL: Securing Software Installations Through Deep Graph Learning[EB/OL]. (2021-06-22)[2023-04-20]. https://doi.org/10.48550/arXiv.2008.11533. doi: https://doi.org/10.48550/arXiv.2008.11533
[7]	XIE Yulai, FENG Dan, HU Yuchong, et al. Pagoda: A Hybrid Approach to Enable Efficient Real-Time Provenance Based Intrusion Eetection in Big Data Environments[J]. IEEE Transactions on Dependable and Secure Computing, 2018, 17(6): 1283-1296. doi: 10.1109/TDSC.8858 URL
[8]	MILAJERDI S M, GJOMEMO R, ESHETE B, et al. HOLMES: Real-Time APT Detection Through Correlation of Suspicious Information Flows[C]// IEEE. 2019 IEEE Symposium on Security and Privacy (SP). New York:IEEE, 2019: 1137-1152.
[9]	HOSSAIN M N, MILAJERDI S M, WANG Junao, et al. SLEUTH: Real-Time Attack Scenario Reconstruction from COTS Audit Data[C]// USENIX Association. 26th USENIX Security Symposium (USENIX Security 17). New York:Red Hook, 2017: 487-504.
[10]	SUN Xiaoyan, DAI Jun, LIU Peng, et al. Using Bayesian Networks for Probabilistic Identification of Zero-Day Attack Paths[J]. IEEE Transactions on Information Forensics and Security, 2018, 13(10): 2506-2521. doi: 10.1109/TIFS.2018.2821095 URL
[11]	HASSAN W U, BATES A, MARINO D. Tactical Provenance Analysis for Endpoint Detection and Response Systems[C]// IEEE. 2020 IEEE Symposium on Security and Privacy (SP). New York:IEEE, 2020: 1172-1189.
[12]	ALSAHEEL A, NAN Yuhong, MA Shiqing, et al. ATLAS: A Sequence-Based Learning Approach for Attack Investigation[C]// USENIX Association. Proceedings of the 30th USENIX Security Symposium. New York: Red Hook, 2021: 3005-3022.
[13]	GOYAL A, HAN Xueyuan, WANG Gang, et al. Sometimes, You Aren’t What You Do: Mimicry Attacks Against Provenance Graph Host Intrusion Detection Systems[EB/OL]. (2023-03-03)[2023-04-20]. https://dx.doi.org/10.14722/ndss.2023.24207. doi: https://dx.doi.org/10.14722/ndss.2023.24207
[14]	GAO Peng, SHAO Fei, LIU Xiaoyuan, et al. Enabling Efficient Cyber Threat Hunting with Cyber Threat Intelligence[C]// IEEE. 2021 IEEE 37th International Conference on Data Engineering (ICDE). New York:IEEE, 2021: 193-204.
[15]	SATVAT K, GJOMEMO R, VENKATAKRISHNAN V N. EXTRACTOR: Extracting Attack Behavior from Threat Reports[C]// IEEE. 2021 IEEE European Symposium on Security and Privacy (EuroS&P). New York:IEEE, 2021: 598-615.
[16]	ZHANG Huixia, SHEN Guowei, GUO Chun, et al. EX-Action: Automatically Extracting Threat Actions from Cyber Threat Intelligence Report Based on Multimodal Learning[J]. Security and Communication Networks, 2021, 1: 1-12. doi: 10.1002/(ISSN)1939-0122 URL
[17]	MILAJERDI S M, ESHETE B, GJOMEMO R, et al. Poirot: Aligning Attack BehAvior with Kernel Audit Records for Cyber Treat Hunting[C]// ACM. Proceedings of the 2019 ACM SIGSAC Conference on Co-mputer and Communications Security. New York: ACM, 2019: 1795-1812.
[18]	WEI Renzheng, CAI Lijun, ZHAO Lixin, et al. Deephunter: A Graph Neural Network Based Approach for Robust Cyber Threat Hunting[C]// Springer. International Conference on Security and Privacy in Communication Systems. Berlin:Springer, 2021: 3-24.
[19]	LIU Chen, LI Bo, ZHAO Jun, et al. MG-DVD: A Real-Time Framework for Malware Variant Detection Based on Dynamic Heterogeneous Graph Larning[EB/OL]. (2021-06-24)[2023-04-20]. https://doi.org/10.48550/arXiv.2106.12288. doi: https://doi.org/10.48550/arXiv.2106.12288
[20]	REIMERS N, GUREVYCH I. Sentence-BERT: Sentence Embeddings Using Siamese BERT-Networks[C]// ACL. Proceedings of the 2019 Conference on Empirical Methods in Natural Language Processing and the 9th International Joint Conference on Natural Language Processing (EMNLP-IJCNLP). Stroudsburg:ACL, 2019: 3982-3992.
[21]	STRNAD A, MESSITER Q, WATSON R, et al. Casual, Adaptive, Distributed, and Efficient Tracing System (cadets)[R]. BAE Systems, 2019.
[22]	BAI Yunsheng, DING Hao, BIAN Song, et al. Simgnn: A Neural Network Approach to Fast Graph Ssimilarity Computation[C]// ACM. Proceedings of the Twelfth ACM International Conference on Web Search and Data Mining. New York: ACM, 2019: 384-392.
[23]	LING Xiang, WU Lingfei, WANG Saizhuo, et al. Multilevel Graph Matching Networks for Deep Graph Similarity Learning[J]. IEEE Transactions on Neural Networks and Learning Systems, 2023, 34(2), 799-813. doi: 10.1109/TNNLS.2021.3102234 URL
[24]	QURESHI R J, RAMEL J Y, CARDOT H. Graph Based Shapes Representation and Recognition[C]// Springer. Graph-Based Representations in Pattern Recognition:6th IAPR-TC-15 International Workshop. Berlin:Springer, 2007: 49-60.

数据集	事件数	实体数	查询图节点数	查询图边数
CADETS1	5603041	218989	12	13
CADETS2	3462327	153413	25	25
CADETS3	9070572	303545	13	13

参数名	参数值
预训练模型	all-MiniLM-L6-v2
节点属性嵌入维度	384
节点标签嵌入维度	3
GCN隐藏层大小	100
学习率	0.1%
BILSTM隐藏层大小	100

不一致指标	CADETS1		CADETS2		CADETS3
不一致指标	NoInf	Inf	NoInf	Inf	NoInf	Inf
nGED	0.16	0.88	0.14	0.86	0.16	0.95
MN	8.3%(1)	8.3%(1)	6.7%(1)	6.7%(1)	8.0%(2)	8.0%(2)
ME	8.3%(1)	8.3%(1)	7.7%(1)	7.7%(1)	16%(4)	16%(4)
INA	0	75%(9)	0	77%(10)	0	68%(17)

方法	CADETS1		CADETS2		CADETS3
方法	NoInf	Inf	NoInf	Inf	NoInf	Inf
MGMN	1	0.9964	0.9376	0.5739	0.9665	0.5712
SimGNN	1	1	1	0.7574	0.9923	0.7223
PGMN-GTEN	1	1	1	0.8256	0.8598	0.6256
PGMN-GAEN	1	0.84	0.9598	0.6296	0.9256	0.5323
PGMN	1	1	1	0.9926	1	0.9841

GCN/BILSTM	CADETS1		CADETS2		CADETS3
GCN/BILSTM	NoInf	Inf	NoInf	Inf	NoInf	Inf
100/100	1	1	1	0.9926	1	0.9841
100/50	1	0.7589	1	0.1881	1	0.5784
100/200	1	1	1	0.9955	1	0.9802
50/50	1	1	1	0.8040	1	0.7345
50/100	1	1	1	0.9303	1	0.9089
200/200	1	1	1	0.8956	1	0.8524
200/100	1	0.9985	0.625	0.9941	0.7640	0.9824