| Authors | Zehui Wang, Yunxiang Wang, Wenhao Yan, Yinhao Qi, Tian Tian, Bo Jiang, Zhigang Lu |
|---|---|
| Institution | Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academy of Sciences |
# Abstract
Advanced Persistent Threats (APTs) are exceptionally challenging to detect due to their high stealthiness. Audit logs, which provide detailed process-level information and record all activities before and after an APT attack, are crucial for detecting such threats. However, the sheer volume of data in audit logs also poses a significant challenge. Current methods suffer from the following issues: 1) difficulty in extracting information from the complex contextual relationships within audit logs, 2) reliance on prior knowledge for detecting APT attacks, and 3) coarse-grained detection signals.
In this paper, we introduce Autumn, an APT detection method that takes processes as its primary object of study. Autumn is an unsupervised learning model that requires no prior knowledge, which makes it better suited to real-world APT detection scenarios. By focusing on processes, Autumn can swiftly isolate critical information in vast audit logs and provides fine-grained detection signals. We begin by constructing a graph from the audit logs, segmenting it into subgraphs by time, and applying strategies to reduce data volume. We then learn the characteristics of processes: process information is converted into input vectors with word2vec, a transformer autoencoder encodes and decodes each subgraph to obtain its reconstruction error, and the model is trained by associating that error with the processes' IDF scores. Finally, we train the model on benign data and test it on a separate set of subgraphs containing attack events. Compared with other unsupervised learning methods, Autumn shows a significant improvement in detection performance.
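The pre-processing pipeline described in the abstract (graph construction from audit logs, time-based segmentation into subgraphs, data reduction, and per-process IDF scores that weight a per-subgraph reconstruction error) is sketched below as an added example; it is not code from the Autumn paper or its authors. The log line format, the 100-second window, the deduplication of repeated edges as the reduction strategy, and the way IDF weights combine with a reconstruction error are all assumptions made for illustration. The word2vec embedding and the transformer autoencoder are not implemented here; `score_subgraph` takes a hypothetical dictionary of per-process reconstruction errors as input.

```python
"""Added example (not the paper's code): process-centric subgraphs and IDF weights."""
import math
from collections import defaultdict

# Constructed audit log lines (not real data): "<epoch seconds> <process> <action> <object>"
SAMPLE_LOG = """\
1000 bash exec /usr/bin/ls
1005 sshd read /etc/ssh/sshd_config
1007 bash exec /usr/bin/ls
1010 bash exec /usr/bin/cat
1100 sshd read /var/log/auth.log
1105 bash exec /usr/bin/grep
1200 sshd write /var/log/auth.log
1205 bash exec /usr/bin/ls
1220 curl connect 203.0.113.7:443
1300 sshd read /etc/passwd
1305 bash exec /usr/bin/ls
"""

WINDOW_SECONDS = 100  # assumed segmentation interval (hypothetical)


def parse_log(text):
    """Parse the constructed log format into (timestamp, process, action, object) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, action, obj = line.split(maxsplit=3)
        events.append((int(ts), proc, action, obj))
    return events


def build_subgraphs(events, window=WINDOW_SECONDS):
    """Segment events into time windows. Each subgraph maps a process node to the
    set of (action, object) edges it produced; using a set collapses repeated
    identical events, which is the (assumed) data-reduction step."""
    subgraphs = defaultdict(lambda: defaultdict(set))
    for ts, proc, action, obj in events:
        subgraphs[ts // window][proc].add((action, obj))
    return {k: dict(v) for k, v in sorted(subgraphs.items())}


def process_idf(subgraphs):
    """IDF of each process across subgraphs: log(N / df). A process present in
    every window scores 0 (no discriminative value); a process seen in a single
    window scores log(N)."""
    n = len(subgraphs)
    df = defaultdict(int)
    for g in subgraphs.values():
        for proc in g:
            df[proc] += 1
    return {p: math.log(n / d) for p, d in df.items()}


def score_subgraph(errors, idf, unseen_weight=None):
    """IDF-weighted mean of per-process reconstruction errors for one subgraph.
    `errors` is a hypothetical dict process -> error from an autoencoder.
    A process absent from the IDF table (never seen in training) gets the
    largest observed IDF unless the caller supplies another weight."""
    if unseen_weight is None:
        unseen_weight = max(idf.values()) if idf else 0.0
    weights = {p: idf.get(p, unseen_weight) for p in errors}
    total = sum(weights.values())
    if total == 0.0:  # every process is ubiquitous: nothing to weight
        return 0.0
    return sum(weights[p] * e for p, e in errors.items()) / total


SUBGRAPHS = build_subgraphs(parse_log(SAMPLE_LOG))
IDF = process_idf(SUBGRAPHS)

if __name__ == "__main__":
    for key, g in SUBGRAPHS.items():
        print(f"window {key}: {sum(len(e) for e in g.values())} edges over {list(g)}")
    print("IDF:", IDF)
```

On the constructed log, `bash` and `sshd` appear in all four windows and receive IDF 0, while `curl` appears in one window only and receives log(4); a high reconstruction error on `curl` therefore dominates its window's score, which is the effect IDF weighting is meant to produce.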