Research area: Safety
Venue: 2021 IEEE 21st International Conference on Software Quality, Reliability and Security (QRS)
In recent years, the security community has been working on detecting increasingly sophisticated cyber threats effectively and responding to them efficiently. A large body of approaches has been proposed and deployed for discovering malicious behaviors within enterprise IT environments. However, combating two main types of attacks, namely outsider Advanced Persistent Threats (APTs) and insider employees' malicious activities, remains a long-lasting confrontation. We propose a novel provenance graph-based approach for detecting these two major threats. First, we collect system event logs from endpoints in the enterprise IT environment and generate a whole-system provenance graph and the corresponding correlation graph. Then, we extract the most uncommon or abnormal causality subgraphs for further graph embedding. Finally, we adopt an anomaly detection model to separate malicious parts from the mass of benign parts in the correlation graph to support analysts' decisions. We implement a prototype of CTSCOPY. Our evaluation demonstrates that it outperforms state-of-the-art approaches in various attack scenarios.
| Publication year | 2021 |
|---|---|
| Citations | 3 |
| Country of publication | China |
| Site | IEEE |
| Likes | 0 |