TDLens:Toward an Empirical Evaluation of Provenance Graph-Based Approach to Cyber Threat Detection  

作　　者：Rui Mei Hanbing Yan Qinqin Wang Zhihui Han Zhuohang Lyu 

机构地区：[1]Institute of Information Engineering,Chinese Academy of Sciences,Beijing 100093,China [2]School of Cyber Security,University of Chinese Academy of Sciences,Beijing 100049,China [3]National Computer Network Emergency Response Technical Team/Coordination Center of China(CNCERT/CC),Beijing 100029,China

出　　处：《China Communications》2022年第10期102-115,共14页中国通信（英文版）

基　　金：supported by National Natural Science Foundation of China (No. U1736218);National Key R&D Program of China (No. 2018YFB0804704);partially supported by CNCERT/CC

摘　　要：To combat increasingly sophisticated cyber attacks,the security community has proposed and deployed a large body of threat detection approaches to discover malicious behaviors on host systems and attack payloads in network traffic.Several studies have begun to focus on threat detection methods based on provenance data of host-level event tracing.On the other side,with the significant development of big data and artificial intelligence technologies,large-scale graph computing has been widely used.To this end,kinds of research try to bridge the gap between threat detection based on host log provenance data and graph algorithm,and propose the threat detection algorithm based on system provenance graph.These approaches usually generate the system provenance graph via tagging and tracking of system events,and then leverage the characteristics of the graph to conduct threat detection and attack investigation.For the purpose of deeply understanding the correctness,effectiveness,and efficiency of different graph-based threat detection algorithms,we pay attention to mainstream threat detection methods based on provenance graphs.We select and implement 5 state-of-the-art threat detection approaches among a large number of studies as evaluation objects for further analysis.To this end,we collect about 40GB of host-level raw log data in a real-world IT environment,and simulate 6 types of cyber attack scenarios in an isolated environment for malicious provenance data to build our evaluation datasets.The crosswise comparison and longitudinal assessment interpret in detail these detection approaches can detect which attack scenarios well and why.Our empirical evaluation provides a solid foundation for the improvement direction of the threat detection approach.

关 键 词：cyber threat detection causality dependency graph data provenance 

分 类 号：TP393.08[自动化与计算机技术—计算机应用技术]