A flexible approach for cyber threat hunting based on kernel audit records  

在线阅读下载全文

作  者:Fengyu Yang Yanni Han Ying Ding Qian Tan Zhen Xu 

机构地区:[1]Institute of Information Engineering,Chinese Academy of Sciences,Beijing,China [2]School of Cyber Security,University of Chinese Academy of Sciences,Beijing,China

出  处:《Cybersecurity》2022年第3期74-89,共16页网络空间安全科学与技术(英文)

基  金:This work is supported in part by the Industrial Internet Innovation and Development Project“Industrial robot external safety enhancement device”(TC200H030);the Cooperation project between Chongqing Municipal undergraduate universities and institutes affiliated to CAS(HZ2021015).

摘  要:Hunting the advanced threats hidden in the enterprise networks has always been a complex and difficult task.Due to the variety of attacking means,it is difficult for traditional security systems to detect threats.Most existing methods analyze log records,but the amount of log records generated every day is very large.How to find the information related to the attack events quickly and effectively from massive data streams is an important problem.Considering that the knowledge graph can be used for automatic relation calculation and complex relation analysis,and can get relatively fast feedback,our work proposes to construct the knowledge graph based on kernel audit records,which fully considers the global correlation among entities observed in audit logs.We design the construction and application process of knowledge graph,which can be applied to actual threat hunting activities.Then we explore different ways to use the constructed knowledge graph for hunting actual threats in detail.Finally,we implement a LAN-wide hunting system which is convenient and flexible for security analysts.Evaluations based on the adversarial engagement designed by DARPA prove that our platform can effectively hunt sophisticated threats,quickly restore the attack path or assess the impact of attack.

关 键 词:Advanced persistent threat Cyber threat hunting Kernel audit log Knowledge graph 

分 类 号:O15[理学—数学]

 

参考文献:

正在载入数据...

 

二级参考文献:

正在载入数据...

 

耦合文献:

正在载入数据...

 

引证文献:

正在载入数据...

 

二级引证文献:

正在载入数据...

 

同被引文献:

正在载入数据...

 

相关期刊文献:

正在载入数据...

相关的主题
相关的作者对象
相关的机构对象