A Rule Mining-Based Advanced Persistent Threats Detection System
Advanced persistent threats (APT) are stealthy cyber-attacks that are aimed at stealing valuable information from target organizations and tend to extend in time. Blocking all APTs is impossible, security experts caution, hence the importance of research on early detection and damage limitation. Whole-system provenance-tracking and provenance trace mining are considered promising as they can help find causal relationships between activities and flag suspicious event sequences as they occur. We introduce an unsupervised method that exploits OS-independent features reflecting process activity to detect realistic APT-like attacks from provenance traces. Anomalous processes are ranked using both frequent and rare event associations learned from traces. Results are then presented as implications which, since interpretable, help leverage causality in explaining the detected anomalies. When evaluated on Transparent Computing program datasets (DARPA), our method outperformed competing approaches.
Saved in:
Published in: | arXiv.org 2021-05 |
---|---|
Main authors: | Sidahmed Benabderrahmane, Ghita Berrada, James Cheney, Petko Valtchev |
Format: | Article |
Language: | eng |
Subjects: | Anomalies; Cybersecurity; Damage detection |
Online access: | Full text |
container_title | arXiv.org |
---|---|
creator | Sidahmed Benabderrahmane; Berrada, Ghita; Cheney, James; Valtchev, Petko |
description | Advanced persistent threats (APT) are stealthy cyber-attacks that are aimed at stealing valuable information from target organizations and tend to extend in time. Blocking all APTs is impossible, security experts caution, hence the importance of research on early detection and damage limitation. Whole-system provenance-tracking and provenance trace mining are considered promising as they can help find causal relationships between activities and flag suspicious event sequences as they occur. We introduce an unsupervised method that exploits OS-independent features reflecting process activity to detect realistic APT-like attacks from provenance traces. Anomalous processes are ranked using both frequent and rare event associations learned from traces. Results are then presented as implications which, since interpretable, help leverage causality in explaining the detected anomalies. When evaluated on Transparent Computing program datasets (DARPA), our method outperformed competing approaches. |
format | Article |
fulltext | fulltext |
identifier | EISSN: 2331-8422 |
ispartof | arXiv.org, 2021-05 |
issn | 2331-8422 |
language | eng |
recordid | cdi_proquest_journals_2531423357 |
source | Free E-Journals |
subjects | Anomalies; Cybersecurity; Damage detection |
title | A Rule Mining-Based Advanced Persistent Threats Detection System |
url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-01T13%3A46%3A52IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=document&rft.atitle=A%20Rule%20Mining-Based%20Advanced%20Persistent%20Threats%20Detection%20System&rft.jtitle=arXiv.org&rft.au=Sidahmed%20Benabderrahmane&rft.date=2021-05-20&rft.eissn=2331-8422&rft_id=info:doi/&rft_dat=%3Cproquest%3E2531423357%3C/proquest%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2531423357&rft_id=info:pmid/&rfr_iscdi=true |