RANK: AI-Assisted End-to-End Architecture for Detecting Persistent Attacks in Enterprise Networks


Detailed description

Saved in:
Bibliographic details
Published in: IEEE transactions on dependable and secure computing 2024-07, Vol.21 (4), p.3834-3850
Main authors: Soliman, Hazem M., Sovilj, Dusan, Salmon, Geoff, Rao, Mohan, Mayya, Niranjan
Format: Article
Language: eng
container_end_page 3850
container_issue 4
container_start_page 3834
container_title IEEE transactions on dependable and secure computing
container_volume 21
creator Soliman, Hazem M.
Sovilj, Dusan
Salmon, Geoff
Rao, Mohan
Mayya, Niranjan
description Modern government and enterprise networks are the target of sophisticated multi-step attacks called Advanced Persistent Threats (APTs), designed and carried out by expert adversaries. The prolonged nature of APTs results in overwhelming the analyst with an increasingly impractical number of alerts. As a result, the challenge of APT detection is ideal for automation through artificial intelligence (AI). In this paper, we propose the first, to our knowledge, end-to-end AI-assisted architecture for detecting APTs: RANK. We propose advanced algorithms and solutions for four consecutive sub-problems: 1) alert templating and merging, 2) alert graph construction, 3) alert graph partitioning into incidents, and 4) incident scoring and prioritization. Additionally, we discuss the necessary optimizations and techniques enabling the system to operate in a real-time fashion. We evaluate our architecture against the 2000 DARPA and Mordor datasets, as well as a large number of real-world datasets from enterprise networks. Extensive results are provided showing a four orders-of-magnitude reduction in the amount of data to be reviewed, innovative extraction of incidents, and security-aware scoring of incidents. The extracted incidents can be further used for downstream tasks. In our experiments where we have access to a portion of alert labels, we are able to achieve 87% balanced accuracy.
doi_str_mv 10.1109/TDSC.2023.3338136
format Article
identifier ISSN: 1545-5971
ispartof IEEE transactions on dependable and secure computing, 2024-07, Vol.21 (4), p.3834-3850
issn 1545-5971
1941-0018
language eng
recordid cdi_proquest_journals_3079386723
source IEEE Electronic Library (IEL)
subjects Advanced persistent threats
Algorithms
Artificial intelligence
Buildings
Computer architecture
Correlation
Deep learning
Detectors
enterprise networks
intrusion detection
machine learning
mathematical optimization
Merging
Networks
Real time
Security
security management architecture
Target detection
Threat evaluation
title RANK: AI-Assisted End-to-End Architecture for Detecting Persistent Attacks in Enterprise Networks