
Accurate and Scalable Detection and Investigation of Cyber Persistence Threats

Liu, Qi 1; Shoaib, Muhammad; Rehman, Mati Ur; Bao, Kaibin 1; Hagenmeyer, Veit 1; Hassan, Wajih Ul
1 Institut für Automation und angewandte Informatik (IAI), Karlsruher Institut für Technologie (KIT)

Abstract:

In Advanced Persistent Threat (APT) attacks, achieving stealthy persistence within target systems is often crucial for an attacker's success. This persistence allows adversaries to maintain prolonged access, often evading detection mechanisms. Recognizing its pivotal role in the APT lifecycle, this paper introduces Cyber Persistence Detector (CPD), a novel system dedicated to detecting cyber persistence through provenance analytics. CPD is founded on the insight that persistent operations typically manifest in two phases: the "persistence setup" and the subsequent "persistence execution". By causally relating these phases, we enhance our ability to detect persistent threats. First, CPD discerns setups signaling an impending persistent threat and then traces processes linked to remote connections to identify persistence execution activities. A key feature of our system is the introduction of pseudo-dependency edges (pseudo-edges), which effectively connect these disjoint phases using data provenance analysis, and expert-guided edges, which enable faster tracing and reduced log size. These edges empower us to detect persistence threats accurately and efficiently. ...


Full text
DOI: 10.5445/IR/1000175792
Published on 31.10.2024
Original publication
DOI: 10.48550/arXiv.2407.18832
Affiliated institution(s) at KIT: Institut für Automation und angewandte Informatik (IAI)
Publication type: Research report/Preprint
Publication year: 2024
Language: English
Identifier: KITopen-ID: 1000175792
HGF programme: 37.12.01 (POF IV, LK 01) Digitalization & System Technology for Flexibility Solutions
Further HGF programmes: 46.23.02 (POF IV, LK 01) Engineering Security for Energy Systems
Publisher: arxiv
Keywords: Advanced Persistence Threat detection, data provenance analysis
Indexed in: arXiv