KIT | KIT-Bibliothek | Impressum | Datenschutz

Accurate and Scalable Detection and Investigation of Cyber Persistence Threats

Liu, Qi ORCID iD icon 1; Shoaib, Muhammad; Rehman, Mati Ur; Bao, Kaibin ORCID iD icon 1; Hagenmeyer, Veit ORCID iD icon 1; Hassan, Wajih Ul
1 Institut für Automation und angewandte Informatik (IAI), Karlsruher Institut für Technologie (KIT)

Abstract (englisch):

In Advanced Persistent Threat (APT) attacks, achieving stealthy persistence within target systems is often crucial for an attacker’s success.
This persistence allows adversaries to maintain prolonged access, often evading detection mechanisms. Recognizing its pivotal role in the APT lifecycle, this paper introduces Cyber Persistence Detector (CPD), a novel system dedicated to detecting cyber persistence through provenance analytics. CPD is founded on the insight that persistent operations typically manifest in two phases: the ``persistence setup'' and the subsequent ``persistence execution''. By causally relating these phases, we enhance our ability to detect persistent threats.
First, CPD discerns setups signaling an impending persistent threat and then traces processes linked to remote connections to identify persistence execution activities. A key feature of our system is the introduction of \emph{pseudo-dependency edges} (pseudo-edges), which effectively connect these disjoint phases using data provenance analysis, and \emph{expert-guided edges}, which enable faster tracing and reduced log size. These edges empower us to detect persistence threats accurately and efficiently. ... mehr


Verlagsausgabe §
DOI: 10.5445/IR/1000193013
Veröffentlicht am 06.05.2026
Originalveröffentlichung
DOI: 10.1109/TDSC.2026.3689905
Cover der Publikation
Zugehörige Institution(en) am KIT Institut für Automation und angewandte Informatik (IAI)
Publikationstyp Zeitschriftenaufsatz
Publikationsjahr 2026
Sprache Englisch
Identifikator ISSN: 1545-5971, 1941-0018, 2160-9209
KITopen-ID: 1000193013
HGF-Programm 37.12.01 (POF IV, LK 01) Digitalization & System Technology for Flexibility Solutions
Weitere HGF-Programme 46.23.02 (POF IV, LK 01) Engineering Security for Energy Systems
Erschienen in IEEE Transactions on Dependable and Secure Computing
Verlag Institute of Electrical and Electronics Engineers (IEEE)
Seiten 1–18
Schlagwörter Advanced Persistence Threat detection,, data provenance analysis
Nachgewiesen in OpenAlex
Scopus
KIT – Die Universität in der Helmholtz-Gemeinschaft
KITopen Landing Page