8 research outputs found
POIROT: Aligning Attack Behavior with Kernel Audit Records for Cyber Threat Hunting
Cyber threat intelligence (CTI) is being used to search for indicators of
attacks that might have compromised an enterprise network for a long time
without being discovered. To have a more effective analysis, CTI open standards
have incorporated descriptive relationships showing how the indicators or
observables are related to each other. However, these relationships are either
completely overlooked in information gathering or not used for threat hunting.
In this paper, we propose a system, called POIROT, which uses these
correlations to uncover the steps of a successful attack campaign. We use
kernel audits as a reliable source that covers all causal relations and
information flows among system entities and model threat hunting as an inexact
graph pattern matching problem. Our technical approach is based on a novel
similarity metric which assesses an alignment between a query graph constructed
out of CTI correlations and a provenance graph constructed out of kernel audit
log records. We evaluate POIROT on publicly released real-world incident
reports as well as reports of an adversarial engagement designed by DARPA,
including ten distinct attack campaigns against different OS platforms such as
Linux, FreeBSD, and Windows. Our evaluation results show that POIROT is capable
of searching inside graphs containing millions of nodes and pinpoint the
attacks in a few minutes, and the results serve to illustrate that CTI
correlations could be used as robust and reliable artifacts for threat hunting.Comment: The final version of this paper is going to appear in the ACM SIGSAC
Conference on Computer and Communications Security (CCS'19), November 11-15,
2019, London, United Kingdo
Professional English. Fundamentals of Software Engineering
Посібник містить оригінальні тексти фахового змісту, які супроводжуються термінологічним тематичним вокабуляром та вправами різного методичного спрямування.
Для студентів, які навчаються за напрямами підготовки: «Програмна інженерія», «Комп’ютерні науки» «Комп’ютерна інженерія»
Raphtory: Modelling, Maintenance and Analysis of Distributed Temporal Graphs.
PhD ThesesTemporal graphs capture the development of relationships within data throughout time. This
model ts naturally within a streaming architecture, where new events can be inserted directly
into the graph upon arrival from a data source and be compared to related entities or historical
state. However, the majority of graph processing systems only consider traditional graph analysis
on static data, whilst those which do expand past this often only support batched updating and
delta analysis across graph snapshots. In this work we de ne a temporal property graph model
and the semantics for updating it in both a distributed and non-distributed context. We have
built Raphtory, a distributed temporal graph analytics platform which maintains the full graph
history in memory, leveraging the de ned update semantics to insert streamed events directly into
the model without batching or centralised ordering. In parallel with the ingestion, traditional
and time-aware analytics may be performed on the most up-to-date version of the graph, as
well as any point throughout its history. The depth of history viewed from the perspective of
a time point may also be varied to explore both short and long term patterns within the data.
Through this we extract novel insights over a variety of use cases, including phenomena never
seen before in social networks. Finally, we demonstrate Raphtory's ability to scale both vertically
and horizontally, handling consistent throughput in excess of 100,000 updates a second alongside
the ingestion and maintenance of graphs built from billions of events