A Rule Mining-Based Advanced Persistent Threats Detection System

Sidahmed Benabderrahmane*, Ghita Berrada, James Cheney, Petko Valtchev

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Advanced persistent threats (APT) are stealthy cyber-attacks that are aimed at stealing valuable information from target organizations and tend to extend in time. Blocking all APTs is impossible, security experts caution, hence the importance of research on early detection and damage limitation. Whole-system provenance-tracking and provenance trace mining are considered promising as they can help find causal relationships between activities and flag suspicious event sequences as they occur. We introduce an unsupervised method that exploits OS-independent features reflecting process activity to detect realistic APT-like attacks from provenance traces. Anomalous processes are ranked using both frequent and rare event associations learned from traces. Results are then presented as implications which, since interpretable, help leverage causality in explaining the detected anomalies. When evaluated on Transparent Computing program datasets (DARPA), our method outperformed competing approaches.
Original languageEnglish
Title of host publicationProceedings of the Thirtieth International Joint Conference on Artificial Intelligence (IJCAI-21)
Place of PublicationMontreal, Canada
PublisherIJCAI Inc
Pages3589-3596
Number of pages8
ISBN (Electronic)9780999241196
DOIs
Publication statusPublished - 19 Aug 2021
Event30th International Joint Conference on Artificial Intelligence - Montreal, Canada
Duration: 19 Aug 202126 Aug 2021
https://ijcai-21.org/

Conference

Conference30th International Joint Conference on Artificial Intelligence
Abbreviated titleIJCAI 2021
Country/TerritoryCanada
CityMontreal
Period19/08/2126/08/21
Internet address

Keywords

  • Security and privacy
  • Frequent Pattern Mining
  • Anomaly/Outlier Detection

Cite this