A Rule Mining-Based Advanced Persistent Threats Detection System

Sidahmed Benabderrahmane; Ghita Berrada; James Cheney; Petko Valtchev

doi:10.24963/ijcai.2021/494

A Rule Mining-Based Advanced Persistent Threats Detection System

Sidahmed Benabderrahmane^*, Ghita Berrada, James Cheney, Petko Valtchev

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Advanced persistent threats (APT) are stealthy cyber-attacks that are aimed at stealing valuable information from target organizations and tend to extend in time. Blocking all APTs is impossible, security experts caution, hence the importance of research on early detection and damage limitation. Whole-system provenance-tracking and provenance trace mining are considered promising as they can help find causal relationships between activities and flag suspicious event sequences as they occur. We introduce an unsupervised method that exploits OS-independent features reflecting process activity to detect realistic APT-like attacks from provenance traces. Anomalous processes are ranked using both frequent and rare event associations learned from traces. Results are then presented as implications which, since interpretable, help leverage causality in explaining the detected anomalies. When evaluated on Transparent Computing program datasets (DARPA), our method outperformed competing approaches.

Original language	English
Title of host publication	Proceedings of the Thirtieth International Joint Conference on Artificial Intelligence (IJCAI-21)
Place of Publication	Montreal, Canada
Publisher	IJCAI Inc
Pages	3589-3596
Number of pages	8
ISBN (Electronic)	9780999241196
DOIs	https://doi.org/10.24963/ijcai.2021/494
Publication status	Published - 19 Aug 2021
Event	30th International Joint Conference on Artificial Intelligence - Montreal, Canada Duration: 19 Aug 2021 → 26 Aug 2021 https://ijcai-21.org/

Conference

Conference	30th International Joint Conference on Artificial Intelligence
Abbreviated title	IJCAI 2021
Country/Territory	Canada
City	Montreal
Period	19/08/21 → 26/08/21
Internet address	https://ijcai-21.org/

Keywords

Security and privacy
Frequent Pattern Mining
Anomaly/Outlier Detection

Access to Document

10.24963/ijcai.2021/494Licence: All Rights Reserved

2105.10053v1Accepted author manuscript, 357 KBLicence: All Rights Reserved

https://www.ijcai.org/proceedings/2021/0494Licence: All Rights Reserved

Skye-A programming language bridging theory and practice for scientific data curation
Cheney, J.
EU government bodies
1/09/16 → 31/08/22
Project: Research
A Diagnostics Approach to Persistent Threat Detection (ADAPT)
Cheney, J.
Non-EU other
26/06/15 → 30/06/19
Project: Research

Cite this

@inproceedings{9d48842d724a43db8eaa2b2fdbffa9a3,

title = "A Rule Mining-Based Advanced Persistent Threats Detection System",

abstract = "Advanced persistent threats (APT) are stealthy cyber-attacks that are aimed at stealing valuable information from target organizations and tend to extend in time. Blocking all APTs is impossible, security experts caution, hence the importance of research on early detection and damage limitation. Whole-system provenance-tracking and provenance trace mining are considered promising as they can help find causal relationships between activities and flag suspicious event sequences as they occur. We introduce an unsupervised method that exploits OS-independent features reflecting process activity to detect realistic APT-like attacks from provenance traces. Anomalous processes are ranked using both frequent and rare event associations learned from traces. Results are then presented as implications which, since interpretable, help leverage causality in explaining the detected anomalies. When evaluated on Transparent Computing program datasets (DARPA), our method outperformed competing approaches. ",

keywords = "Security and privacy, Frequent Pattern Mining, Anomaly/Outlier Detection",

author = "Sidahmed Benabderrahmane and Ghita Berrada and James Cheney and Petko Valtchev",

year = "2021",

month = aug,

day = "19",

doi = "10.24963/ijcai.2021/494",

language = "English",

pages = "3589--3596",

booktitle = "Proceedings of the Thirtieth International Joint Conference on Artificial Intelligence (IJCAI-21)",

publisher = "IJCAI Inc",

note = "30th International Joint Conference on Artificial Intelligence, IJCAI 2021 ; Conference date: 19-08-2021 Through 26-08-2021",

url = "https://ijcai-21.org/",

}

Benabderrahmane, S, Berrada, G, Cheney, J & Valtchev, P 2021, A Rule Mining-Based Advanced Persistent Threats Detection System. in Proceedings of the Thirtieth International Joint Conference on Artificial Intelligence (IJCAI-21). IJCAI Inc, Montreal, Canada, pp. 3589-3596, 30th International Joint Conference on Artificial Intelligence, Montreal, Quebec, Canada, 19/08/21. https://doi.org/10.24963/ijcai.2021/494

TY - GEN

T1 - A Rule Mining-Based Advanced Persistent Threats Detection System

AU - Benabderrahmane, Sidahmed

AU - Berrada, Ghita

AU - Cheney, James

AU - Valtchev, Petko

PY - 2021/8/19

Y1 - 2021/8/19

N2 - Advanced persistent threats (APT) are stealthy cyber-attacks that are aimed at stealing valuable information from target organizations and tend to extend in time. Blocking all APTs is impossible, security experts caution, hence the importance of research on early detection and damage limitation. Whole-system provenance-tracking and provenance trace mining are considered promising as they can help find causal relationships between activities and flag suspicious event sequences as they occur. We introduce an unsupervised method that exploits OS-independent features reflecting process activity to detect realistic APT-like attacks from provenance traces. Anomalous processes are ranked using both frequent and rare event associations learned from traces. Results are then presented as implications which, since interpretable, help leverage causality in explaining the detected anomalies. When evaluated on Transparent Computing program datasets (DARPA), our method outperformed competing approaches.

AB - Advanced persistent threats (APT) are stealthy cyber-attacks that are aimed at stealing valuable information from target organizations and tend to extend in time. Blocking all APTs is impossible, security experts caution, hence the importance of research on early detection and damage limitation. Whole-system provenance-tracking and provenance trace mining are considered promising as they can help find causal relationships between activities and flag suspicious event sequences as they occur. We introduce an unsupervised method that exploits OS-independent features reflecting process activity to detect realistic APT-like attacks from provenance traces. Anomalous processes are ranked using both frequent and rare event associations learned from traces. Results are then presented as implications which, since interpretable, help leverage causality in explaining the detected anomalies. When evaluated on Transparent Computing program datasets (DARPA), our method outperformed competing approaches.

KW - Security and privacy

KW - Frequent Pattern Mining

KW - Anomaly/Outlier Detection

U2 - 10.24963/ijcai.2021/494

DO - 10.24963/ijcai.2021/494

M3 - Conference contribution

SP - 3589

EP - 3596

BT - Proceedings of the Thirtieth International Joint Conference on Artificial Intelligence (IJCAI-21)

PB - IJCAI Inc

CY - Montreal, Canada

T2 - 30th International Joint Conference on Artificial Intelligence

Y2 - 19 August 2021 through 26 August 2021

ER -

A Rule Mining-Based Advanced Persistent Threats Detection System

Abstract

Conference

Keywords

Access to Document

Projects

Skye-A programming language bridging theory and practice for scientific data curation

A Diagnostics Approach to Persistent Threat Detection (ADAPT)

Cite this