Abstract
Advanced persistent threats (APTs) compromise critical large-scale networks increasingly often, yet detecting them remains difficult: security sensors frequently miss key steps of an APT, so many alerts that should have been raised are absent, while large-scale networks also generate thousands of repeated alerts every day. To address this, this paper proposes a novel method for reconstructing APTs in large-scale networks for attack forensics and traceability. The method has a low transmission cost and does not require raw data from terminal devices, which makes it well suited to large-scale networks with many terminal devices. Specifically, an alert reduction and correlation method is first designed to reduce the alert volume. These alerts are then transformed into an alert graph, and the key missed alerts are recovered by searching historical alerts and logs with Monte Carlo Tree Search (MCTS), which quickly assembles multi-stage attacks with high confidence. Evaluation on the modified CSE-CIC-IDS-2018 dataset indicates that the proposed method is robust against false negatives. Compared with prior work, the method is more efficient and more accurate, and it can detect APTs over a longer time horizon.
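The pipeline the abstract outlines (reduce repeated alerts, correlate the survivors into an alert graph, then search historical logs for the step a sensor missed) can be sketched end to end. The following Python is an added illustration written for this page, not the paper's code, dataset or scoring function: it assumes a five-stage kill chain, a fixed deduplication window, a per-event prior confidence on log lines, and a product-of-confidences reward for MCTS, all of which are constructed here. The alerts and log events are likewise constructed sample data.

```python
"""Illustrative sketch of alert reduction, alert-graph correlation and an MCTS
search for a missed attack step. Stage names, window size, confidence values
and the reward rule are assumptions made for this example, not the paper's."""
import math
import random
from collections import defaultdict
from dataclasses import dataclass

# Assumed kill-chain order; the abstract does not list the paper's stages.
STAGES = ["recon", "initial_access", "execution", "lateral_movement", "exfiltration"]


@dataclass(frozen=True)
class Alert:
    ts: int
    host: str
    stage: str


@dataclass(frozen=True)
class LogEvent:
    ts: int
    host: str
    stage: str
    conf: float  # assumed prior confidence that the log line is attack-related


def reduce_alerts(alerts, window=60):
    """Drop alerts repeating the same (host, stage) within `window` seconds of
    the first kept occurrence (window is anchored, not sliding)."""
    last, kept = {}, []
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.host, a.stage)
        if key in last and a.ts - last[key] <= window:
            continue
        last[key] = a.ts
        kept.append(a)
    return kept


def build_alert_graph(alerts):
    """Edges between successive alerts on one host that advance the kill chain."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)
    edges = []
    for seq in by_host.values():
        seq.sort(key=lambda x: x.ts)
        for prev, nxt in zip(seq, seq[1:]):
            if STAGES.index(nxt.stage) > STAGES.index(prev.stage):
                edges.append((prev, nxt))
    return edges


def missing_stages(edge):
    """Stages skipped between the two alerts of an edge: the sensor's blind spot."""
    prev, nxt = edge
    return STAGES[STAGES.index(prev.stage) + 1:STAGES.index(nxt.stage)]


def candidates(logs, edge, stage, after_ts):
    """Historical log events on the same host, of the wanted stage, inside the gap."""
    prev, nxt = edge
    return [e for e in logs if e.host == prev.host and e.stage == stage
            and after_ts < e.ts < nxt.ts]


class Node:
    def __init__(self, chain, parent=None):
        self.chain, self.parent = chain, parent  # chain: tuple of chosen LogEvents
        self.children, self.visits, self.value = {}, 0, 0.0


def mcts_fill_gap(edge, logs, iterations=300, seed=0):
    """Search for the most plausible temporally consistent chain of log events
    that fills the missing stages of `edge`; reward = product of confidences."""
    rng, gap, root = random.Random(seed), missing_stages(edge), Node(())
    for _ in range(iterations):
        node = root
        while len(node.chain) < len(gap):  # selection / expansion
            last_ts = node.chain[-1].ts if node.chain else edge[0].ts
            cands = candidates(logs, edge, gap[len(node.chain)], last_ts)
            untried = [c for c in cands if c not in node.children]
            if not cands:
                break
            if untried:
                child = Node(node.chain + (rng.choice(untried),), node)
                node.children[child.chain[-1]] = child
                node = child
                break
            node = max(node.children.values(), key=lambda ch: ch.value / ch.visits
                       + math.sqrt(2 * math.log(node.visits) / ch.visits))  # UCB1
        chain = list(node.chain)
        while len(chain) < len(gap):  # random rollout to a full chain
            last_ts = chain[-1].ts if chain else edge[0].ts
            cands = candidates(logs, edge, gap[len(chain)], last_ts)
            if not cands:
                break
            chain.append(rng.choice(cands))
        r = math.prod(e.conf for e in chain) if len(chain) == len(gap) else 0.0
        while node:  # backpropagation
            node.visits, node.value, node = node.visits + 1, node.value + r, node.parent
    best, node = [], root
    while node.children and len(best) < len(gap):  # most-visited path
        node = max(node.children.values(), key=lambda ch: ch.visits)
        best.append(node.chain[-1])
    return best, (root.value / root.visits if root.visits else 0.0)


# Constructed sample data: three repeated recon alerts, then lateral movement
# on ws-07 with no alert for initial access or execution in between.
ALERTS = [Alert(100, "ws-07", "recon"), Alert(110, "ws-07", "recon"),
          Alert(130, "ws-07", "recon"), Alert(1000, "ws-07", "lateral_movement"),
          Alert(50, "srv-02", "recon")]
LOGS = [LogEvent(200, "ws-07", "initial_access", 0.8), LogEvent(400, "ws-07", "initial_access", 0.4),
        LogEvent(300, "ws-07", "execution", 0.9), LogEvent(700, "ws-07", "execution", 0.5),
        LogEvent(2000, "ws-07", "execution", 0.95), LogEvent(250, "srv-02", "execution", 0.9)]

if __name__ == "__main__":
    reduced = reduce_alerts(ALERTS)
    for edge in build_alert_graph(reduced):
        chain, conf = mcts_fill_gap(edge, LOGS)
        print(edge[0].host, missing_stages(edge), [(e.stage, e.ts) for e in chain], round(conf, 3))
```

The search space is kept honest by the time constraint in `candidates`: an execution event at ts 300 cannot follow an initial-access event at ts 400, so the chain (400, 700) is the only one available under that branch, and UCB1 steers visits toward the (200, 300) chain with the highest confidence product. Only reduced alerts and per-event summaries cross the network in this sketch, matching the abstract's point that raw terminal data is not required.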