E-Audit: Distinguishing and investigating suspicious events for APTs attack detection

Abstract

To detect Advanced Persistent Threats (APTs), recent research efforts focus on modeling the common attack kill chain. The provenance graph is one of the proven techniques which maintains a long-term historic correlation of the attack stages to model the kill chain. However, it is overwhelming to model the kill chain by inspecting the high volume of system events. The paper proposes E-Audit, a hybrid (event-correlation and classification) approach to model the APT kill chain based on threat-likely events that are suspicious events on the system. E-Audit first distinguishes the threat-likely events and builds a provenance graph for threat-likely events only. Second, it assesses the APT campaigns, identifies the attack-irrelevant campaigns, and removes the corresponding paths from the graph. The novel sequence-based model assesses the APT campaigns as a sequence to identify the attack-relevant and attack-irrelevant campaigns. We evaluated the effectiveness of E-Audit over the audit logs dataset. We validated it in real-time using audit logs generated over the enterprise network set-up. The experimental results show that E-Audit can distinguish 668 threat-likely events from the 183223 system events in 174 ms on average and effectively detect the APT attacks with 99.71% accuracy and generate the kill chain.