TY - JOUR
T1 - Conan
T2 - A Practical Real-Time APT Detection System with High Accuracy and Efficiency
AU - Xiong, Chunlin
AU - Zhu, Tiantian
AU - Dong, Weihao
AU - Ruan, Linqi
AU - Yang, Runqing
AU - Cheng, Yueqiang
AU - Chen, Yan
AU - Cheng, Shuai
AU - Chen, Xutong
N1 - Publisher Copyright:
© 2004-2012 IEEE.
PY - 2022
Y1 - 2022
N2 - Advanced Persistent Threat (APT) attacks have caused serious security threats and financial losses worldwide. Various real-time detection mechanisms that combine context information and provenance graphs have been proposed to defend against APT attacks. However, existing real-time APT detection mechanisms suffer from accuracy and efficiency issues due to inaccurate detection models and the growing size of provenance graphs. To address the accuracy issue, we propose a novel and accurate APT detection model that removes unnecessary phases and focuses on the remaining ones with improved definitions. To address the efficiency issue, we propose a state-based framework in which events are consumed as streams and each entity is represented in an FSA-like structure without storing historic data. Additionally, we reconstruct attack scenarios by storing just one in a thousand events in a database. Finally, we implement our design, called Conan, on Windows and conduct comprehensive experiments under real-world scenarios to show that Conan can accurately and efficiently detect all attacks within our evaluation. The memory usage and CPU efficiency of Conan remain constant over time (1-10 MB of memory and hundreds of times faster than data generation), making Conan a practical design for detecting both known and unknown APT attacks in real-world scenarios.
KW - Advanced persistent threat
KW - host-based security
KW - real-time detection
UR - http://www.scopus.com/inward/record.url?scp=85123637125&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85123637125&partnerID=8YFLogxK
U2 - 10.1109/TDSC.2020.2971484
DO - 10.1109/TDSC.2020.2971484
M3 - Article
AN - SCOPUS:85123637125
SN - 1545-5971
VL - 19
SP - 551
EP - 565
JO - IEEE Transactions on Dependable and Secure Computing
JF - IEEE Transactions on Dependable and Secure Computing
IS - 1
ER -