Researchers point out that APTs (Advanced Persistent Threats) cause financial harm to organizations. For APT modeling, provenance graphs may be used to cut down on these losses and make detection better. This shows how important real-time systems are.
Current online systems prioritize simplicity but create complex graphs, making it tough for administrators to interpret results.
The following cybersecurity researchers from their respective universities and organizations recently designed a first-ever online system for APT attack detection, “NODLINK”:-
- Shaofei Li (Key Laboratory of High-Confidence Software Technologies (MOE))
- Feng Dong (Huazhong University of Science and Technology)
- Xusheng Xiao (Arizona State University)
- Haoyu Wang (Huazhong University of Science and Technology)
- Fei Shao (Case Western Reserve University)
- Jiedong Chen (Sangfor Technologies Inc.)
- Yao Guo (Key Laboratory of High-Confidence Software Technologies (MOE))
- Xiangqun Chen (Key Laboratory of High-Confidence Software Technologies (MOE))
- Ding Li (Key Laboratory of High-Confidence Software Technologies (MOE))
Technical Analysis
To combat APT attacks, practitioners and researchers analyze system events in provenance data. Current systems mainly offer postmortem analysis, causing delays and significant financial losses.
Researchers create online systems for real-time APT detection, which offers quick responses and fewer false positives, enhancing APT investigation efficiency.
Creating accurate, cost-effective online APT detection is challenging. Provenance-based systems need to balance accuracy, timeliness, and resource constraints.
Ensure your Cyber Resiliance with the recent wave of cyber-attacks targeting the financial services sector. Almost 60% respondents not confident to recover fully from a cyber attack.
Researchers deploy NODLINK to Sangfor’s SOC and test it in real-world scenarios, outperforming HOLMES and UNICORN in detecting attacks with fewer false positives.
Online STP aims to minimize costs while connecting revealed vertices in a graph. It’s an NP-complete problem with fixed approximation.
NODLINK is an online APT detection system that processes provenance event streams to produce concise alert graphs and, via the following four phases, detects the anomalies every 10 seconds:-
- In Memory Cache Building
- Terminal Identification
- Hopset Construction
- Comprehensive Detection
To detect long-term attacks, NODLINK stores node information in a graph database and uses unique md5 values for retrieval. This allows it to detect entire APT attack campaigns.
NODLINK uses a VAE model to assess process nodes’ anomaly scores for terminal detection. It measures the difference between input and reconstructed vectors, mitigating false positives for unstable processes.
For NODLINK to be able to find things online, it needs to train its FastText, VAE, and SV models offline and use historical data to set thresholds for oddities.
However, apart from this, NODLINK remains robust to minor attack data in training sets due to Grubbs’s test and VAE. Testing with polluted datasets confirmed its accuracy and it’s versatile across various operating systems.
Apart from this, NODLINK offers fine-grained APT detection in real-time, outperforming existing systems by efficiently allocating resources to suspicious events.
Patch Manager Plus: Automatically Patch over 850 third-party applications quickly – Try Free Trial.
Also Read:
New BLISTER Malware Leverages Valid Code Signing Certificates to Evade Detection
Hackers Behind the Emotet Malware Now Attacking Government Entities