基于系统溯源图的威胁发现与取证分析综述

doi:10.11959/j.issn.1000-436x.2022105

Abstract

Abstract:

By investigating works of literature related to provenance graph research, a research framework for network threat discovery and forensic analysis based on system-level provenance graph was proposed.A detailed overview of data collection, data management, data query, and visualization methods based on provenance graphs was provided.The rule-based, anomaly-based, and learning-based threat detection classification methods were proposed.Threats based on threat intelligence or based on strategy, technology, and process-driven threats hunting methods were summarized.Forensic analysis methods based on causality, sequence learning, language query and semantic reconstruction in special fields were summarized.Finally, the future research trends were pointed out.

Key words: provenance graph, advanced persistent threat, threat discovery, forensic analysis, graph neural network

CLC Number:

TP391

Tao LENG, Lijun CAI, Aimin YU, Ziyuan ZHU, Jian’gang MA, Chaofei LI, Ruicheng NIU, Dan MENG. Review of threat discovery and forensic analysis based on system provenance graph[J]. Journal on Communications, 2022, 43(7): 172-188.

Figures/Tables 7

分类方法		文献	方法	案例研究	评价方案（结果）
	执行单元分区	Ma等^[31]	解析ETW日志为单元，执行后向追踪/前向追踪	错误配置，钓鱼攻击，信息泄露，间谍软件	有效性：匹配正确
		ProPatrol^[92]	应用程序执行单元分区（浏览器、邮件等客户端）	远程访问木马，挂马，CSRF and DNS 重定向，即时消息客户端	找出根源，给出还原的因果关系图
	污点分析	Morse^[46] Newsome等^[94] Yin等^[95]	标签传播，重构场景图入口点识别（后向查询），前向分析	Firefox 后门，浏览器扩展，恶意http请求，CCleaner，勒索软件，横向移动，内核恶意软件	给出攻击案例的溯源场景图（入口点和前向分析）
基于因果关系	记录和重放	RTAG^[26]	跨主机调查	6个攻击场景	信息流匹配事实真相（100%）
	模型推断	LDX^[97],MCI^[98]	代码双执行，MCI利用LDX	钓鱼邮件和伪装的FTP服务器利用InfoZip进行信息窃取	给出利用MCI模型生成的因果图
		PrioTracker^[55]	优先考虑异常依赖边前向追踪	3 个案例攻击图（数据窃取、钓鱼邮件、Shellshock后门）	给出缩减版前向溯源图
	通用溯源	NoDoze^[53]	考虑整个事件链条异常后向查询/前向查询	10 个攻击（数据窃取、Shellshock后门等）	完整性：通过溯源图能找到攻击依赖图的比率。生成精确的警告依赖图（1个88%，9个100%）
		OmegaLog^[22]	修改整个系统溯源图，增加app 日志顶点，形成富含语义、执行分区的通用溯源图	信息泄露攻击，钓鱼邮件	给出传统溯源图和基于OmegaLog的语义溯源图对比
基于序列学习		ATLAS^[102]	序列词法化，采样，序列嵌入，模型学习调查：攻击实体识别，关联攻击事件	10个攻击场景（单主机和跨主机2种场景），1个案例调查（Pony campaign）	实体识别和事件识别的精确率、召回率和 F1 值，案例调查给出恢复攻击序列和溯源图
		AIQL^[71]	AIQL查询语言	APT攻击（5个步骤）	完整攻击：查询次数、事件匹配、调查时间
基于特定领域语言查询		GrAALF^[47]	GrAALF查询语言	3个攻击调查案例（DARPA TC 3）	查询结果图
		APTrace^[56]	BDL查询语言	5 个攻击实例，其中钓鱼邮件和恶意Excel宏病毒作为攻击案例	攻击的分析时间，BDL查询语句，生成依赖图
		WATSON^[50]	上下文语义聚合抽象行为	4个数据集，其中DARPA TC 3 trace，恶意数据集（8个实例）调查案例：配置泄露，内容销毁	行为抽象：F1值为92.8%，精确率为92.8%，召回率为94.2%可视化总结行为实例的信息流
		OmegaLog^[22]	多层日志，执行分区	信息泄露攻击，钓鱼邮件	给出OmegaLog的语义溯源图
基于语义重建		UIScope^[33]	关联系统事件和UI事件	6个真实攻击（钓鱼邮件、远程代码执行、Office 宏病毒、基于凭证的攻击、水坑攻击、内部攻击）	判断是否找到入侵的根源（均正确），提供1个案例（远程代码执行）的溯源图
					1) 攻击取证有效性
		ALchemist^[23]	应用程序日志和系统审计	14个攻击实例（含DARPA TC）	审计级日志：精度为 92.8%，召回率为99.6%
				攻击案例调查：渗出攻击、Azazel攻击	应用级日志：精度为 97.7%，召回率为100%
					2) 攻击案例调查的ALchemist因果图

References 105

[1]	BINDE B E , MCCREE R , O’CONNOR T J , . Assessing outbound traffic to uncover advanced persistent threat[R]. 2011.
[2]	ESHETE B , GJOMEMO R , HOSSAIN M N ,et al. Attack analysis results for adversarial engagement 1 of the DARPA transparent computing program[J]. arXiv Preprint,arXiv:1610.06936, 2016.
[3]	HAN X Y , PASQUIER T , SELTZER M . Provenance-based intrusion detection:opportunities and challenges[C]// Proceedings of the 10th USENIX Conference on Theory and Practice of Provenance. Berkeley:USENIX Association, 2018: 1-3.
[4]	ZAFAR F , KHAN A , SUHAIL S ,et al. Trustworthy data:a survey,taxonomy and future trends of secure provenance schemes[J]. Journal of Network and Computer Applications, 2017,94: 50-68.
[5]	TAN C , WANG Q , WANG L N ,et al. Attack provenance tracing in cyberspace:solutions,challenges and future directions[J]. IEEE Network, 2019,33(2): 174-180.
[6]	LI Z Y , CHEN Q A , YANG R Q ,et al. Threat detection and investigation with system-level provenance graphs:a survey[J]. Computers ＆Security, 2021,106:102282.
[7]	潘亚峰, 朱俊虎, 周天阳 . APT 攻击场景重构方法综述[J]. 信息工程大学学报, 2021,22(1): 55-60,80.
	PAN Y F , ZHU J H , ZHOU T Y . Survey on APT attack scenario reconstruction methods[J]. Journal of Information Engineering University, 2021,22(1): 55-60,80.
[8]	KING S T , CHEN P M . Backtracking intrusions[C]// Proceedings of the 19th ACM Symposium on Operating Systems Principles. New York:ACM Press, 2003: 223-236.
[9]	蹇诗婕, 卢志刚, 杜丹 ,等. 网络入侵检测技术综述[J]. 信息安全学报, 2020,5(4): 96-122.
	JIAN S J , LU Z G , DU D ,et al. Overview of network intrusion detection technology[J]. Journal of Cyber Security, 2020,5(4): 96-122.
[10]	徐嘉涔, 王轶骏, 薛质 . 网络空间威胁狩猎的研究综述[J]. 通信技术, 2020,53(1): 1-8.
	XU J C , WANG Y J , XUE Z . Research on threat hunting in cyberspace[J]. Communications Technology, 2020,53(1): 1-8.
[11]	VALENTINA P . Practical threat intelligence and data-driven threat hunting[M]. Birmingham: Packt Publishing, 2021.
[12]	Secjuice. 5 types of threat hunting[EB]. 2021.
[13]	Secjuice. Breach detection-controlling dwell time is about much more than compliance[EB]. 2021.
[14]	CAN S , CAO P . Lineage file system[EB]. 2021.
[15]	MUNISWAMY-REDDY K K , HOLLAND D A , BRAUN U ,et al. Provenance-aware storage systems[C]// Proceedings of the Annual Conference on USENIX’06 Annual Technical Conference. Berkeley:USENIX Association, 2006: 43-56.
[16]	MUNISWAMY-REDDY K K , BRAUN U , HOLLAND D A ,et al. Layering in provenance systems[C]// Proceedings of the 2009 Conference on USENIX Annual Technical Conference. Berkeley:USENIX Association, 2009: 1-10.
[17]	GEHANI A , TARIQ D . SPADE:support for provenance auditing in distributed environments[C]// Lecture Notes in Computer Science. Berlin:Springer, 2012: 101-120.
[18]	POHLY D J , MCLAUGHLIN S , MCDANIEL P ,et al. Hi-Fi:collecting high-fidelity whole-system provenance[C]// Proceedings of the 28th Annual Computer Security Applications Conference. New York:ACM Press, 2012: 259-268.
[19]	BATES A , TIAN D J , BUTLER K R B ,et al. Trustworthy whole-system provenance for the linux kernel[C]// Proceedings of the 24th USENIX Security Symposium. Berkeley:USENIX Association, 2015: 319-334.
[20]	BATES A , BUTLER K , DOBRA A ,et al. Retrofitting applications with provenance-based security monitoring[J]. arXiv Preprint,arXiv:1609.00266, 2016.
[21]	PASQUIER T , HAN X Y , GOLDSTEIN M ,et al. Practical whole-system provenance capture[C]// Proceedings of the 2017 Symposium on Cloud Computing. New York:ACM Press, 2017: 405-418.
[22]	HASSAN W U , NOUREDDINE M A , DATTA P ,et al. OmegaLog:high-fidelity attack investigation via transparent multi-layer log analysis[C]// Proceedings of 2020 Network and Distributed System Security Symposium. Reston:Internet Society, 2020: 1-16.
[23]	YU L , MA S Q , ZHANG Z ,et al. ALchemist:fusing application and audit logs for precise attack provenance without instrumentation[C]// Proceedings of 2021 Network and Distributed System Security Symposium. Reston:Internet Society, 2021: 1-18.
[24]	XIE Y L , FENG D , LIAO X L ,et al. Efficient monitoring and forensic analysis via accurate network-attached provenance collection with minimal storage overhead[J]. Digital Investigation, 2018,26: 19-28.
[25]	HAAS S , SOMMER R , FISCHER M . Zeek-Osquery:host-network correlation for advanced monitoring and intrusion detection[C]// ICT Systems Security and Privacy Protection. Berlin:Springer, 2020: 248-262.
[26]	JI Y , LEE S , FAZZINI M ,et al. Enabling refinable cross-host attack investigation with efficient data flow tagging and tracking[C]// Proceedings of the 27th USENIX Security Symposium. Berkeley:USENIX Association, 2018: 1705-1722.
[27]	JI Y . Efficient and refinable attack investigation[D]. Atlanta:Georgia Institute of Technology, 2019.
[28]	LEE K H , ZHANG X , XU D Y . High accuracy attack provenance via binary-based execution partition[C]// Proceedings of the 20th Network and Distributed System Security Symposium (NDSS’13). Reston:Internet Society, 2013: 1-16.
[29]	MA S Q , ZHANG X Y , XU D Y . ProTracer:towards practical provenance tracing by alternating between logging and tainting[C]// Proceedings of 2016 Network and Distributed System Security Symposium. Reston:Internet Society, 2016: 1-15.
[30]	MA S Q , ZHAI J , WANG F ,et al. MPI:multiple perspective attack investigation with semantic aware execution partitioning[C]// Proceedings of the 26th USENIX Security Symposium. Berkeley:USENIX Association, 2017: 1111-1128.
[31]	MA S Q , LEE K H , KIM C H ,et al. Accurate,low cost and instrumentation-free security audit logging for windows[C]// Proceedings of the 31st Annual Computer Security Applications Conference. New York:ACM Press, 2015: 401-410.
[32]	LEE K H , ZHANG X Y , XU D Y . LogGC:garbage collecting audit log[C]// Proceedings of the 2013 ACM SIGSAC Conference on Computer ＆ Communications Security. New York:ACM Press, 2013: 1005-1016.
[33]	YANG R Q , MA S Q , XU H T ,et al. UIScope:accurate,instrumentation-free,and visible attack investigation for GUI applications[C]// Proceedings of 2020 Network and Distributed System Security Symposium. Reston:Internet Society, 2020: 1-18.
[34]	MANZOOR E , MILAJERDI S M , AKOGLU L . Fast memory-efficient anomaly detection in streaming heterogeneous graphs[C]// Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. New York:ACM Press, 2016: 1035-1044.
[35]	The CERT Division. Insider threat tools[EB]. 2018.
[36]	KENT A D . Comprehensive,multi-source cyber-security events data set[R]. 2015.
[37]	Transparent computing engagement 5 data release[EB]. 2019.
[38]	ANGELOS K . Transparent computing engagement 3 data release[EB]. 2018.
[39]	ANJUM M M , IQBAL S , HAMELIN B . Analyzing the usefulness of the DARPA OpTC dataset in cyber threat detection research[C]// Proceedings of the 26th ACM Symposium on Access Control Models and Technologies. New York:ACM Press, 2021: 27-32.
[40]	LI Z T , CHENG X , SUN L X ,et al. A hierarchical approach for advanced persistent threat detection with attention-based graph neural networks[J]. Security and Communication Networks,2021, 2021:9961342.
[41]	LI M , LI Q , XUAN G Z ,et al. Identifying compromised hosts under APT using DNS request sequences[J]. Journal of Parallel and Distributed Computing, 2021,152: 67-78.
[42]	LIU F C , WEN Y , ZHANG D X ,et al. Log2vec:a heterogeneous graph embedding based approach for detecting cyber threats within enterprise[C]// Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2019: 1777-1794.
[43]	LIU F C , WEN Y , WU Y N ,et al. MLTracer:malicious logins detection system via graph neural network[C]// Proceedings of 2020 IEEE 19th International Conference on Trust,Security and Privacy in Computing and Communications (TrustCom). Piscataway:IEEE Press, 2021: 715-726.
[44]	COCHRANE T , FOSTER P , CHHABRA V ,et al. SK-Tree:a systematic malware detection algorithm on streaming trees via the signature kernel[C]// Proceedings of 2021 IEEE International Conference on Cyber Security and Resilience. Piscataway:IEEE Press, 2021: 35-40.
[45]	HOSSAIN M N , MILAJERDI S M , WANG J ,et al. SLEUTH:Real-time attack scenario reconstruction from COTS audit data[C]// Proceedings of the 26th USENIX Security Symposium. Berkeley:USENIX Association, 2017: 487-504.
[46]	HOSSAIN M N , SHEIKHI S , SEKAR R . Combating dependence explosion in forensic analysis using alternative tag propagation semantics[C]// Proceedings of 2020 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2020: 1139-1155.
[47]	SETAYESHFAR O , ADKINS C , JONES M ,et al. GrAALF:supporting graphical analysis of audit logs for forensics[J]. Software Impacts, 2021,8:100068.
[48]	MILAJERDI S M , GJOMEMO R , ESHETE B ,et al. HOLMES:real-time APT detection through correlation of suspicious information flows[C]// Proceedings of 2019 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2019: 1137-1152.
[49]	HOSSAIN M N , WANG J , WEISSE O ,et al. Dependence-preserving data compaction for scalable forensic analysis[C]// Proceedings of the 27th USENIX Security Symposium. Berkeley:USENIX Association, 2018: 1723-1740.
[50]	ZENG J , CHUA Z L , CHEN Y F ,et al. WATSON:abstracting behaviors from audit logs via aggregation of contextual semantics[C]// Proceedings of 2021 Network and Distributed System Security Symposium. Reston:Internet Society, 2021: 1-18.
[51]	BERRADA G , CHENEY J , BENABDERRAHMANE S ,et al. A baseline for unsupervised advanced persistent threat detection in system-level provenance[J]. Future Generation Computer Systems, 2020,108: 401-413.
[52]	BENABDERRAHMANE S , BERRADA G , CHENEY J ,et al. A rule mining-based advanced persistent threats detection system[J]. arXiv Preprint,arXiv:2105.10053, 2021.
[53]	HASSAN W U , GUO S J , LI D ,et al. NoDoze:combatting threat alert fatigue with automated provenance triage[C]// Proceedings of 2019 Network and Distributed System Security Symposium. Reston:Internet Society, 2019: 1-15.
[54]	MYNENI S , CHOWDHARY A , SABUR A ,et al. DAPT 2020 - constructing a benchmark dataset for advanced persistent threats[C]// Deployable Machine Learning for Security Defense. Berlin:Springer, 2020: 138-163.
[55]	LIU Y S , ZHANG M , LI D ,et al. Towards a timely causality analysis for enterprise security[C]// Proceedings of 2018 Network and Distributed System Security Symposium. Reston:Internet Society, 2018: 1-15.
[56]	GUI J P , LI D , CHEN Z Z ,et al. APTrace:a responsive system for agile enterprise level causality analysis[C]// Proceedings of 2020 IEEE 36th International Conference on Data Engineering. Piscataway:IEEE Press, 2020: 1701-1712.
[57]	XU Z , WU Z Y , LI Z C ,et al. High fidelity data reduction for big data security dependency analyses[C]// Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2016: 504-516.
[58]	MICHAEL N , MINK J , LIU J ,et al. On the forensic validity of approximated audit logs[C]// Proceedings of Annual Computer Security Applications Conference. New York:ACM Press, 2020: 189-202.
[59]	TANG Y T , LI D , LI Z C ,et al. NodeMerge:template based efficient data reduction for big-data causality analysis[C]// Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2018: 1324-1337.
[60]	HASSAN W U , BATES A , MARINO D . Tactical provenance analysis for endpoint detection and response systems[C]// Proceedings of 2020 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2020: 1172-1189.
[61]	FEI P , LI Z , WANG Z ,et al. SEAL:storage-efficient causality analysis on enterprise logs with query-friendly compression[C]// Proceedings of the 30th USENIX Security Symposium. Berkeley:USENIX Association, 2021: 2987-3004.
[62]	ZHU T T , WANG J Y , RUAN L Q ,et al. General,efficient,and real-time data compaction strategy for APT forensic analysis[J]. IEEE Transactions on Information Forensics and Security, 2021,16: 3312-3325.
[63]	GAO P , SHAO F , LIU X Y ,et al. A system for efficiently hunting for cyber threats in computer systems using threat intelligence[C]// Proceedings of 2021 IEEE 37th International Conference on Data Engineering. Piscataway:IEEE Press, 2021: 2705-2708.
[64]	MILAJERDI S M , ESHETE B , GJOMEMO R ,et al. POIROT:aligning attack behavior with kernel audit records for cyber threat hunting[C]// Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2019: 1795-1812.
[65]	HASSAN W U , LI D , JEE K ,et al. This is why we can’t cache nice things:lightning-fast threat hunting using suspicion-based hierarchical storage[C]// Proceedings of Annual Computer Security Applications Conference. New York:ACM Press, 2020: 165-178.
[66]	MA S Q , ZHAI J , KWON Y ,et al. Kernel-supported cost-effective audit logging for causality tracking[C]// Proceedings of the 2018 USENIX Conference on Usenix Annual Technical Conference. Berkeley:USENIX Association, 2018: 241-254.
[67]	XIE Y L , FENG D , TAN Z P ,et al. Unifying intrusion detection and forensic analysis via provenance awareness[J]. Future Generation Computer Systems, 2016,61: 26-36.
[68]	XIE Y L , FENG D , HU Y C ,et al. Pagoda:a hybrid approach to enable efficient real-time provenance based intrusion detection in big data environments[J]. IEEE Transactions on Dependable and Secure Computing, 2020,17(6): 1283-1296.
[69]	GAO P , XIAO X S , LI Z C ,et al. A query system for efficiently investigating complex attack behaviors for enterprise security[J]. arXiv Preprint,arXiv:1810.03464, 2018.
[70]	PASQUIER T , HAN X Y , MOYER T ,et al. Runtime analysis of whole-system provenance[C]// Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2018: 1601-1616.
[71]	GAO P , XIAO X S , LI Z C ,et al. AIQL:enabling efficient attack investigation from system monitoring data[C]// Proceedings of 2018 USENIX Annual Technical Conference. Berkeley:USENIX Association, 2018: 113-126.
[72]	GAO P , XIAO X S , LI D . SAQL:a stream-based query system for real-time abnormal system behavior detection[C]// Proceedings of the 27th USENIX Security Symposium. Berkeley:USENIX Association, 2018: 639-656.
[73]	GAO P , SHAO F , LIU X Y ,et al. Enabling efficient cyber threat hunting with cyber threat intelligence[C]// Proceedings of 2021 IEEE 37th International Conference on Data Engineering. Piscataway:IEEE Press, 2021: 193-204.
[74]	GAO P , XIAO X S , LI D ,et al. Querying streaming system monitoring data for enterprise system anomaly detection[C]// Proceedings of 2020 IEEE 36th International Conference on Data Engineering. Piscataway:IEEE Press, 2020: 1774-1777.
[75]	XIONG C L , ZHU T T , DONG W H ,et al. Conan:a practical real-time APT detection system with high accuracy and efficiency[J]. IEEE Transactions on Dependable and Secure Computing, 2022,19(1): 551-565.
[76]	DING X , LIU B X , JIANG Z W ,et al. Spear phishing emails detection based on machine learning[C]// Proceedings of 2021 IEEE 24th International Conference on Computer Supported Cooperative Work in Design. Piscataway:IEEE Press, 2021: 354-359.
[77]	DAI J , SUN X Y , LIU P . Patrol:revealing zero-day attack paths through network-wide system object dependencies[C]// European Symposium on Research in Computer Security. Berlin:Springer, 2013: 536-555.
[78]	HAN X Y , PASQUIER T , RANJAN T ,et al. FRAPpuccino:Fault-detection through runtime analysis of provenance[C]// Proceedings of the 9th USENIX Conference on Hot Topics in Cloud Computing. Berkeley:USENIX Association, 2017: 1-18.
[79]	XIE Y L , WU Y F , FENG D ,et al. P-Gaussian:provenance-based Gaussian distribution for detecting intrusion behavior variants using high efficient and real time memory databases[J]. IEEE Transactions on Dependable and Secure Computing, 2021,18(6): 2658-2674.
[80]	HAN X Y , PASQUIER T , BATES A ,et al. Unicorn:runtime provenance-based detector for advanced persistent threats[C]// Proceedings of 2020 Network and Distributed System Security Symposium. Reston:Internet Society, 2020: 1-18.
[81]	SUN X Y , DAI J , LIU P ,et al. Using Bayesian networks for probabilistic identification of zero-day attack paths[J]. IEEE Transactions on Information Forensics and Security, 2018,13(10): 2506-2521.
[82]	HAN X Y , YU X , PASQUIER T ,et al. SIGL:securing software installations through deep graph learning[C]// Proceedings of the 30th USENIX Security Symposium. Berkeley:USENIX Association, 2021: 2345-2362.
[83]	AYOADE G , AKBAR K A , SAHOO P ,et al. Evolving advanced persistent threat detection using provenance graph and metric learning[C]// Proceedings of 2020 IEEE Conference on Communications and Network Security. Piscataway:IEEE Press, 2020: 1-9.
[84]	WANG Q , HASSAN W U , LI D ,et al. You are what you do:hunting stealthy malware via data provenance analysis[C]// Proceedings of 2020 Network and Distributed System Security Symposium. Reston:Internet Society, 2020: 1-17.
[85]	SATVAT K , GJOMEMO R , VENKATAKRISHNAN V N . Extractor:extracting attack behavior from threat reports[C]// 2021 IEEE European Symposium on Security and Privacy (EuroS＆P). Piscataway:IEEE Press, 2021: 598-615.
[86]	ZHAO J , YAN Q B , LIU X D ,et al. Cyber threat intelligence modeling based on heterogeneous graph convolutional network[C]// Proceedings of the 23rd International Symposium on Research in Attacks,Intrusions and Defenses. Berkeley:USENIX Association, 2020: 241-256.
[87]	GAO P , LIU X Y , CHOI E ,et al. A system for automated open-source threat intelligence gathering and management[C]// Proceedings of the 2021 International Conference on Management of Data. New York:ACM Press, 2021: 2716-2720.
[88]	WEI R Z , CAI L J , ZHAO L X ,et al. DeepHunter:a graph neural network based approach for robust cyber threat hunting[C]// Security and Privacy in Communication Networks. Berlin:Springer, 2021: 3-24.
[89]	NOEL S , HARLEY E , TAM K H ,et al. CyGraph:graph-based analytics and visualization for cybersecurity[J]. Handbook of Statistics, 2016,35: 117-167.
[90]	SHU X K , ARAUJO F , SCHALES D L ,et al. Threat intelligence computing[C]// Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2018: 1883-1898.
[91]	KARUNA P , HEMBERG E , O’REILLY U M , ,et al. Automating cyber threat hunting using NLP,automated query generation,and genetic perturbation[J]. arXiv Preprint,arXiv:2104.11576, 2021.
[92]	MILAJERDI S M , ESHETE B , GJOMEMO R ,et al. ProPatrol:attack investigation via extracted high-level tasks[C]// Information Systems Security. Berlin:Springer, 2018: 107-126.
[93]	ALLEN J , YANG Z , LANDEN M ,et al. Mnemosyne:an effective and efficient postmortem watering hole attack investigation system[C]// Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2020: 787-802.
[94]	NEWSOME J , SONG D . Dynamic taint analysis for automatic detection,analysis,and signature generation of exploits on commodity software[C]// Proceedings of the Network and Distributed System Security Symposium. Reston:Internet Society, 2005: 1-17.
[95]	YIN H , SONG D , EGELE M ,et al. Panorama:capturing system-wide information flow for malware detection and analysis[C]// Proceedings of the 14th ACM Conference on Computer and Communications Security. New York:ACM Press, 2007: 116-127.
[96]	JI Y , LEE S , DOWNING E ,et al. RAIN:refinable attack investigation with on-demand inter-process information flow tracking[C]// Pro ceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2017: 377-390.
[97]	KWON Y , KIM D , SUMNER W N ,et al. LDX:causality inference by lightweight dual execution[C]// Proceedings of the 21st International Conference on Architectural Support for Programming Languages and Operating Systems. New York:ACM Press, 2016: 503-515.
[98]	KWON Y , WANG F , WANG W H ,et al. MCI:modeling-based causality inference in audit logging for attack investigation[C]// Proceedings of 2018 Network and Distributed System Security Symposium. Reston:Internet Society, 2018: 1-15.
[99]	PEI K X , GU Z S , SALTAFORMAGGIO B ,et al. HERCULE:attack story reconstruction via community discovery on correlated log graph[C]// Proceedings of the 32nd Annual Conference on Computer Security Applications. New York:ACM Press, 2016: 583-595.
[100]	SHEN Y , MARICONTI E , VERVIER P A ,et al. Tiresias:predicting security events through deep learning[C]// Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM Press, 2018: 592-605.
[101]	SHEN Y , STRINGHINI G . ATTACK2VEC:leveraging temporal word embeddings to understand the evolution of cyberattacks[C]// Proceedings of the 28th USENIX Security Symposium. Berkeley:USENIX Association, 2019: 905-921.
[102]	ALSAHEEL A , NAN Y H , MA S Q ,et al. ATLAS:a sequence-based learning approach for attack investigation[C]// Proceedings of the 30th USENIX Security Symposium. Berkeley:USENIX Association, 2021: 1-18.
[103]	ZONG B , XIAO X S , LI Z C ,et al. Behavior query discovery in system-generated temporal graphs[C]// Proceedings of the VLDB Endowment.[S.l.]: VLDB Endowment, 2015: 240-251.
[104]	潘亚峰, 周天阳, 朱俊虎 ,等. 基于ATT＆CK的APT攻击语义规则构建[J]. 信息安全学报, 2021,6(3): 77-90.
	PAN Y F , ZHOU T Y , ZHU J H ,et al. Construction of APT attack se-mantic rules based on ATT ＆ CK[J]. Journal of Cyber Security, 2021,6(3): 77-90.
[105]	YANG R Q , CHEN X T , XU H T ,et al. RATScope:recording and reconstructing missing RAT semantic behaviors for forensic analysis on windows[J]. IEEE Transactions on Dependable and Secure Computing, 2022,19(3): 1621-1638.

Metrics

Recommended 0

No Suggested Reading articles found!

类型	文献	方法	缩减前与缩减后的比值
		CPR	1.27～3.56
	Xu等^[57]	CPR+PCAR	1.43～5.59
边缩减		CPR+PCAR+DOM	1.46～10.2
	FD-SD^[49]	完全依赖保留	4.46～91.5
		源依赖保留	4.54～122.5
顶点缩减	NodeMerge^[59]	基于模板	4.2～33.7
	Log^[32]	垃圾收集理念	0～77
图缩减	NoDoze^[53]	减掉普通行为	2
	Rapsheet^[60]	2个规则	1.5
图形压缩	SEAL^[61]	友好查询压缩	2.63～12.94
语义保留	GS-SS^[62]	维护全局语义压缩	4.36～13.18
		基于可疑语义压缩	7.86～26.99

方法	论文	检测内容	检测方法/模型	数据集	实时/离线
	SLEUTH^[45]	APT检测	溯源图标签+自定义策略规则	DARPA TC	实时
	Morse^[46]	APT检测（告警）	标签传播，自定义策略规则	DARPA TC	实时
基于规则	HOLMES^[48]	APT检测（多步）	Kill-chain，TTP	DARPA TC	实时
	POIROT^[64]	APT检测（告警）	图模式匹配	DARPA TC	离线
	SAQL^[72]	企业系统异常检测	基于规则查询	采集实时数据	实时
	Patrol^[77]	零日攻击路径	规则匹配	真实企业网络数据	实时
	SteamSpot^[34]	APT检测	聚类：异常分数	SteamSpot	实时
	Pagoda^[68]	检测进程	异常分数（路径异常+图异常）	17个正常和漏洞应用	实时
基于异常	SAQL^[72]	企业系统异常检测	统计异常：基于时间序列、不变值、离群值异常查询	采集实时数据	实时
	FRAPpuccino^[78]	PaaS错误检测	统计异常：时间窗口	CamFlow采集PaaS实例	实时
	P-Gaussian^[79]	检测入侵行为变体	统计异常：（基于证据的高斯分布）	17个正常和漏洞应用+DARPA APT trace	实时
	Unicorn^[80]	APT检测	聚类：图形草图聚类	DARPA TC，StreamSpot	实时
	ZePro^[81]	零日攻击路径	异常路径贝叶斯网络推理	CVE-2008-0166，CVE-2009-2692，CVE-2011-4089	实时
	Li等^[40]	APT检测	注意力图神经网络，深度自编码	LANL，streamspot	离线
基于学习	SIGL^[82]	安全软件安装	Graph LSTM深度自编码	NEC实验室数据	离线
	Ayoade等^[83]	零日攻击	在线度量学习，基于距离的学习	CamFlow采集攻击数据	实时
	ProvDetector^[84]	隐秘的恶意软件	图嵌入，局部离群因子	恶意样本（约15 000个）	实时

文献	实体类型及关系	提取方法	查询方法	数据集	实验评价
POIROT ^[64]	实体类型：进程、文	手动提取查询图	图对齐	MISP、	—
	件、套接字、管道等			STIX
	关系类型：系统调用
ThreatRaptor^[73]	实体类型：进程、文	利用spaCy自动提取IoC和	TBQL查询	DARPA TC3，	实体提取：精确率为 96%，召回率为
	件、套接字	IoC之间的关系，构建威胁		其他CVE案例	97.3%，F1值为96.64%
	关系类型：描述关系	行为图			关系提取：精确率为 96%，召回率为
					89%，F1值为92%
EXTRACTOR^[85]	实体类型：进程、文	自动提取攻击行为图	图对齐	非结构化真实	实体提取：精确率为 90%，召回率为
	件、套接字	实体提取：文本摘要		CTI 报告；	95.8%，F1值为92.8%
	关系类型：系统调用	关系提取：在依赖解析基		DARPATC（公	关系提取：精度为96%，召回率为94%，
		础上，考虑语义角色标签，对应系统审计日志		开数据集）；微软等CTI报告	F1值为95%
HINTI^[86]	实体类型：攻击者、漏	异构信息网络	图卷积网络	安全博客、黑	IoC 实体识别准确率为 98.59%，精确率
	洞、设备、平台、恶意	实体提取：Xpath提取、基		客论坛、cve	为98.72%，微观F1值为98.69%
	文件和攻击类型	于注意力的多粒度识别		数据库等
	关系类型：描述关系	关系提取：定义关系模板
SecurityKG^[87]	实体类型：威胁者、技	自动提取安全知识图	—	OSCTI报告	—
	术、工具、软件、多种类	实体提取：IoC 保护、CRF
	型的IoC	模型关系提取：依赖解析
	关系类型：文本描述

Review of threat discovery and forensic analysis based on system provenance graph

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 7

References 105

Related Articles 7

Metrics

Recommended 0

[1]	Jinyin CHEN, Haiyang XIONG, Haonan MA, Yayu ZHENG. CLB-Defense: based on contrastive learning defense for graph neural network against backdoor attack [J]. Journal on Communications, 2023, 44(4): 154-166.
[2]	Shiwen HE, Jun YUAN, Zhenyu AN, Min ZHANG, Yongming HUANG, Yaoxue ZHANG. GNN-based optimization algorithm for joint user scheduling and beamforming [J]. Journal on Communications, 2022, 43(7): 73-84.
[3]	Xiuzhang YANG, Guojun PENG, Zichuan LI, Yangqi LYU, Side LIU, Chenguang LI. Research on entity recognition and alignment of APT attack based on Bert and BiLSTM-CRF [J]. Journal on Communications, 2022, 43(6): 58-70.
[4]	Yiteng WU, Wei LIU, Hongtao YU. Label flipping adversarial attack on graph neural network [J]. Journal on Communications, 2021, 42(9): 65-74.
[5]	Chenxi LIU, Dong WANG, Huiling CHEN, Renfa LI. Study of forecasting urban private car volumes based on multi-source heterogeneous data fusion [J]. Journal on Communications, 2021, 42(3): 54-64.
[6]	Shaohu DING,Ning QI,Yiwei GUO. Evaluation of mimic defense strategy based on M-FlipIt game model [J]. Journal on Communications, 2020, 41(7): 186-194.
[7]	. Detecting APT attacks: a survey from the perspective of big data analysis [J]. Journal on Communications, 2015, 36(11): 1-14.