Annual Computer Security Applications Conference (ACSAC) 2016


HERCULE: Attack Story Reconstruction via Community Discovery on Correlated Log Graph

Advanced cyber attacks consist of multiple stages designed to be stealthy and elusive. Such attack patterns leave footprints that are dispersed in space and time across many different logs on victim machines. However, existing log-mining intrusion analysis systems typically target only a single type of log to discover evidence of an attack and therefore fail to exploit the fundamental connections between logs. The output of such single-log analysis can hardly reveal the complete attack story for complex, multi-stage attacks. Additionally, some existing approaches require heavyweight system instrumentation, which makes them impractical to deploy in real production environments. To address these problems, we present HERCULE, an automated multi-stage log-based intrusion analysis system. Inspired by graph analytics research in social network analysis, we model multi-stage intrusion analysis as a community discovery problem. HERCULE builds multi-dimensional weighted graphs by correlating log entries across multiple lightweight logs that are readily available on commodity systems. From these graphs, HERCULE discovers any "attack communities" embedded within them. Our evaluation with 15 well-known APT attack families demonstrates that HERCULE can reconstruct attack behaviors from a spectrum of multi-stage cyber attacks with high accuracy and low false positive rates.
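The abstract describes two steps: correlating entries from several ordinary logs into one weighted graph whose edges carry a weight per correlation dimension, and then running community discovery over that graph so that the entries belonging to one intrusion fall into one community. The following is an added illustration of those two steps written for this page; it is not HERCULE's code, and the log formats, the three correlation rules (process lineage, shared remote endpoint, temporal proximity), the per-dimension weights and the label-propagation community step are all assumptions of this example rather than the paper's own. The log lines are constructed, not captured from a real system.

```python
"""Correlate entries from several small logs into a weighted graph and split it
into communities.  Added example for this page, not HERCULE's implementation;
rules, weights and log formats are assumptions made for the illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Entry:
    eid: int      # node id in the graph
    log: str      # which log the line came from
    ts: int       # seconds since midnight
    fields: dict  # key=value pairs parsed from the line


# Constructed sample logs (not real captures).  Story: outlook -> winword ->
# powershell resolves a domain and connects out; an unrelated browser session;
# minutes later pid 405 contacts the same remote address as the powershell stage.
LOGS = {
    "proc": [
        "10:00:05 pid=401 ppid=300 exe=outlook.exe",
        "10:00:07 pid=402 ppid=401 exe=winword.exe",
        "10:00:09 pid=403 ppid=402 exe=powershell.exe",
        "10:00:30 pid=404 ppid=300 exe=chrome.exe",
        "10:04:58 pid=405 ppid=300 exe=rundll32.exe",
    ],
    "dns": [
        "10:00:10 pid=403 query=update.bad-cdn.example",
        "10:00:31 pid=404 query=www.example.org",
    ],
    "net": [
        "10:00:11 pid=403 dst=203.0.113.7:443",
        "10:00:32 pid=404 dst=198.51.100.10:443",
        "10:05:00 pid=405 dst=203.0.113.7:443",
    ],
}

# Per-dimension weights: assumed for this example, not taken from the paper.
W_PROCESS, W_NETWORK, W_TIME = 1.0, 2.0, 0.3
TIME_WINDOW = 5  # seconds; entries closer than this get a temporal edge


def parse(logs):
    """Turn every line of every log into an Entry with a numeric timestamp."""
    entries = []
    for log, lines in logs.items():
        for line in lines:
            hms, rest = line.split(" ", 1)
            h, m, s = map(int, hms.split(":"))
            fields = dict(kv.split("=", 1) for kv in rest.split())
            entries.append(Entry(len(entries), log, h * 3600 + m * 60 + s, fields))
    return entries


def correlate(entries):
    """Build the multi-dimensional graph: edges[(i, j)] maps each dimension
    that linked entries i and j to the weight that dimension contributes."""
    edges = defaultdict(dict)
    for a in entries:
        for b in entries:
            if a.eid >= b.eid:
                continue
            fa, fb = a.fields, b.fields
            # process dimension: same pid, or one entry is the other's parent
            if fa["pid"] == fb["pid"] or fa["pid"] == fb.get("ppid") or fb["pid"] == fa.get("ppid"):
                edges[(a.eid, b.eid)]["process"] = W_PROCESS
            # network dimension: same remote endpoint across different entries
            if "dst" in fa and fa["dst"] == fb.get("dst"):
                edges[(a.eid, b.eid)]["network"] = W_NETWORK
            # temporal dimension: close in time
            if abs(a.ts - b.ts) < TIME_WINDOW:
                edges[(a.eid, b.eid)]["time"] = W_TIME
    return edges


def communities(n, edges, max_iter=20):
    """Weighted label propagation.  Nodes are visited in a fixed order so the
    result is deterministic; real label propagation shuffles the order."""
    nbrs = defaultdict(dict)
    for (i, j), dims in edges.items():
        w = sum(dims.values())  # collapse the dimensions into one edge weight
        nbrs[i][j] = nbrs[j][i] = w
    label = list(range(n))
    for _ in range(max_iter):
        changed = False
        for i in range(n):
            score = defaultdict(float)
            for j, w in nbrs[i].items():
                score[label[j]] += w
            if not score:
                continue  # isolated node keeps its own label
            best = min(score, key=lambda l: (-score[l], l))  # ties -> smallest label
            if best != label[i]:
                label[i], changed = best, True
        if not changed:
            break
    groups = defaultdict(list)
    for i, l in enumerate(label):
        groups[l].append(i)
    return sorted(groups.values())


def attack_stories(logs=LOGS):
    """Return each community as a list of Entry objects in time order."""
    entries = parse(logs)
    comms = communities(len(entries), correlate(entries))
    return [sorted((entries[i] for i in c), key=lambda e: e.ts) for c in comms]


if __name__ == "__main__":
    for k, story in enumerate(attack_stories()):
        print(f"community {k}:")
        for e in story:
            print(f"  {e.ts} {e.log} {e.fields}")
```

On the constructed input, the phishing chain, its DNS and network activity and the later rundll32 connection land in one community because the shared remote endpoint edge is heavy enough to pull the second stage in, while the browser session forms its own community. Lowering `W_NETWORK` below the process-plus-time weight of 1.3 splits the two stages apart, which is the kind of weighting decision that determines whether a multi-stage story is reconstructed whole or in fragments.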

Author(s):

Kexin Pei    
Columbia University
United States

Zhongshu Gu    
IBM T.J. Watson Research Center
United States

Brendan Saltaformaggio    
Purdue University
United States

Shiqing Ma    
Purdue University
United States

Fei Wang    
Purdue University
United States

Zhiwei Zhang    
Purdue University
United States

Luo Si    
Purdue University
United States

Xiangyu Zhang    
Purdue University
United States

Dongyan Xu    
Purdue University
United States
