Detection and Analysis of Long-Term Threats using Large Dynamic Uncertain Graph Models
Date
2023-04-27
Authors
Quinan, Paulo Gustavo
Abstract
In the past decade, new types of long-term threats, such as the advanced persistent threat (APT), have emerged. Their complexity brings many challenges for the detection and prevention of intrusions and for the forensic analysis that follows them. Yet the intrusion detection systems (IDSs) employed in these tasks work independently of one another, and integrating their alerts with security information and event management systems is mostly an ad hoc process. Forensic analysis is also hampered and becomes exponentially more complex in this scenario.
To address these challenges, this dissertation proposes a new knowledge graph model, called the AEN, that leverages data from both the traditional security ecosystem and beyond the organization perimeter to capture the activities and relationships of network agents, together with their inherent dynamicity and uncertainty. Through that, it increases situational awareness of the threat environment and allows detecting, responding to and investigating sophisticated and stealthy attacks. In practice, the AEN serves as a basis upon which different detection mechanisms, threat analyses and forensic investigations of both novel and known attack patterns can be performed.
To validate those capabilities, three unsupervised intrusion detection mechanisms are proposed: a signature-based scheme that employs an isomorphic subgraph matching algorithm to search for graphical attack patterns in the graph; an anomaly detection mechanism that calculates anomaly scores using the bits of meta-rarity metric over statistical features and underlying distributions extracted from the graph; and a belief propagation mechanism that leverages the alerts from different IDSs that have been inputted into the graph as indicators of compromise, with the goal of obtaining better detection performance than the IDSs achieve by themselves. The latter works by deriving graphs akin to Markov random fields from the main AEN graph and performing probabilistic inference on the derived graphs. Also part of this detection mechanism is a "human-in-the-loop" online parameter adaptation mechanism based on the stochastic gradient descent algorithm, conceived with the aim of reducing the initial burden of selecting the system's parameters and allowing frequent adaptation of parameters in dynamic environments.
The three detection mechanisms were evaluated individually and in combination using two different datasets, namely the ISOT-CID Phase 1 dataset and the CIC-IDS2017 dataset. The results obtained were promising and demonstrated the effectiveness of all three mechanisms according to their expected characteristics. When combined, the three mechanisms obtained an average reduction of over 80% in the number of errors when compared to traditional IDSs such as Snort and Kitsune.
Keywords
Network intrusion detection, Intrusion detection system, Belief propagation, Bayesian network, Uncertain graph, Dynamic graph, Graph database, Subgraph matching, Attack fingerprint, Anomaly detection, Unsupervised machine learning, Network security