MPCA: Constructing the APTs provenance graphs through multi-perspective confidence and association

IF 3.8 2区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

Information and Software Technology Pub Date : 2025-01-13 DOI:10.1016/j.infsof.2025.107670

Zhao Zhang , Senlin Luo , Yingdan Guan , Limin Pan

{"title":"MPCA: Constructing the APTs provenance graphs through multi-perspective confidence and association","authors":"Zhao Zhang , Senlin Luo , Yingdan Guan , Limin Pan","doi":"10.1016/j.infsof.2025.107670","DOIUrl":null,"url":null,"abstract":"<div><div>The forensic analysis of Advanced Persistent Threats (APTs) attacks is crucial for maintaining cybersecurity. To address the challenges posed by the high complexity and strong concealment of APT attacks, provenance graph based on inter entity dependencies are used for forensic investigation. However, under long-term persistent attacks, entities with semantically consistent behavior patterns become excessively redundant, leading to an explosion of inter entity dependencies and a decrease in forensic efficiency. In addition, the implicit relationships within and between events are not fully represented, and alarm information spreads to neighboring benign events, making it difficult to accurately reconstruct attack scenario. In this paper, we propose an APT attack attribution method MPCA that combines multi-perspective confidence and association. Firstly, by merging parallel branches with semantically consistent behavior patterns in the process connected subgraph, redundant entities and their dependencies are reduced. Secondly, event confidence is estimated to exclude benign events, the association between events and alarms is analyzed to highlight attack events. Experimental results demonstrate that MPCA achieves state-of-the-art performance. MPCA can improve the efficiency of constructing attack scenario graphs, reduce false positive and false negative rates, and demonstrate greater adaptability in attack attribution tasks.</div></div>","PeriodicalId":54983,"journal":{"name":"Information and Software Technology","volume":"180 ","pages":"Article 107670"},"PeriodicalIF":3.8000,"publicationDate":"2025-01-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Information and Software Technology","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0950584925000096","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

The forensic analysis of Advanced Persistent Threats (APTs) attacks is crucial for maintaining cybersecurity. To address the challenges posed by the high complexity and strong concealment of APT attacks, provenance graph based on inter entity dependencies are used for forensic investigation. However, under long-term persistent attacks, entities with semantically consistent behavior patterns become excessively redundant, leading to an explosion of inter entity dependencies and a decrease in forensic efficiency. In addition, the implicit relationships within and between events are not fully represented, and alarm information spreads to neighboring benign events, making it difficult to accurately reconstruct attack scenario. In this paper, we propose an APT attack attribution method MPCA that combines multi-perspective confidence and association. Firstly, by merging parallel branches with semantically consistent behavior patterns in the process connected subgraph, redundant entities and their dependencies are reduced. Secondly, event confidence is estimated to exclude benign events, the association between events and alarms is analyzed to highlight attack events. Experimental results demonstrate that MPCA achieves state-of-the-art performance. MPCA can improve the efficiency of constructing attack scenario graphs, reduce false positive and false negative rates, and demonstrate greater adaptability in attack attribution tasks.

查看原文本刊更多论文

求助全文

约1分钟内获得全文求助全文

来源期刊

Information and Software Technology 工程技术-计算机：软件工程

CiteScore

9.10

自引率

7.70%

发文量

164

审稿时长

9.6 weeks

期刊介绍： Information and Software Technology is the international archival journal focusing on research and experience that contributes to the improvement of software development practices. The journal''s scope includes methods and techniques to better engineer software and manage its development. Articles submitted for review should have a clear component of software engineering or address ways to improve the engineering and management of software development. Areas covered by the journal include: • Software management, quality and metrics, • Software processes, • Software architecture, modelling, specification, design and programming • Functional and non-functional software requirements • Software testing and verification & validation • Empirical studies of all aspects of engineering and managing software development Short Communications is a new section dedicated to short papers addressing new ideas, controversial opinions, "Negative" results and much more. Read the Guide for authors for more information. The journal encourages and welcomes submissions of systematic literature studies (reviews and maps) within the scope of the journal. Information and Software Technology is the premiere outlet for systematic literature studies in software engineering.