LinTracer: An efficient tracking system for cyberattack chains fusing entity and event semantics

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2025-03-11 DOI:10.1016/j.cose.2025.104413

Tiantian Zhu , Wenya He , Tieming Chen , Jiabo Zhang , Mingqi Lv , Hongmei Li , Aohan Zheng , Jie Zheng , Mingjun Ma , Xiangyang Zheng , Zhengqiu Weng , Shuying Wu

{"title":"LinTracer: An efficient tracking system for cyberattack chains fusing entity and event semantics","authors":"Tiantian Zhu , Wenya He , Tieming Chen , Jiabo Zhang , Mingqi Lv , Hongmei Li , Aohan Zheng , Jie Zheng , Mingjun Ma , Xiangyang Zheng , Zhengqiu Weng , Shuying Wu","doi":"10.1016/j.cose.2025.104413","DOIUrl":null,"url":null,"abstract":"<div><div>With the rapid development of information technology, advanced persistent threat (APT) attacks are becoming increasingly prevalent. This form of attack is known for its persistence, diversity, and stealth, and it results in serious security threats and economic losses for various organizations and institutions. In the face of this threat, tracing the attack chain (i.e., attack investigation) is critical to understanding the attacker’s behavior, identifying attack methods and patterns, and taking appropriate defensive measures. However, the current APT attack investigation techniques suffer from insufficient audit log refinement, attack entrance location difficulties, and attack path tracking accuracy challenges. In this paper, we propose LinTracer, which is an efficient attack investigation system based on the ATT&CK attack model for Linux systems that fuses entity and event semantics for cyber-attack chains. First, an auditing mechanism is used to stably collect the kernel data of the target operating system, and data compression techniques are used to refine the log data and reduce the overhead imposed by the attack investigation system. Second, a backward causal analysis is performed from the alarm point to construct a suspicious provenance graph. LinTracer extracts the features used to distinguish between attack events and benign events, calculates the feature scores of the events, and then uses the backward propagation algorithm to propagate the dependency scores backward from the alarm point to identify the attack entry points. Finally, entity semantic labels are designed based on the ATT&CK framework to perform forward label propagation on the attack entry points, ultimately enabling an effective attack investigation. The experimental results derived from laboratory tests and DARPA Engagement (approximately 64 million auditing events obtained from real systems) show that LinTracer has good real-time performance and can accurately identify attack chains.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104413"},"PeriodicalIF":4.8000,"publicationDate":"2025-03-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825001026","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

With the rapid development of information technology, advanced persistent threat (APT) attacks are becoming increasingly prevalent. This form of attack is known for its persistence, diversity, and stealth, and it results in serious security threats and economic losses for various organizations and institutions. In the face of this threat, tracing the attack chain (i.e., attack investigation) is critical to understanding the attacker’s behavior, identifying attack methods and patterns, and taking appropriate defensive measures. However, the current APT attack investigation techniques suffer from insufficient audit log refinement, attack entrance location difficulties, and attack path tracking accuracy challenges. In this paper, we propose LinTracer, which is an efficient attack investigation system based on the ATT&CK attack model for Linux systems that fuses entity and event semantics for cyber-attack chains. First, an auditing mechanism is used to stably collect the kernel data of the target operating system, and data compression techniques are used to refine the log data and reduce the overhead imposed by the attack investigation system. Second, a backward causal analysis is performed from the alarm point to construct a suspicious provenance graph. LinTracer extracts the features used to distinguish between attack events and benign events, calculates the feature scores of the events, and then uses the backward propagation algorithm to propagate the dependency scores backward from the alarm point to identify the attack entry points. Finally, entity semantic labels are designed based on the ATT&CK framework to perform forward label propagation on the attack entry points, ultimately enabling an effective attack investigation. The experimental results derived from laboratory tests and DARPA Engagement (approximately 64 million auditing events obtained from real systems) show that LinTracer has good real-time performance and can accurately identify attack chains.

查看原文本刊更多论文

LinTracer：融合实体和事件语义的高效网络攻击链跟踪系统

随着信息技术的飞速发展，高级持续性威胁（APT）攻击日益猖獗。这种形式的攻击以其持久性、多样性和隐蔽性而闻名，它会给各种组织和机构带来严重的安全威胁和经济损失。面对这种威胁，跟踪攻击链（即攻击调查）对于了解攻击者的行为、识别攻击方法和模式以及采取适当的防御措施至关重要。然而，目前的APT攻击调查技术存在审计日志细化不足、攻击入口定位困难、攻击路径跟踪准确性等问题。本文提出了LinTracer，它是一种基于Linux系统att&ck攻击模型的高效攻击调查系统，融合了网络攻击链的实体和事件语义。首先，利用审计机制稳定地收集目标操作系统的内核数据，并利用数据压缩技术对日志数据进行细化，减少攻击调查系统带来的开销。其次，从报警点开始进行反向因果分析，构建可疑来源图；LinTracer提取用于区分攻击事件和良性事件的特征，计算事件的特征得分，然后使用反向传播算法从告警点向后传播依赖分数，以识别攻击入口点。最后，基于ATT&；CK框架设计实体语义标签，在攻击入口点进行前向标签传播，最终实现有效的攻击调查。来自实验室测试和DARPA参与的实验结果（从真实系统中获得的大约6400万个审计事件）表明，LinTracer具有良好的实时性，可以准确识别攻击链。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.