Commander: A robust cross-machine multi-phase Advanced Persistent Threat detector via provenance analytics
Authors: Qi Liu, Kaibin Bao, Veit Hagenmeyer
Journal: Journal of Information Security and Applications, volume 91, article 104057
DOI: 10.1016/j.jisa.2025.104057
Publication date: 2025-04-29
Publication type: Journal article
Open access: no
URL: https://www.sciencedirect.com/science/article/pii/S2214212625000948
Citations: 0
Abstract
Intrusion detection systems (IDS) have traditionally focused on identifying malicious behaviors caused by malware undertaking a series of suspicious activities within a short time. Facing Advanced Persistent Threat (APT) actors employing the so-called low-and-slow strategy, defenders are often blindsided by the poor performance of these IDS. Provenance-based IDS (PIDS) emerged as a promising solution for reducing false alerts, detecting true attacks, and facilitating attack investigation, by causally linking and contextualizing indicative system activities in provenance graphs. However, most existing PIDS can detect neither multi-phase nor cross-machine APT attacks, enabled by persistence and lateral movement techniques, respectively. In the present work, we propose a new PIDS called Commander, which is, to our knowledge, the first system capable of detecting cross-machine multi-phase APT attacks. Further, Commander targets several evasion attacks that can bypass existing PIDS, making it more robust. In addition, Commander can perform whole-network tracing for cross-machine multi-phase APT attacks across an industrial-sector organization, for which we additionally develop parsers for system logs of popular industrial controllers. We also develop detection rules with reference to MITRE’s knowledge base for industrial control systems. Our evaluations show that Commander accurately detects attacks, outperforms existing detection systems, and delivers succinct and insightful attack graphs.
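The abstract rests on three provenance-analytics mechanics: events are causally linked in a graph, per-host graphs are stitched into one network-wide graph so that lateral movement can be followed, and tracing respects time so that a phase executed days after the initial compromise is still connected to it. The following Python sketch is an added illustration of those mechanics in their textbook form; it is not the paper's code and makes no claim about how Commander itself works. All hosts, process names, paths, IP addresses, timestamps and the alert node are constructed for the example. Socket nodes are keyed by the connection tuple, so the client-side record on host A and the server-side record on host B resolve to the same node, which is what joins the two per-host graphs.

```python
"""Provenance-graph tracing across hosts: an added illustration of causal linking,
cross-machine stitching and time-respecting multi-phase tracing. This is NOT the
paper's code or Commander's algorithm; every host, process, path, address and
day below is constructed for the example."""
from collections import defaultdict


def sock(cli_ip, cli_port, srv_ip, srv_port):
    """Socket node keyed by the connection tuple, so the client-side record on one
    host and the server-side record on another collapse into a single node."""
    return f"sock:{cli_ip}:{cli_port}->{srv_ip}:{srv_port}"


C2 = sock("10.0.0.5", 51000, "203.0.113.7", 443)   # host A beacon to C2 (constructed)
SMB = sock("10.0.0.5", 52000, "10.0.0.8", 445)     # host A -> host B over SMB (constructed)
ALERT_NODE = "file:B:\\Windows\\Tasks\\sync.job"    # where a persistence rule fires

# Constructed audit records: (host, day, src, dst), information flowing src -> dst.
EVENTS = [
    # Phase 1, day 1: phishing document on host A, beacon, persistence written
    ("A", 1, "proc:A:outlook.exe", "file:A:invoice.docm"),
    ("A", 1, "file:A:invoice.docm", "proc:A:winword.exe"),
    ("A", 1, "proc:A:winword.exe", "proc:A:powershell.exe"),
    ("A", 1, "proc:A:powershell.exe", C2),
    ("A", 1, C2, "proc:A:powershell.exe"),
    ("A", 1, "proc:A:powershell.exe", "file:A:startup\\update.bat"),
    # Phase 2, day 9: persistence fires, lateral movement, new persistence on host B
    ("A", 9, "file:A:startup\\update.bat", "proc:A:cmd.exe"),
    ("A", 9, "proc:A:cmd.exe", "proc:A:psexec.exe"),
    ("A", 9, "proc:A:psexec.exe", SMB),
    ("B", 9, SMB, "proc:B:services.exe"),
    ("B", 9, "proc:B:services.exe", "proc:B:psexesvc.exe"),
    ("B", 9, "proc:B:psexesvc.exe", ALERT_NODE),
    # Day 10: the scheduled task runs (impact of the alert node)
    ("B", 10, ALERT_NODE, "proc:B:taskeng.exe"),
    # Benign activity that a correct trace must leave out
    ("A", 2, "proc:A:explorer.exe", "file:A:notes.txt"),
    ("B", 9, "proc:B:services.exe", "file:B:\\Windows\\Temp\\svc.log"),
    ("A", 12, "proc:A:chrome.exe", "proc:A:powershell.exe"),  # later than the cause
]


def build_graph(events):
    """Forward and backward adjacency; edge payload is (neighbour, day, host)."""
    fwd, bwd = defaultdict(list), defaultdict(list)
    for host, day, src, dst in events:
        fwd[src].append((dst, day, host))
        bwd[dst].append((src, day, host))
    return fwd, bwd


def backward_slice(bwd, node, day):
    """Edges that can causally precede `node` as of `day`. An edge into n counts
    only if it is not later than the edge we left n by; this time bound is what
    keeps the day-12 chrome.exe event out of the day-1 powershell.exe cause set."""
    bound, edges, stack = {}, set(), [(node, day)]
    while stack:
        n, tmax = stack.pop()
        if bound.get(n, -1) >= tmax:      # already explored with a looser bound
            continue
        bound[n] = tmax
        for src, t, host in bwd.get(n, ()):
            if t <= tmax:
                edges.add((src, n, t, host))
                stack.append((src, t))
    return edges


def forward_slice(fwd, node, day):
    """Mirror image: everything `node` could have influenced from `day` onwards."""
    bound, edges, stack = {}, set(), [(node, day)]
    while stack:
        n, tmin = stack.pop()
        if bound.get(n, float("inf")) <= tmin:
            continue
        bound[n] = tmin
        for dst, t, host in fwd.get(n, ()):
            if t >= tmin:
                edges.add((n, dst, t, host))
                stack.append((dst, t))
    return edges


def attack_graph(events, alert_node, alert_day):
    """Backward slice for root cause plus forward slice for impact. Returns the
    edge set, the hosts it spans and the sorted days it spans (the phases)."""
    fwd, bwd = build_graph(events)
    edges = backward_slice(bwd, alert_node, alert_day) | forward_slice(fwd, alert_node, alert_day)
    hosts = {h for _, _, _, h in edges}
    days = sorted({t for _, _, t, _ in edges})
    return edges, hosts, days


def render(edges):
    """Succinct, chronologically ordered listing of the attack graph."""
    ordered = sorted(edges, key=lambda e: (e[2], e[3], e[0]))
    return [f"day {t:>2} [{h}] {s} -> {d}" for s, d, t, h in ordered]


if __name__ == "__main__":
    edges, hosts, days = attack_graph(EVENTS, ALERT_NODE, 9)
    print(f"{len(edges)} edges across hosts {sorted(hosts)}, days {days}")
    print("\n".join(render(edges)))
```

Running it from the alert on host B yields a graph that starts at outlook.exe on host A on day 1, crosses to host B through the SMB socket node on day 9, and ends at the scheduled task firing on day 10, while the explorer.exe write, the services.exe log write and the later chrome.exe event stay out. The time bound in the two slices is the part practitioners most often get wrong; without it, every process that ever touched powershell.exe or services.exe becomes an ancestor, which is the dependency explosion that makes naive provenance graphs unreadable.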
Journal description:
Journal of Information Security and Applications (JISA) focuses on the original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.