Actminer: Applying causality tracking and increment aligning for graph-based threat hunting
Mingjun Ma, Tiantian Zhu, Shuang Li, Tieming Chen, Mingqi Lv, Zhengqiu Weng, Guolang Chen
Knowledge-Based Systems, Volume 327, Article 114169 (Journal Article), published 2025-07-24
DOI: 10.1016/j.knosys.2025.114169
URL: https://www.sciencedirect.com/science/article/pii/S0950705125012109
Journal impact factor: 7.6; JCR Q1 (Computer Science, Artificial Intelligence); Region 1 (Computer Science); not open access
Citations: 0
Abstract
To defend against advanced persistent threats on the endpoint, threat hunting employs security knowledge, such as cyber threat intelligence (CTI), to continuously analyze system audit logs through retrospective scanning, querying, or pattern matching, aiming to uncover attack patterns/graphs that traditional detection methods (e.g., point-of-interest detection) fail to capture. However, existing threat hunting systems based on provenance graphs face challenges of high false negatives (FNs), high false positives (FPs), and low efficiency when confronted with diverse attack tactics and voluminous audit logs. To address these issues, we propose a system called Actminer, which constructs query graphs from the descriptive relationships in CTI reports for precise threat hunting (i.e., graph alignment) on provenance graphs. First, we present a heuristic search strategy based on equivalent semantic transfer to reduce FNs. Second, we establish a filtering mechanism based on the causal relationships of attack behaviors to mitigate FPs. Finally, we design a tree structure to incrementally update the alignment results, significantly improving hunting efficiency. Evaluation on the DARPA Engagement dataset demonstrates that, compared with the state-of-the-art system POIROT, Actminer reduces FPs by 39.1%, eliminates all FNs, and effectively counters adversarial attacks.
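The abstract names two of the mechanisms at the heart of graph-based hunting: aligning a query graph derived from a CTI description onto the provenance graph, and then discarding structurally valid alignments whose events do not respect the causal order of the described attack. The following toy is an added illustration of those two ideas in working code; it is not Actminer's implementation (Actminer's equivalent-semantic-transfer search, its filtering rules and its tree-based incremental updates are not reproduced here). The query graph, node labels, process names and audit events are all constructed for the example.

```python
"""Toy graph-alignment threat hunt with a causal-order filter.

Added illustration, not Actminer's code. Node types, relations, the query
graph and every audit event below are constructed for this example.
"""
from typing import Dict, List, Tuple

# One provenance edge: (timestamp, subject, subject_type, relation, object, object_type)
Event = Tuple[int, str, str, str, str, str]

# Constructed audit events (not from any real dataset). Events 5-7 form a
# second structural match in which the connect (t=6) precedes the exec (t=7)
# that supposedly created the connecting process, so it should be filtered.
PROVENANCE: List[Event] = [
    (1, "firefox(4021)", "process", "write", "/tmp/drop.sh", "file"),
    (2, "/tmp/drop.sh", "file", "exec", "bash(4077)", "process"),
    (3, "bash(4077)", "process", "connect", "203.0.113.5:443", "socket"),
    (4, "bash(4077)", "process", "write", "/var/tmp/out.log", "file"),
    (5, "sshd(900)", "process", "write", "/opt/tool.sh", "file"),
    (6, "curl(4100)", "process", "connect", "198.51.100.9:80", "socket"),
    (7, "/opt/tool.sh", "file", "exec", "curl(4100)", "process"),
]

# Query graph hand-built from a CTI-style sentence: "a browser drops a script,
# the script is executed, and the resulting process contacts a remote host".
QUERY_NODES: Dict[str, str] = {
    "browser": "process", "dropper": "file", "payload": "process", "c2": "socket",
}
QUERY_EDGES: List[Tuple[str, str, str]] = [
    ("browser", "write", "dropper"),
    ("dropper", "exec", "payload"),
    ("payload", "connect", "c2"),
]

Alignment = Tuple[Dict[str, str], List[Event]]  # (query node -> entity, matched events)


def candidate_events(rel: str, src_type: str, dst_type: str, events: List[Event]) -> List[Event]:
    """Provenance edges whose relation and endpoint types match one query edge."""
    return [e for e in events if e[3] == rel and e[2] == src_type and e[5] == dst_type]


def structural_alignments(query_nodes: Dict[str, str],
                          query_edges: List[Tuple[str, str, str]],
                          events: List[Event]) -> List[Alignment]:
    """Backtracking subgraph match: every query edge gets one provenance edge,
    the node mapping is consistent across edges and injective (two query
    nodes never collapse onto one entity). Timestamps are ignored here."""
    results: List[Alignment] = []

    def extend(i: int, mapping: Dict[str, str], chosen: List[Event]) -> None:
        if i == len(query_edges):
            results.append((dict(mapping), list(chosen)))
            return
        qs, rel, qd = query_edges[i]
        for ev in candidate_events(rel, query_nodes[qs], query_nodes[qd], events):
            src, dst = ev[1], ev[4]
            if mapping.get(qs, src) != src or mapping.get(qd, dst) != dst:
                continue  # conflicts with an endpoint fixed by an earlier edge
            if (qs not in mapping and src in mapping.values()) or \
               (qd not in mapping and dst in mapping.values()):
                continue  # entity already used by a different query node
            new_keys = [k for k in (qs, qd) if k not in mapping]
            mapping[qs], mapping[qd] = src, dst
            chosen.append(ev)
            extend(i + 1, mapping, chosen)
            chosen.pop()
            for k in new_keys:
                del mapping[k]

    extend(0, {}, [])
    return results


def causally_consistent(query_edges: List[Tuple[str, str, str]], chosen: List[Event]) -> bool:
    """Causal filter: if query edge b starts where query edge a ends, the event
    matched to a must not be observed after the event matched to b."""
    ts = {qe: ev[0] for qe, ev in zip(query_edges, chosen)}
    for a in query_edges:
        for b in query_edges:
            if a[2] == b[0] and ts[a] > ts[b]:
                return False
    return True


def hunt(query_nodes: Dict[str, str], query_edges: List[Tuple[str, str, str]],
         events: List[Event]) -> Tuple[List[Alignment], List[Alignment]]:
    """Return (all structural alignments, those surviving the causal filter)."""
    structural = structural_alignments(query_nodes, query_edges, events)
    confirmed = [(m, c) for m, c in structural if causally_consistent(query_edges, c)]
    return structural, confirmed


if __name__ == "__main__":
    structural, confirmed = hunt(QUERY_NODES, QUERY_EDGES, PROVENANCE)
    print(f"{len(structural)} structural match(es), {len(confirmed)} after causal filtering")
    for mapping, _ in confirmed:
        print("  ", " -> ".join(mapping[n] for n in ("browser", "dropper", "payload", "c2")))
```

On the constructed log the structural pass finds two shape-identical chains; the causal pass keeps only the firefox -> /tmp/drop.sh -> bash(4077) -> 203.0.113.5:443 chain, because in the other one the process was already connecting out before the exec edge that created it. That is the kind of false positive a pure pattern matcher reports and a causality-aware filter rejects; a real system must also handle the many-to-many candidate explosion and re-run efficiently as new events arrive, which is what the paper's heuristic search and incremental tree structure address.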
Journal description:
Knowledge-Based Systems, an international and interdisciplinary journal in artificial intelligence, publishes original, innovative, and creative research results in the field. It focuses on systems built on knowledge-based and other artificial intelligence techniques. The journal aims to support human prediction and decision-making through data science and computation techniques, to provide balanced coverage of theory and practical study, and to encourage the development and implementation of knowledge-based intelligence models, methods, systems, and software tools. Applications in business, government, education, engineering, and healthcare are emphasized.