Actminer: Applying causality tracking and increment aligning for graph-based threat hunting

Impact factor 7.6 | Zone 1 (Computer Science) | Q1 COMPUTER SCIENCE, ARTIFICIAL INTELLIGENCE
Mingjun Ma, Tiantian Zhu, Shuang Li, Tieming Chen, Mingqi Lv, Zhengqiu Weng, Guolang Chen
Journal: Knowledge-Based Systems, volume 327, Article 114169
DOI: 10.1016/j.knosys.2025.114169
Publication date: 2025-07-24 (Journal Article)
URL: https://www.sciencedirect.com/science/article/pii/S0950705125012109
Citations: 0

Abstract

To defend against advanced persistent threats on the endpoint, threat hunting employs security knowledge, such as cyber threat intelligence (CTI), to continuously analyze system audit logs through retrospective scanning, querying, or pattern matching, aiming to uncover attack patterns/graphs that traditional detection methods (e.g., recognition for point of interest) fail to capture. However, existing threat hunting systems based on provenance graphs face challenges of high false negatives (FNs), high false positives (FPs), and low efficiency when confronted with diverse attack tactics and voluminous audit logs. To address these issues, we propose a system called Actminer, which constructs query graphs from descriptive relationships in CTI reports for precise threat hunting (i.e., graph alignment) on provenance graphs. First, we present a heuristic search strategy based on equivalent semantic transfer to reduce FNs. Second, we establish a filtering mechanism based on causal relationships of attack behaviors to mitigate FPs. Finally, we design a tree structure to incrementally update the alignment results, significantly improving hunting efficiency. Evaluation on the DARPA Engagement dataset demonstrates that compared with the SOTA POIROT, Actminer reduces FPs by 39.1 %, eliminates all FNs, and effectively counters adversarial attacks.
Source journal: Knowledge-Based Systems (Engineering and Technology, Computer Science: Artificial Intelligence)
CiteScore: 14.80
Self-citation rate: 12.50%
Articles published: 1245
Review time: 7.8 months
Journal description: Knowledge-Based Systems, an international and interdisciplinary journal in artificial intelligence, publishes original, innovative, and creative research results in the field. It focuses on knowledge-based systems and systems built on other artificial intelligence techniques. The journal aims to support human prediction and decision-making through data science and computation techniques, provide a balanced coverage of theory and practical study, and encourage the development and implementation of knowledge-based intelligence models, methods, systems, and software tools. Applications in business, government, education, engineering, and healthcare are emphasized.