Zehui Wang, Hao Li, Yinhao Qi, Wei Qiao, Song Liu, Chen Zhang, Bo Jiang, Zhigang Lu
Journal: Computers & Security, Volume 157, Article 104563
DOI: 10.1016/j.cose.2025.104563
Published: 2025-07-03 (Journal Article)
URL: https://www.sciencedirect.com/science/article/pii/S0167404825002524
Indexing: JCR Q1, Computer Science, Information Systems
PathWatcher: A path-based behavior detection method for attack detection and investigation
Advanced Persistent Threats (APTs) comprise complex and stealthy attack techniques. Because system audit logs capture system-level process calls and provide granular log data, using audit logs for causal analysis of advanced threat behaviors has become a popular solution. However, existing solutions still suffer from several deficiencies: (1) semantic gaps between raw data in low-level views and high-level system behaviors, (2) alert fatigue, and (3) poor interpretability and inferability.
In this paper, we propose PathWatcher, a path-based behavior detection method that enables attack investigation based on detection results. PathWatcher enhances low-level semantics by combining operation sequences, extracting paths as behavioral entities from the provenance graph, and learning path features. This approach reduces the semantic gap between low-level data and high-level system behaviors. PathWatcher first performs graph construction and path extraction in the graph construction module, followed by feature learning of nodes and paths in the behavioral sequence extraction module; the data generated during this process is stored in the path record according to a fixed rule. Finally, the data from the path record is used for feature extraction and path tracing in the behavior identification and attack clues module. This model exhibits strong inferability and interpretability by matching paths to operational behaviors in logs. This allows security researchers to combine path records and investigate attacks directly using high-level semantics, thereby alleviating alert fatigue. Our experimental results demonstrate that PathWatcher effectively improves the detection accuracy of malicious behaviors while enhancing semantic interpretability. The detection results are inferable, achieving accuracies of 99.76% and 99.07% on two datasets, and we provide an analysis of attack investigations.
Journal description:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading-edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.