Conan: A Practical Real-Time APT Detection System With High Accuracy and Efficiency
2020; IEEE Computer Society; Volume: 19; Issue: 1; Language: English
DOI: 10.1109/tdsc.2020.2971484
ISSN: 2160-9209
Authors: Chunlin Xiong, Tiantian Zhu, Wei-Hao Dong, Linqi Ruan, Runqing Yang, Yueqiang Cheng, Yan Chen, Shuai Cheng, Xutong Chen
Topic(s): Anomaly Detection Techniques and Applications
Abstract: Advanced Persistent Threat (APT) attacks have caused serious security threats and financial losses worldwide. Various real-time detection mechanisms that combine context information and provenance graphs have been proposed to defend against APT attacks. However, existing real-time APT detection mechanisms suffer from accuracy and efficiency issues due to inaccurate detection models and the growing size of provenance graphs. To address the accuracy issue, we propose a novel and accurate APT detection model that removes unnecessary phases and focuses on the remaining ones with improved definitions. To address the efficiency issue, we propose a state-based framework in which events are consumed as streams and each entity is represented in an FSA-like structure without storing historic data. Additionally, we reconstruct attack scenarios by storing just one in a thousand events in a database. Finally, we implement our design, called Conan, on Windows and conduct comprehensive experiments under real-world scenarios to show that Conan can accurately and efficiently detect all attacks within our evaluation. The memory usage and CPU efficiency of Conan remain constant over time (1-10 MB of memory and hundreds of times faster than data generation), making Conan a practical design for detecting both known and unknown APT attacks in real-world scenarios.