TY - GEN
T1 - HERCULE
T2 - 32nd Annual Computer Security Applications Conference, ACSAC 2016
AU - Pei, Kexin
AU - Gu, Zhongshu
AU - Saltaformaggio, Brendan
AU - Ma, Shiqing
AU - Wang, Fei
AU - Zhang, Zhiwei
AU - Si, Luo
AU - Zhang, Xiangyu
AU - Xu, Dongyan
PY - 2016/12/5
Y1 - 2016/12/5
N2 - Advanced cyber attacks consist of multiple stages aimed at being stealthy and elusive. Such attack patterns leave their footprints spatio-temporally dispersed across many different logs in victim machines. However, existing log-mining intrusion analysis systems typically target only a single type of log to discover evidence of an attack and therefore fail to exploit fundamental inter-log connections. The output of such single-log analysis can hardly reveal the complete attack story for complex, multi-stage attacks. Additionally, some existing approaches require heavyweight system instrumentation, which makes them impractical to deploy in real production environments. To address these problems, we present HERCULE, an automated multi-stage log-based intrusion analysis system. Inspired by graph analytics research in social network analysis, we model multi-stage intrusion analysis as a community discovery problem. HERCULE builds multi-dimensional weighted graphs by correlating log entries across multiple lightweight logs that are readily available on commodity systems. From these, HERCULE discovers any "attack communities" embedded within the graphs. Our evaluation with 15 well known APT attack families demonstrates that HERCULE can reconstruct attack behaviors from a spectrum of cyber attacks that involve multiple stages with high accuracy and low false positive rates.
AB - Advanced cyber attacks consist of multiple stages aimed at being stealthy and elusive. Such attack patterns leave their footprints spatio-temporally dispersed across many different logs in victim machines. However, existing log-mining intrusion analysis systems typically target only a single type of log to discover evidence of an attack and therefore fail to exploit fundamental inter-log connections. The output of such single-log analysis can hardly reveal the complete attack story for complex, multi-stage attacks. Additionally, some existing approaches require heavyweight system instrumentation, which makes them impractical to deploy in real production environments. To address these problems, we present HERCULE, an automated multi-stage log-based intrusion analysis system. Inspired by graph analytics research in social network analysis, we model multi-stage intrusion analysis as a community discovery problem. HERCULE builds multi-dimensional weighted graphs by correlating log entries across multiple lightweight logs that are readily available on commodity systems. From these, HERCULE discovers any "attack communities" embedded within the graphs. Our evaluation with 15 well known APT attack families demonstrates that HERCULE can reconstruct attack behaviors from a spectrum of cyber attacks that involve multiple stages with high accuracy and low false positive rates.
UR - http://www.scopus.com/inward/record.url?scp=85007566147&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85007566147&partnerID=8YFLogxK
U2 - 10.1145/2991079.2991122
DO - 10.1145/2991079.2991122
M3 - Conference contribution
AN - SCOPUS:85007566147
T3 - ACM International Conference Proceeding Series
SP - 583
EP - 595
BT - Proceedings - 32nd Annual Computer Security Applications Conference, ACSAC 2016
PB - Association for Computing Machinery
Y2 - 5 December 2016 through 9 December 2016
ER -