NLP-D18-POIROT: so frustrating, a lot of what I wrote was never saved

— From 0500 onward every task has to be guarded tightly!!
Time to start reading the paper!!!

I. POIROT: Aligning attack behavior with kernel audit records for cyber threat hunting

(1) Abstract:
1. Original text
Cyber threat intelligence (CTI) is being used to search for indicators of attacks that might have compromised an enterprise network for a long time without being discovered. To have a more effective analysis, CTI open standards have incorporated descriptive relationships showing how the indicators or observables are related to each other. However, these relationships are either completely overlooked in information gathering or not used for threat hunting. In this paper, we propose a system, called Poirot, which uses these correlations to uncover the steps of a successful attack campaign. We use kernel audits as a reliable source that covers all causal relations and information flows among system entities and model threat hunting as an inexact graph pattern matching problem. Our technical approach is based on a novel similarity metric which assesses an alignment between a query graph constructed out of CTI correlations and a provenance graph constructed out of kernel audit log records. We evaluate Poirot on publicly released real-world incident reports as well as reports of an adversarial engagement designed by DARPA, including ten distinct attack campaigns against different OS platforms such as Linux, FreeBSD, and Windows. Our evaluation results show that Poirot is capable of searching inside graphs containing millions of nodes and pinpoint the attacks in a few minutes, and the results serve to illustrate that CTI correlations could be used as robust and reliable artifacts for threat hunting.
2. Brief translation
**Background:** CTI is currently used to search for indicators of attacks that have lurked in an enterprise network for a long time without being discovered. To get a more effective analysis, CTI open standards have incorporated descriptive relationships that explain how indicators and observables relate to each other.
**Problem:**
These relationships are either completely ignored during information gathering or never used for threat hunting.
In this paper we propose a system called POIROT, which uses these relationships to uncover the steps of a successful attack.
**Method:**
Use kernel audits as a reliable data source, since they cover all causal relations and information flows among system entities; model threat hunting as an inexact graph pattern matching problem.
Use a similarity metric to compare the query graph built from CTI relationships against the provenance graph built from kernel audit records.
**Experimental dataset:**
Real-world incident reports + DARPA adversarial engagement data
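As an added illustration (not the paper's code, nor anything from this blog), here is a toy Python version of the alignment the abstract describes: a query graph derived from a CTI report is matched inexactly against a provenance graph built from a few constructed kernel-audit-style events, and the similarity is simply the fraction of the report's flows that are realised by some path in the provenance graph. All node names, events, the query graph and the scoring rule are constructed for this example; Poirot's real similarity metric is different.

```python
# Added example (not Poirot's or the blog's code): a toy CTI-query-graph vs kernel-provenance-graph
# alignment in the spirit of the abstract; events, ids and the scoring rule are constructed.
from collections import defaultdict
from itertools import product
# Constructed kernel-audit-style events: (subject process, syscall, object).
AUDIT_EVENTS = [
    ("proc:wget",    "recv",  "ip:203.0.113.5"),
    ("proc:wget",    "write", "file:/tmp/dropper"),
    ("proc:dropper", "exec",  "file:/tmp/dropper"),
    ("proc:dropper", "read",  "file:/etc/passwd"),
    ("proc:dropper", "send",  "ip:203.0.113.9"),
    ("proc:sshd",    "read",  "file:/etc/passwd"),  # benign noise
]
FLOW_IN = {"read", "recv", "exec"}  # object -> subject; otherwise subject -> object

def build_provenance(events):
    """Directed graph of information flows among system entities."""
    flows = defaultdict(set)
    for subj, call, obj in events:
        src, dst = (obj, subj) if call in FLOW_IN else (subj, obj)
        flows[src].add(dst)
        flows.setdefault(dst, set())  # keep sink-only nodes as candidates
    return flows

# Constructed query graph from a CTI report: node -> (type, optional IoC label);
# edge (u, v) means the report says information flows from u to v.
QUERY_NODES = {"c2": ("ip", None), "downloader": ("proc", None), "payload": ("file", None),
               "implant": ("proc", None), "creds": ("file", "file:/etc/passwd")}
QUERY_EDGES = [("c2", "downloader"), ("downloader", "payload"),
               ("payload", "implant"), ("creds", "implant"), ("implant", "c2")]

def reachable(flows, src, dst, hops):
    """Inexact match: a query edge may be realised by any path of <= hops flows."""
    frontier = {src}
    for _ in range(hops):
        frontier = {n for f in frontier for n in flows[f]}
        if dst in frontier:
            return True
    return False

def best_alignment(flows, hops=3):
    """Score every injective, type-consistent alignment (fine for toy sizes)."""
    cands = [[n for n in flows if n.startswith(t + ":") and lbl in (None, n)]
             for t, lbl in QUERY_NODES.values()]
    best = (0.0, {})
    for combo in filter(lambda c: len(set(c)) == len(c), product(*cands)):
        align = dict(zip(QUERY_NODES, combo))
        hits = sum(reachable(flows, align[u], align[v], hops) for u, v in QUERY_EDGES)
        best = max(best, (hits / len(QUERY_EDGES), align), key=lambda b: b[0])
    return best
```

Calling `best_alignment(build_provenance(AUDIT_EVENTS))` scores 0.8: four of the five reported flows are found, while the report's claim that the implant talks back to the same C2 address is not borne out by the audit trail, which is exactly the kind of imperfect match an inexact graph alignment is meant to tolerate.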
