Complementary Approaches to Instructable Agents for Advanced Persistent Threats Detection

Huang Juan; An Zhemin; Meckl Steven; Tecuci Gheorghe; Marcu Dorin

首页> 外文期刊>Studies in Informatics and Control >Complementary Approaches to Instructable Agents for Advanced Persistent Threats Detection

【24h】

Complementary Approaches to Instructable Agents for Advanced Persistent Threats Detection

机译：用于高级持续威胁检测的指示剂的互补方法

获取原文

获取原文并翻译 | 示例

掌桥外文数据库（机构版） >>

开具论文收录证明 >>

文献代查 >>

页面导航

摘要
著录项
相似文献
相关主题

摘要

Large CSOCs (cybersecurity operation centers) must analyze tens of thousands of security incidents per day. Not only that there are not enough cybersecurity analysts available but the average cost of a cybersecurity analyst keeps going up. This paper presents a novel approach to the detection of APTs (advanced persistent threats), where an expert cybersecurity analyst directly teaches (rather than programs) a cognitive agent how to investigate cybersecurity alerts, as the analyst would teach a student, through explained examples of investigations. It then presents two complementary instantiations of this approach, as implemented in ADONIS (Automating the ATT&CKTM-based Detection Of Novel Network Intrusions System) and CAAPT (Cognitive Agent for APT detection). ADONIS detects adversary's behavior in terms of MITRE's ATT&CK (Adversarial Tactics, Techniques & Common Knowledge), independent of specific malware and tools. It can therefore detect novel intrusions, but is expected to be less efficient because of the multitude of tactics and techniques that can be employed. CAAPT only detects known malware based on combinations of weak IOCs (indicators of compromise) and, as demonstrated by the experimental results, is efficient. Therefore, once a new malware is detected with ADONIS, its IOCs can be identified and CAAPT can be trained to rapidly detect it. This instructable agents approach promises to significantly reduce the cost of operating the CSOCs and improve their detection performance by automating much of the analysts' investigative activity. It increases the probability of detecting intrusion activity and reduces the false positive detections presented to the analysts who can spend their time on more complex tasks and on teaching the agents.

机译：大型CSOC（网络安全运营中心）必须每天分析成千上万的安全事件。不仅有足够的网络安全分析师可用，但网络安全分析师的平均成本一直在上升。本文提出了一种新颖的检测APTS（高级持续威胁）的方法，其中专家网络安全分析师直接教授（而不是计划）认知代理如何调查网络安全警报，因为分析师将学生教学，通过解释的示例调查。然后，它呈现了这种方法的两个互补实例，如在Adonis中实施的（自动化基于ATT和CKTM的新型网络入侵系统的检测）和CAAPT（用于APT检测的认知剂）。阿多尼斯检测仲裁ATT＆CK（对抗策略，技术和共同知识）的对手的行为，独立于特定恶意软件和工具。因此，它可以检测新颖的入侵，但预计由于可以采用的众多策略和技术，预计会减少效率。 CAAPT仅根据实验结果所证明，基于弱IOC的组合检测已知的恶意软件，并且是有效的。因此，一旦使用ADONIS检测到新的恶意软件，可以识别其IOC，并且可以训练CAAPT以快速检测到它。这种可指导的代理方法有望显着降低经营CSOC的成本，并通过自动化大部分分析师的调查活动来改善其检测性能。它增加了检测入侵活动的概率，并减少了可以在更复杂的任务上和教授代理人的分析师提出的假阳性探测。

著录项

来源
《Studies in Informatics and Control》 |2020年第3期|269-282|共14页
作者
Huang Juan; An Zhemin; Meckl Steven; Tecuci Gheorghe; Marcu Dorin;
展开▼
作者单位

George Mason Univ Learning Agents Ctr Fairfax VA 22030 USA|George Mason Univ Dept Comp Sci Fairfax VA 22030 USA;

George Mason Univ Learning Agents Ctr Fairfax VA 22030 USA|George Mason Univ Dept Comp Sci Fairfax VA 22030 USA;

George Mason Univ Learning Agents Ctr Fairfax VA 22030 USA;

George Mason Univ Learning Agents Ctr Fairfax VA 22030 USA|George Mason Univ Dept Comp Sci Fairfax VA 22030 USA;

George Mason Univ Learning Agents Ctr Fairfax VA 22030 USA;

展开▼
收录信息
原文格式 PDF
正文语种 eng
中图分类
关键词
Cybersecurity; Intrusion detection; Instructable agent; Evidence-based reasoning; Artificial intelligence;

机译：网络安全;入侵检测;指导代理;基于证据的推理;人工智能;

相似文献

外文文献
中文文献
专利

1. A baseline for unsupervised advanced persistent threat detection in system-level provenance [J] . Ghita Berrada, James Cheney, Sidahmed Benabderrahmane, Future generation computer systems . 2020,第Jula期

机译：系统级来源中无监督的高级持续性威胁检测的基准
2. Modeling and detection of the multi-stages of Advanced Persistent Threats attacks based on semi-supervised learning and complex networks characteristics [J] . AaronZimba, Hongsong Chen, Zhaoshun Wang, Future generation computer systems . 2020,第May期

机译：基于半监督学习和复杂网络特征的高级持续威胁攻击的多阶段建模和检测
3. Evidence-Based Detection of Advanced Persistent Threats [J] . Tecuci Gheorghe, Marcu Dorin, Meckl Steven, Computing in science & engineering . 2018,第6期

机译：基于证据的高级持续性威胁检测
4. Two Complementary Network Modeling and Simulation Approaches to Aid in Understanding Advanced Cyber Threats [C] . Stephen Lee-Urban, Elizabeth Whitaker, Mike Riley, International Conference on Applied Human Factors and Ergonomics . 2016

机译：两个互补网络建模和模拟方法，以帮助了解高级网络威胁
5. Examining Cyber Kill Chains as a Detection and Mitigation Method for Advanced Persistent Threats [D] . Saunders, DaRon D. 2020

机译：检查网络杀戮链作为高级持续威胁的检测和缓解方法
6. AULD: Large Scale Suspicious DNS Activities Detection via Unsupervised Learning in Advanced Persistent Threats [O] . Guanghua Yan, Qiang Li, Dong Guo, 2019

机译：AULD：通过高级持续威胁中的无监督学习进行大规模可疑DNS活动检测
7. Complementary Approaches to Instructable Agents for Advanced Persistent Threats Detection [O] . Juan HUANG, Zhemin AN, Steven MECKL, 2020

机译：用于高级持续威胁检测的指示剂的互补方法

Complementary Approaches to Instructable Agents for Advanced Persistent Threats Detection

摘要

著录项

相似文献

相关主题

期刊订阅