We propose APTHunter, a system for prompt detection of Advanced Persistent Threats (APTs) in their early stages. We provide an approach for representing the indicators of compromise that appear in cyber threat intelligence reports, and the relationships among them, as provenance queries that capture the attacker's malicious behavior. We use the kernel audit log as a reliable source of system activity and develop an optimized whole-system provenance graph that records the causal relationships and information flows among system entities in a compact format. We then model threat hunting as a behavior-matching problem: the provenance queries are applied to the optimized provenance graph, and any hit is treated as an indicator of an APT attack. We evaluate APTHunter on adversarial engagements from DARPA across different OS platforms, as well as on real-world APT campaigns. Based on our experimental results, APTHunter promptly and reliably detects attack artifacts in early stages.
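The behavior-matching idea above, as an added illustration that is not the paper's own code: a toy provenance graph is built from constructed audit-style events, and a provenance query (a causal chain of relations, in the spirit of an IoC chain from a threat report) is matched against it. All entity names and the query itself are constructed for the example.

```python
from collections import defaultdict

# Constructed audit-style events: (subject, relation, object). A real system would
# derive these from kernel audit records (execve, write, connect, ...).
AUDIT_EVENTS = [
    ("proc:mailclient", "exec", "proc:wordproc"),
    ("proc:wordproc", "write", "file:/tmp/dropped.bin"),   # constructed path
    ("proc:wordproc", "exec", "proc:dropped"),
    ("proc:dropped", "read", "file:/tmp/dropped.bin"),
    ("proc:dropped", "connect", "net:203.0.113.7:443"),    # documentation address
    ("proc:browser", "write", "file:/home/u/notes.txt"),   # benign activity
]

def build_graph(events):
    """Adjacency list: subject -> [(relation, object)], i.e. the provenance graph."""
    graph = defaultdict(list)
    for subj, rel, obj in events:
        graph[subj].append((rel, obj))
    return graph

def match_query(graph, start_pred, query):
    """Return every causal chain whose start satisfies start_pred and whose
    successive edges satisfy each (relation, object_predicate) step in order."""
    hits = []
    def walk(node, i, path):
        if i == len(query):
            hits.append(path)
            return
        rel, pred = query[i]
        for r, obj in graph.get(node, []):
            if r == rel and pred(obj) and obj not in path:   # avoid cycles
                walk(obj, i + 1, path + [obj])
    for node in list(graph):
        if start_pred(node):
            walk(node, 0, [node])
    return hits

def hunt(events=AUDIT_EVENTS):
    """Constructed query: a mail client spawns a process that spawns another
    process which then opens an outbound network connection."""
    is_proc = lambda n: n.startswith("proc:")
    is_net = lambda n: n.startswith("net:")
    query = [("exec", is_proc), ("exec", is_proc), ("connect", is_net)]
    return match_query(build_graph(events), lambda n: n == "proc:mailclient", query)

if __name__ == "__main__":
    for chain in hunt():
        print(" -> ".join(chain))
```

The benign browser write never matches because the query requires the specific exec/exec/connect chain, while the constructed drop-and-beacon sequence yields one hit.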
Mahmoud, M., Mannan, M., & Youssef, A. (2023). APTHunter: Detecting Advanced Persistent Threats in Early Stages. Digital Threats: Research and Practice, 4(1). https://doi.org/10.1145/3559768