Advanced Persistent Threats (APTs) are stealthy cyberattacks that often evade detection in system-level audit logs. Provenance graphs model these logs as connected entities and events, revealing relationships that are missed by linear log representations. Existing systems apply anomaly detection to these graphs but often suffer from high false positive rates and coarse-grained alerts. Their reliance on node attributes like file paths or IPs leads to spurious correlations, reducing detection robustness and reliability. To fully understand an attack's progression and impact, security analysts need systems that can generate accurate, human-like narratives of the entire attack. To address these challenges, we introduce OCR-APT, a system for APT detection and reconstruction of human-like attack stories. OCR-APT uses Graph Neural Networks (GNNs) for subgraph anomaly detection, learning behavior patterns around nodes rather than fragile attributes such as file paths or IPs. This approach leads to a more robust anomaly detection. It then iterates over detected subgraphs using Large Language Models (LLMs) to reconstruct multi-stage attack stories. Each stage is validated before proceeding, reducing hallucinations and ensuring an interpretable final report. Our evaluations on the DARPA TC3, OpTC, and NODLINK datasets show that OCR-APT outperforms state-of-the-art systems in both detection accuracy and alert interpretability. Moreover, OCR-APT reconstructs human-like reports that comprehensively capture the attack story.
翻译:高级持续性威胁(APTs)是一种隐秘的网络攻击,通常在系统级审计日志中难以被检测。溯源图将这些日志建模为相互连接的实体与事件,能够揭示线性日志表示所遗漏的关系。现有系统虽对这些图应用异常检测,但常面临高误报率和粗粒度警报的问题。这些系统过度依赖文件路径或IP等节点属性,导致虚假关联,降低了检测的鲁棒性与可靠性。为全面理解攻击的演进过程与影响,安全分析师需要能够生成准确、类人的完整攻击叙述的系统。为应对这些挑战,我们提出了OCR-APT,一个用于APT检测与类人攻击故事重构的系统。OCR-APT利用图神经网络(GNNs)进行子图异常检测,学习节点周围的行为模式而非依赖文件路径或IP等脆弱属性。该方法实现了更鲁棒的异常检测。随后,系统基于检测到的子图,迭代使用大语言模型(LLMs)重构多阶段攻击故事。每个阶段在推进前均经过验证,从而减少幻觉生成并确保最终报告的可解释性。我们在DARPA TC3、OpTC和NODLINK数据集上的评估表明,OCR-APT在检测准确性与警报可解释性方面均优于现有先进系统。此外,OCR-APT重构的类人报告能够全面捕捉攻击故事。
相关内容
微信扫码咨询专知VIP会员