This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Anomaly Detection Analysis with Graph-Based Cyber Threat Hunting Scheme
Corresponding Author(s): Didit Hari Kuncoro Raharjo
Kinetik: Game Technology, Information System, Computer Network, Computing, Electronics, and Control,
Vol. 8, No. 4, November 2023
Abstract
As advanced persistent threats become more prevalent and cyber-attacks become more severe, cyber defense analysts will be required to exert greater effort to protect their systems. A continuous defense mechanism is needed to ensure no incidents occur in the system; one such mechanism is cyber threat hunting. To demonstrate that cyber threat hunting is important, this research simulated a cyber-attack that successfully entered the system but was not detected by the IDS device, even though its rules were relatively up to date. Based on the simulation result, this research designed a data correlation model, implemented as a graph visualization with on-demand enrichment features, to help analysts conduct cyber threat hunting with graph visualization and detect cyber-attacks. The data correlation model developed in this research can close this gap and raise the detection rate from 0% (originally undetected by the IDS) to more than 45%, and it can even be assessed as 100% detected based on the anomaly pattern that was successfully found.
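The abstract describes correlating log data into a graph and enriching nodes on demand so an analyst can spot anomaly patterns the IDS missed. The following is an added illustration, not code from the paper or its authors: it builds a directed graph from constructed flow-log lines (the format, the hosts and the timestamps are all made up), looks for two anomaly shapes a hunter typically checks on such a graph (periodic callbacks on one edge, and one source fanning out to many internal hosts on one port), and applies a local stand-in dictionary where a real deployment would query an enrichment source. Thresholds such as `min_hits`, `max_cv` and `min_targets` are assumed values, not parameters from the paper.

```python
"""Graph-based correlation of flow logs for threat hunting (added example)."""
from collections import defaultdict
from ipaddress import ip_address
from statistics import mean, pstdev

# Constructed flow records "ts,src_ip,dst_ip,dst_port,proto"; not real traffic.
# 10.0.0.5 calls one external host every 60 s; 10.0.0.9 touches six internal
# hosts on port 445 within seconds; 10.0.0.8 browses irregularly (benign).
CONSTRUCTED_LOG = """\
1700000000,10.0.0.5,203.0.113.7,443,tcp
1700000060,10.0.0.5,203.0.113.7,443,tcp
1700000120,10.0.0.5,203.0.113.7,443,tcp
1700000180,10.0.0.5,203.0.113.7,443,tcp
1700000240,10.0.0.5,203.0.113.7,443,tcp
1700000300,10.0.0.5,203.0.113.7,443,tcp
1700000010,10.0.0.8,198.51.100.20,80,tcp
1700000490,10.0.0.8,198.51.100.21,443,tcp
1700001900,10.0.0.8,198.51.100.20,443,tcp
1700002100,10.0.0.8,198.51.100.22,443,tcp
1700000015,10.0.0.9,10.0.0.10,445,tcp
1700000016,10.0.0.9,10.0.0.11,445,tcp
1700000017,10.0.0.9,10.0.0.12,445,tcp
1700000018,10.0.0.9,10.0.0.13,445,tcp
1700000019,10.0.0.9,10.0.0.14,445,tcp
1700000020,10.0.0.9,10.0.0.15,445,tcp
"""

# Constructed stand-in for an on-demand enrichment source (a local threat-intel
# cache); a real deployment would query its source lazily, per pivoted node.
CONSTRUCTED_INTEL = {
    "203.0.113.7": {"tag": "constructed-example-c2", "confidence": "medium"},
}


def parse_log(text):
    """Parse CSV flow lines into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, src, dst, port, proto = parts
        records.append({"ts": int(ts), "src": src, "dst": dst,
                        "port": int(port), "proto": proto})
    return records


def build_graph(records):
    """Directed multigraph: graph[src][dst] is the list of (ts, port) hits."""
    graph = defaultdict(lambda: defaultdict(list))
    for r in records:
        graph[r["src"]][r["dst"]].append((r["ts"], r["port"]))
    return graph


def find_beacons(graph, min_hits=5, max_cv=0.2):
    """Edges with many hits at near-constant spacing (periodic callback shape).

    Uses the coefficient of variation of inter-arrival gaps: pstdev/mean.
    """
    findings = []
    for src, edges in graph.items():
        for dst, hits in edges.items():
            if len(hits) < min_hits:
                continue
            ts = sorted(t for t, _ in hits)
            gaps = [b - a for a, b in zip(ts, ts[1:])]
            avg = mean(gaps)
            if avg <= 0:
                continue
            cv = pstdev(gaps) / avg
            if cv <= max_cv:
                findings.append({"src": src, "dst": dst, "hits": len(hits),
                                 "interval_s": avg, "cv": round(cv, 3)})
    return findings


def find_fan_out(graph, min_targets=5, internal_only=True):
    """Sources reaching many distinct hosts on one port (scan / lateral shape)."""
    findings = []
    for src, edges in graph.items():
        per_port = defaultdict(set)
        for dst, hits in edges.items():
            if internal_only and not ip_address(dst).is_private:
                continue
            for _, port in hits:
                per_port[port].add(dst)
        for port, targets in per_port.items():
            if len(targets) >= min_targets:
                findings.append({"src": src, "port": port, "targets": len(targets)})
    return findings


def enrich(node):
    """On-demand enrichment: consulted only for nodes an analyst pivots on."""
    return CONSTRUCTED_INTEL.get(node, {"tag": "unknown"})


def hunt(text):
    """Correlate the log into a graph and return enriched anomaly findings."""
    graph = build_graph(parse_log(text))
    beacons = find_beacons(graph)
    for b in beacons:
        b["dst_intel"] = enrich(b["dst"])
    return {"beacons": beacons, "fan_out": find_fan_out(graph)}


if __name__ == "__main__":
    for kind, items in hunt(CONSTRUCTED_LOG).items():
        for item in items:
            print(kind, item)
```

Running the block on the constructed log reports the 60-second beacon from 10.0.0.5 (tagged from the stand-in intel cache) and the port-445 fan-out from 10.0.0.9, while the irregular browsing of 10.0.0.8 produces nothing. Enrichment is deliberately applied only to the nodes that surface in a finding, which is the on-demand behaviour the abstract describes: the graph is built from local logs first, and external context is pulled in only where an analyst needs to pivot.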