With the evolution of computer-related technologies, new vulnerabilities and threats emerge constantly. Relying solely on traditional passive defense measures makes it increasingly difficult to ensure system security. Therefore, security personnel and researchers have shifted their defensive thinking from passively patching individual vulnerabilities to actively searching for malicious behavior within the system. The Provenance Graph, which is constructed from audit logs and has strong abstract expressive power for system behavior, has become a research hotspot in active threat detection. The core issue is how to effectively detect potential threats in large-scale Provenance Graphs. In recent years, with the gradual improvement of methods for automatically extracting open-source threat intelligence, threat hunting methods driven by threat intelligence have been used to search for threats in Provenance Graphs, providing security personnel with interpretable attack scenarios with almost no need for expert knowledge, and have become an effective solution to the problem of system threat detection. However, existing threat hunting methods rely too heavily on Indicators of Compromise (IoC) for threat search and do not fully consider the impact of attack evasion on the effectiveness of IoCs. At the same time, existing methods rarely consider the application scenario of continuous hunting, neglecting the high costs that continuous hunting incurs. Therefore, this paper proposes threat hunting methods for the problems of attack evasion and continuous hunting, described as follows:

(1) Robust Threat Hunting Method Based on Dual Graph Similarity Learning (RTH-DGSL). RTH-DGSL aims to improve the accuracy of threat hunting in the presence of attack evasion. To address the issue of IoCs becoming ineffective due to attack evasion, RTH-DGSL uses a composite node matching strategy to prevent critical attack nodes from being lost, and introduces a leaf node degree priority matching strategy to reduce the number of redundant candidate subgraphs. To address the issue of node attributes being inconsistent due to attack evasion, this paper proposes a dual graph similarity learning model: RTH-DGSL uses a Provenance Graph Matching Network (PGMN) to learn both node attribute similarity and graph topology similarity, which enhances the robustness of the model. Experiments on a real-world attack dataset show that RTH-DGSL has a significant advantage in detection accuracy over existing methods in the presence of attack evasion.

(2) Dynamic Threat Hunting Method Based on SBERT Attribute Embedding (DTH-SAE). DTH-SAE aims to reduce the cost of continuous hunting while preserving detection effectiveness. To address the issue of node attributes being out-of-vocabulary in near-real-time continuous hunting, DTH-SAE adds a node attribute encoder based on the SBERT (Sentence Bidirectional Encoder Representations from Transformers) pre-trained model on top of PGMN to encode node attributes directly, avoiding repeated traversal of the provenance graph and effectively improving the efficiency of threat hunting. To address the high cost of maintaining historical information during continuous hunting, DTH-SAE introduces the concept of suspicious subgraphs and uses a method for generating and updating suspicious subgraphs to maintain a provenance subgraph containing only attack-related nodes, reducing the space overhead required for threat hunting without losing historical provenance information. Experimental results show that DTH-SAE keeps space overhead acceptable across multi-round threat hunting without compromising detection effectiveness, reducing the retained event stream by over 94.1%.
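The following Python sketch is an added illustration and is neither code from the thesis nor the DTH-SAE suspicious-subgraph algorithm itself; it shows in a simplified form how maintaining only an attack-related provenance subgraph over a streaming audit log reduces the number of retained events. The design is assumed: seed nodes are those whose attributes match a small IoC list, an event is retained only when at least one endpoint is already suspicious (the other endpoint then becomes suspicious), and a bounded per-node index of recent incoming edges lets a newly suspicious node pull in the events that led to it so that dropped history can still be recovered. All event labels, node names and the IoC value are constructed sample data.

```python
"""Illustrative suspicious-subgraph maintenance over a provenance event stream.

Assumed design (not the thesis's DTH-SAE method): keep an event only if one of
its endpoints is already suspicious; remember dropped events in a small
per-node index of recent incoming edges so a node that later becomes
suspicious can back-fill its own provenance chain.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int        # logical timestamp of the audit record
    subject: str   # acting node, e.g. a process
    op: str        # operation label (constructed, syscall-like)
    obj: str       # acted-upon node: process, file or socket


class SuspiciousSubgraph:
    def __init__(self, iocs, history_per_node=4):
        self.iocs = set(iocs)              # IoC substrings that seed the subgraph
        self.nodes = set()                 # nodes currently deemed attack-related
        self.edges = []                    # retained events (the suspicious subgraph)
        self.recent_in = {}                # node -> deque of recent dropped inbound events
        self.history_per_node = history_per_node
        self.seen = 0                      # total events observed

    def _matches_ioc(self, node):
        return any(ioc in node for ioc in self.iocs)

    def _absorb(self, node):
        """Mark node suspicious and back-fill the dropped events that reached it."""
        if node in self.nodes:
            return
        self.nodes.add(node)
        for ev in self.recent_in.pop(node, ()):
            if ev not in self.edges:
                self.edges.append(ev)
            self._absorb(ev.subject)       # walk backward along the recovered edge

    def update(self, ev):
        """Consume one event; return True if it was retained."""
        self.seen += 1
        for node in (ev.subject, ev.obj):
            if self._matches_ioc(node):
                self._absorb(node)
        if ev.subject in self.nodes or ev.obj in self.nodes:
            self.edges.append(ev)
            self._absorb(ev.subject)
            self._absorb(ev.obj)
            return True
        # Neither endpoint is suspicious: drop the event from the subgraph but
        # keep it in the bounded inbound index of its target node.
        self.recent_in.setdefault(
            ev.obj, deque(maxlen=self.history_per_node)).append(ev)
        return False

    def events(self):
        """Retained events in chronological order."""
        return sorted(self.edges, key=lambda e: e.ts)

    def reduction(self):
        """Fraction of the observed stream that was not retained."""
        return 1.0 - len(self.edges) / self.seen if self.seen else 0.0


# Constructed audit stream: one attack chain interleaved with benign activity.
STREAM = [
    Event(1, "proc:sshd", "fork", "proc:bash"),
    Event(2, "proc:bash", "write", "file:/tmp/stage.sh"),
    Event(3, "proc:cron", "read", "file:/etc/crontab"),
    Event(4, "proc:bash", "exec", "proc:curl"),
    Event(5, "proc:curl", "connect", "sock:203.0.113.7:443"),   # matches the IoC
    Event(6, "proc:curl", "write", "file:/tmp/payload.bin"),
    Event(7, "proc:logrotate", "write", "file:/var/log/syslog.1"),
    Event(8, "proc:bash", "exec", "proc:payload"),
    Event(9, "proc:payload", "read", "file:/tmp/payload.bin"),
    Event(10, "proc:nginx", "read", "file:/var/www/index.html"),
]
IOCS = ["203.0.113.7"]   # constructed documentation-range address


def run_demo(stream=STREAM, iocs=IOCS):
    g = SuspiciousSubgraph(iocs)
    for ev in stream:
        g.update(ev)
    return g


if __name__ == "__main__":
    g = run_demo()
    for ev in g.events():
        print(f"{ev.ts:>3} {ev.subject} --{ev.op}--> {ev.obj}")
    print(f"retained {len(g.edges)}/{g.seen} events, reduction {g.reduction():.0%}")
```

When the IoC hit occurs at event 5, the backward index recovers events 4 and 1 (bash spawned curl, sshd spawned bash), so the retained subgraph still explains how the connecting process came to exist. Note the limitation of this simplified scheme: only inbound history is indexed, so event 2 (bash writing a staging file before bash became suspicious) is never recovered; a complete method must also handle such forward history, which is part of what the abstract's "without losing historical provenance information" claim covers.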