Computer science
Auditing
Context (archaeology)
Partition (number theory)
Reduction (mathematics)
Information loss
Data mining
Graph
Information flow
Data science
Theoretical computer science
Artificial intelligence
Paleontology
Geometry
Mathematics
Management
Combinatorics
Economics
Biology
Linguistics
Philosophy
Authors
Jiawei Li, Ru Zhang, Jianyi Liu
Source
Journal: Electronics
[MDPI AG]
Date: 2023-12-25
Volume/Issue: 13 (1): 100-100
Identifier
DOI: 10.3390/electronics13010100
Abstract
Attack investigation is a crucial technique in proactively defending against sophisticated attacks. Its purpose is to identify attack entry points and previously unknown attack traces through comprehensive analysis of audit data. However, a major challenge arises from the vast and redundant nature of audit logs, which makes attack investigation difficult and prohibitively expensive. To address this challenge, various techniques have been proposed to reduce audit data and facilitate efficient analysis. However, most of these techniques rely on predefined templates without considering the rich context information of events. Moreover, these methods fail to remove false dependencies caused by the coarse-grained nature of logs. To address these limitations, this paper proposes a context-aware provenance graph reduction and partition approach, named ProvGRP, for facilitating attack investigation. Specifically, three features are proposed to determine, across multiple dimensions, whether system events belong to the same behavior. Based on the insight that information paths belonging to the same high-level behavior share similar information flow patterns, ProvGRP generates information paths containing context, and identifies and merges paths that share similar flow patterns. Experimental results show that ProvGRP can efficiently reduce provenance graphs with minimal loss of crucial information, thereby facilitating attack investigation in terms of both runtime and results.