Abstract
Modern attacks against enterprises often have multiple targets inside the enterprise network. Because these networks are large and attacks are increasingly stealthy, attacker activities spanning multiple hosts are extremely difficult to correlate during a threat-hunting effort. In this paper, we present an efficient method for correlating attack activity across multiple hosts. Unlike previous works, our approach does not require lateral movement detection techniques or host-level modifications. Instead, it relies on the observation that attackers have a few strategic mission objectives on every host they infiltrate, and that only a handful of techniques exist for achieving those objectives. The central idea behind our approach is to compare (OS-agnostic) activities on different hosts and to correlate the hosts that display the use of similar tactics, techniques, and procedures. We implement our approach in a tool called Ostinato and successfully evaluate it in threat-hunting scenarios involving DARPA-led red team engagements spanning 500 hosts and in another multi-host attack scenario. Ostinato detected 21 additional compromised hosts that the underlying host-based detection system had overlooked in activities spanning multiple days of the attack campaign. Additionally, Ostinato reduced the alarms generated by the underlying detection system by more than 90%, thus helping to mitigate the threat alert fatigue problem.
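The abstract gives only the central idea (correlate hosts whose observed tactics, techniques and procedures look alike). The following is an added illustration, not Ostinato's own code: each host's activity is summarised as a set of ATT&CK technique IDs reported by an endpoint detector, hosts are compared with Jaccard set similarity (an assumed measure; the abstract does not state which one Ostinato uses), and any host similar enough to an already flagged host is pulled into the correlated set, transitively. The host names, technique sets and alerts are constructed sample data.

```python
from itertools import combinations

# Constructed sample: technique IDs an endpoint detector reported per host.
# Only host-a was actually raised as an incident; host-b and host-d show the
# same pattern (credential dumping + SMB admin shares + tool transfer) but
# were never flagged. host-c and host-e are ordinary user/admin activity.
HOST_TTPS = {
    "host-a": {"T1059.001", "T1003.001", "T1021.002", "T1105"},
    "host-b": {"T1059.001", "T1003.001", "T1021.002", "T1570"},
    "host-c": {"T1059.001"},
    "host-d": {"T1053.005", "T1003.001", "T1021.002", "T1105"},
    "host-e": {"T1204.002"},
}
FLAGGED = {"host-a"}

# Constructed alerts: one line per (host, technique) the detector raised.
ALERTS = [{"host": h, "technique": t} for h, ts in HOST_TTPS.items() for t in ts]


def jaccard(a, b):
    """Jaccard similarity |a ∩ b| / |a ∪ b|; two empty sets count as dissimilar."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def correlated_hosts(host_ttps, flagged, threshold):
    """Hosts reachable from the flagged seeds through pairwise TTP similarity.

    Expansion is transitive: a newly correlated host is itself used as a seed,
    so a chain of similar hosts is recovered even if only one end was flagged.
    The threshold guards against hosts with one or two common techniques
    (e.g. a lone PowerShell use) matching everything.
    """
    found = set(flagged)
    frontier = set(flagged)
    while frontier:
        nxt = set()
        for seed in frontier:
            for host, ttps in host_ttps.items():
                if host not in found and jaccard(host_ttps[seed], ttps) >= threshold:
                    nxt.add(host)
        found |= nxt
        frontier = nxt
    return found


def triage(alerts, keep_hosts):
    """Keep only alerts from correlated hosts; the rest are deprioritised."""
    return [a for a in alerts if a["host"] in keep_hosts]


if __name__ == "__main__":
    hosts = correlated_hosts(HOST_TTPS, FLAGGED, threshold=0.5)
    print("correlated:", sorted(hosts))            # host-a, host-b, host-d
    print("alerts kept:", len(triage(ALERTS, hosts)), "of", len(ALERTS))
```

Lowering the threshold to the single-technique overlap with host-c (0.25) would pull in every host that ever ran PowerShell, which is the false-positive trade-off a practitioner tunes here.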
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Ghosh, S.K., Satvat, K., Gjomemo, R., Venkatakrishnan, V.N. (2022). Ostinato: Cross-host Attack Correlation Through Attack Activity Similarity Detection. In: Badarla, V.R., Nepal, S., Shyamasundar, R.K. (eds) Information Systems Security. ICISS 2022. Lecture Notes in Computer Science, vol 13784. Springer, Cham. https://doi.org/10.1007/978-3-031-23690-7_1
DOI: https://doi.org/10.1007/978-3-031-23690-7_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-23689-1
Online ISBN: 978-3-031-23690-7