Abstract
This paper presents a scalable, dynamic, flexible, and non-intrusive monitoring architecture for threat hunting. The agent architecture detects attack techniques at the agent level, classifies composite and primitive events, and disseminates observed attack techniques or subscribed event information to the upper-level agent or manager. The proposed solution improves on existing threat hunting approaches by supporting hierarchical event-filtering-based monitoring, which improves monitoring scalability. It reduces memory requirements and communication overhead while maintaining the same threat hunting accuracy as state-of-the-art centralized approaches. We provide a distributed hierarchical agent architecture and an approximation algorithm for near-optimal agent hierarchy generation. We also evaluated the proposed system across three simulated attack use cases built using the MITRE ATT&CK framework and the DARPA OpTC attack dataset. The evaluation shows that our proposed approach reduces communication overhead by 43% to 64% and memory usage by 45% to 60% compared with centralized threat hunting approaches.
References
Adversarial tactics, techniques & common knowledge. https://attack.mitre.org/. Accessed 15 Mar 2022
Atomic red team: Mitre attack technique detector. https://github.com/redcanaryco/atomic-red-team/. Accessed 15 Mar 2022
Endpoint detection and response solution survey. https://www.gartner.com/reviews/market/endpoint-detection-and-response-solutions. Accessed 3 Aug 2022
How much does a data breach cost? https://www.ibm.com/security/data-breach. Accessed 15 July 2022
LogRhythm: threat hunting use cases. https://logrhythm.com/use-cases/. Accessed 15 Apr 2022
Special report m-trends 2021. https://www.mandiant.com/resources/m-trends-2021. Accessed 15 July 2022
The state of ransomware 2022. https://www.sophos.com/en-us/content/state-of-ransomware. Accessed 15 July 2022
Symantec: attack listing. https://www.symantec.com/security-center/a-z
Ahmed, M., Al-Shaer, E.: Measures and metrics for the enforcement of critical security controls: a case study of boundary defense. In: Proceedings of the 6th Annual Symposium on Hot Topics in the Science of Security, pp. 1–3 (2019)
Al-Shaer, E., Abdel-Wahab, H., Maly, K.: HiFi: a new monitoring architecture for distributed systems management. In: Proceedings of 19th IEEE International Conference on Distributed Computing Systems (Cat. No. 99CB37003), pp. 171–178 (1999)
Al-Shaer, R., Spring, J.M., Christou, E.: Learning the associations of MITRE ATT&CK adversarial techniques. In: 2020 IEEE Conference on Communications and Network Security (CNS), pp. 1–9 (2020)
Alam, M.M., Wang, W.: A comprehensive survey on data provenance: state-of-the-art approaches and their deployments for IoT security enforcement. J. Comput. Secur. 29(4), 1–24 (2021)
Alsaleh, M.N., Wei, J., Al-Shaer, E., Ahmed, M.: Gextractor: towards automated extraction of malware deception parameters. In: Proceedings of the 8th Software Security, Protection, and Reverse Engineering Workshop, SSPREW-8. Association for Computing Machinery, New York (2018)
Andreolini, M., Colajanni, M., Pietri, M.: A scalable architecture for real-time monitoring of large information systems. In: 2012 Second Symposium on Network Cloud Computing and Applications, pp. 143–150. IEEE (2012)
Arantes, R., Weir, C., Hannon, H., Kulseng, M.: Operationally transparent cyber (OPTC) (2021)
Benahmed, K., Merabti, M., Haffaf, H.: Distributed monitoring for misbehaviour detection in wireless sensor networks. Secur. Commun. Netw. 6(4), 388–400 (2013)
Bhattarai, B., Huang, H.: Steinerlog: prize collecting the audit logs for threat hunting on enterprise network. In: Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security, ASIA CCS 2022, pp. 97–108. Association for Computing Machinery, New York (2022)
Boem, F., Ferrari, R.M., Keliris, C., Parisini, T., Polycarpou, M.M.: A distributed networked approach for fault detection of large-scale systems. IEEE Trans. Autom. Control 62(1), 18–33 (2016)
Hassan, W.U., Bates, A., Marino, D.: Tactical provenance analysis for endpoint detection and response systems. In: 2020 IEEE Symposium on Security and Privacy (SP), pp. 1172–1189 (2020)
Hassan, W.U., et al.: Nodoze: combatting threat alert fatigue with automated provenance triage. In: Network and Distributed Systems Security Symposium (2019)
Hassan, W.U., et al.: This is why we can’t cache nice things: lightning-fast threat hunting using suspicion-based hierarchical storage. In: Annual Computer Security Applications Conference, ACSAC 2020, pp. 165–178. Association for Computing Machinery, New York (2020)
Hassan, W.U., Noureddine, M.A., Datta, P., Bates, A.: Omegalog: high-fidelity attack investigation via transparent multi-layer log analysis. In: Network and Distributed System Security Symposium (2020)
Hong, P.T.N., Le Van, S.: An online monitoring solution for complex distributed systems based on hierarchical monitoring agents. In: Huynh, V., Denoeux, T., Tran, D., Le, A., Pham, S. (eds.) Knowledge and Systems Engineering, pp. 187–198. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-02741-8_17
Hossain, M.N., et al.: SLEUTH: real-time attack scenario reconstruction from COTS audit data. In: 26th USENIX Security Symposium (USENIX Security 2017), pp. 487–504 (2017)
Milajerdi, S.M., Eshete, B., Gjomemo, R., Venkatakrishnan, V.N.: Poirot: aligning attack behavior with kernel audit records for cyber threat hunting. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 1795–1812 (2019)
Milajerdi, S.M., Gjomemo, R., Eshete, B., Sekar, R., Venkatakrishnan, V.N.: Holmes: real-time apt detection through correlation of suspicious information flows. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 1137–1152. IEEE (2019)
Sacerdoti, F.D., Katz, M.J., Massie, M.L., Culler, D.E.: Wide area cluster monitoring with ganglia. In: CLUSTER, vol. 3, pp. 289–289 (2003)
Wei, R., Cai, L., Zhao, L., Yu, A., Meng, D.: DeepHunter: a graph neural network based approach for robust cyber threat hunting. In: Garcia-Alfaro, J., Li, S., Poovendran, R., Debar, H., Yung, M. (eds.) SecureComm 2021. LNICST, vol. 398, pp. 3–24. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-90019-9_1
Wood, A.: Rabbit MQ: For Starters. CreateSpace Independent Publishing Platform, North Charleston (2016)
Wu, Y.-S., Foo, B., Mei, Y., Bagchi, S.: Collaborative intrusion detection system (CIDS): a framework for accurate and efficient ids. In: Proceedings of 19th Annual Computer Security Applications Conference, pp. 234–244. IEEE (2003)
Xiong, C., et al.: Conan: a practical real-time apt detection system with high accuracy and efficiency. IEEE Trans. Dependable Secure Comput. 19(1), 551–565 (2020)
Yegneswaran, V., Barford, P., Jha, S.: Global intrusion detection in the domino overlay system. Technical report, University of Wisconsin-Madison, Department of Computer Sciences (2003)
Appendix A
To build the attack signatures in terms of low-level system events, we follow the technique detectors provided by LogRhythm [5]. Following the rules developed by LogRhythm, technique T1189 can be detected by inspecting IDS or antivirus logs. Techniques T1035, T1021.001 and T1119 [1] can be detected by analyzing Windows event logs or Sysmon logs, as described by MITRE [1]. Technique T1048 can be detected by analyzing network traffic and looking for uncommon data flows in NetMonitor. Therefore, we can define the signatures in terms of low-level logs for techniques T1189, T1035, T1021.001, T1119 and T1048 [1], and for use case 2, using the ESP formalization provided in Sect. 3 as follows:
To build the attack signature of the red team activities in the OpTC attack dataset, we investigate the Notepad++ update process and the Meterpreter execution process. To detect Meterpreter payload download activities, we look for file-create and file-write event logs followed by a process creation whose image is the newly created file.
Named pipe impersonation can be detected by looking for any cmd.exe process that is a child of services.exe and whose command-line arguments contain the echo and pipe keywords.
The system information, installed application, domain controller and network share discovery activities can be detected by looking for command-line arguments run from a cmd.exe process spawned by the Meterpreter process.
We detect the creation of a registry key whose value is set to the newly downloaded payload as follows:
Creating a new user account and adding it to a specific group can be done with the net utility. Thus the signature is:
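As an added example that is not part of the paper, the following Python detector applies the OpTC signatures described above to a constructed Sysmon-style event trace: a downloaded file that is then executed, cmd.exe under services.exe with echo and pipe on its command line, a cmd.exe shell spawned by the payload process, a registry value pointing at the payload, and account creation with net. The Event fields, path names and finding labels are assumptions of this example, not the paper's ESP notation.

```python
from dataclasses import dataclass
from typing import List, Set

@dataclass
class Event:  # fields are assumptions modelled on Sysmon event IDs 1 (process), 11 (file), 13 (registry)
    kind: str          # "process", "file" or "registry"
    image: str = ""    # created process (process) or acting process (file/registry)
    parent: str = ""   # parent image, process events only
    cmdline: str = ""  # command line, process events only
    target: str = ""   # created file path (file) or registry value data (registry)

def base(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()  # lower-cased file name

def hunt(events: List[Event]) -> List[str]:
    """Apply the Appendix A signatures in trace order; return one label per match."""
    new_files: Set[str] = set()      # files written in the trace: candidate downloaded payloads
    payload_procs: Set[str] = set()  # images launched from those files: Meterpreter candidates
    findings: List[str] = []
    for ev in events:
        if ev.kind == "file":
            new_files.add(ev.target.lower())
        elif ev.kind == "registry" and ev.target.lower() in new_files:
            findings.append("registry-persistence")  # value data points at the new payload
        elif ev.kind == "process":
            img, cmd, parent = ev.image.lower(), ev.cmdline.lower(), ev.parent.lower()
            if img in new_files:  # a just-written file is executed
                payload_procs.add(img)
                findings.append("payload-execution")
            if base(img) == "cmd.exe" and base(parent) == "services.exe" and "echo" in cmd and "pipe" in cmd:
                findings.append("named-pipe-impersonation")
            if base(img) == "cmd.exe" and parent in payload_procs:
                findings.append("discovery-from-payload")  # shell spawned by the payload process
            if base(img) in ("net.exe", "net1.exe") and "/add" in cmd.split() \
                    and {"user", "group", "localgroup"} & set(cmd.split()):
                findings.append("account-creation")
    return findings

# Constructed trace (not from the OpTC dataset); paths and names are illustrative.
SYS = "C:/Windows/System32/"
GUP = "C:/Program Files/Notepad++/updater/gup.exe"
PAYLOAD = "C:/Users/bob/AppData/Local/Temp/update.exe"
SAMPLE = [
    Event("file", image=GUP, target=PAYLOAD),
    Event("process", image=PAYLOAD, parent=GUP, cmdline="update.exe"),
    Event("process", image=SYS + "cmd.exe", parent=SYS + "services.exe", cmdline="cmd.exe /c echo test > \\\\.\\pipe\\test"),
    Event("process", image=SYS + "cmd.exe", parent=PAYLOAD, cmdline="cmd.exe /c systeminfo"),
    Event("registry", image=PAYLOAD, target=PAYLOAD),
    Event("process", image=SYS + "net.exe", parent=SYS + "cmd.exe", cmdline="net user svc_backup P@ssw0rd /add"),
]
```

Calling hunt(SAMPLE) yields one label per signature in trace order; the file-create bookkeeping is what lets the registry and discovery rules correlate back to the downloaded payload rather than firing on every cmd.exe or registry write.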
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Ahmed, M., Wei, J., Al-Shaer, E. (2023). SCAHunter: Scalable Threat Hunting Through Decentralized Hierarchical Monitoring Agent Architecture. In: Arai, K. (eds) Intelligent Computing. SAI 2023. Lecture Notes in Networks and Systems, vol 739. Springer, Cham. https://doi.org/10.1007/978-3-031-37963-5_88
DOI: https://doi.org/10.1007/978-3-031-37963-5_88
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-37962-8
Online ISBN: 978-3-031-37963-5
eBook Packages: Intelligent Technologies and Robotics; Intelligent Technologies and Robotics (R0)