TY - GEN
T1 - WATSON
T2 - 28th Annual Network and Distributed System Security Symposium, NDSS 2021
AU - Zeng, Jun
AU - Chua, Zheng Leong
AU - Chen, Yinfang
AU - Ji, Kaihang
AU - Liang, Zhenkai
AU - Mao, Jian
N1 - Publisher Copyright:
© 2021 28th Annual Network and Distributed System Security Symposium, NDSS 2021. All Rights Reserved.
PY - 2021
Y1 - 2021
N2 - Endpoint monitoring solutions are widely deployed in today's enterprise environments to support advanced attack detection and investigation. These monitors continuously record system-level activities as audit logs and provide deep visibility into security incidents. Unfortunately, to recognize behaviors of interest and detect potential threats, cyber analysts face a semantic gap between low-level audit events and high-level system behaviors. To bridge this gap, existing work largely matches streams of audit logs against a knowledge base of rules that describe behaviors. However, specifying such rules heavily relies on expert knowledge. In this paper, we present WATSON, an automated approach to abstracting behaviors by inferring and aggregating the semantics of audit events. WATSON uncovers the semantics of events through their usage context in audit logs. By extracting behaviors as connected system operations, WATSON then combines event semantics as the representation of behaviors. To reduce analysis workload, WATSON further clusters semantically similar behaviors and distinguishes the representatives for analyst investigation. In our evaluation against both benign and malicious behaviors, WATSON exhibits high accuracy for behavior abstraction. Moreover, WATSON can reduce analysis workload by two orders of magnitude for attack investigation.
UR - https://www.scopus.com/pages/publications/85180624263
U2 - 10.14722/ndss.2021.24549
DO - 10.14722/ndss.2021.24549
M3 - Conference contribution
AN - SCOPUS:85180624263
T3 - 28th Annual Network and Distributed System Security Symposium, NDSS 2021
BT - 28th Annual Network and Distributed System Security Symposium, NDSS 2021
PB - The Internet Society
Y2 - 21 February 2021 through 25 February 2021
ER -
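The abstract above describes a pipeline: infer what an audit event means from the context it is used in, extract behaviors as connected chains of system operations, aggregate event semantics into a behavior representation, then cluster similar behaviors and keep one representative per cluster for the analyst. The following is an added illustration of that pipeline shape written for this record; it is not the authors' WATSON code. The audit events are constructed, and the "semantics" of a data object is a hand-rolled stand-in (the set of process-image/syscall pairs the object appears with) for the paper's learned contextual embedding. Processes are connected into one behavior when they share a data object (one writes a file, another reads it), and behaviors are clustered by cosine similarity of their aggregated event tokens.

```python
from collections import defaultdict
import math

# Constructed audit events for illustration only (pid, syscall, object).
EVENTS = [
    (100, "execve", "/usr/bin/gcc"),
    (100, "read", "/home/alice/main.c"),
    (100, "write", "/home/alice/main.o"),
    (101, "execve", "/usr/bin/gcc"),
    (101, "read", "/home/bob/util.c"),
    (101, "write", "/home/bob/util.o"),
    (200, "execve", "/usr/bin/curl"),
    (200, "connect", "203.0.113.7:443"),
    (200, "write", "/tmp/payload.sh"),
    (201, "execve", "/bin/sh"),
    (201, "read", "/tmp/payload.sh"),
    (201, "connect", "203.0.113.7:4444"),
    (300, "execve", "/usr/bin/vim"),
    (300, "read", "/home/alice/notes.txt"),
    (300, "write", "/home/alice/notes.txt"),
]

DATA_FLOW = {"read", "write", "connect"}  # syscalls that move data between a process and an object


def process_images(events):
    """Map each pid to the basename of the program it execve'd (assumption: one image per pid)."""
    images = {}
    for pid, syscall, obj in events:
        if syscall == "execve":
            images[pid] = obj.rsplit("/", 1)[-1]
    return images


def object_semantics(events, images):
    """Stand-in for context-based event semantics: describe each data object by the
    set of (image, syscall) pairs it is used with, so two files used the same way
    (e.g. any .c file read by gcc) share one semantic class regardless of path."""
    contexts = defaultdict(set)
    for pid, syscall, obj in events:
        if syscall in DATA_FLOW:
            contexts[obj].add((images.get(pid, "unknown"), syscall))
    return {obj: "|".join(f"{img}:{sc}" for img, sc in sorted(pairs))
            for obj, pairs in contexts.items()}


def extract_behaviors(events):
    """Behaviors as connected system operations: union-find over data-flow edges, so
    processes that touch a common data object end up in the same behavior."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for pid, syscall, obj in events:
        find(("proc", pid))  # register every process, even one with no data flow
        if syscall in DATA_FLOW:
            parent[find(("proc", pid))] = find(("obj", obj))
    groups = defaultdict(set)
    for pid, _, _ in events:
        groups[find(("proc", pid))].add(pid)
    return sorted(groups.values(), key=min)


def behavior_vectors(events):
    """Represent each behavior by aggregating the semantics of its events
    (a bag of (image, syscall, object-class) tokens)."""
    images = process_images(events)
    semantics = object_semantics(events, images)
    vectors = []
    for pids in extract_behaviors(events):
        vec = defaultdict(int)
        for pid, syscall, obj in events:
            if pid in pids:
                obj_class = semantics.get(obj, "exe" if syscall == "execve" else obj)
                vec[(images.get(pid, "unknown"), syscall, obj_class)] += 1
        vectors.append((pids, dict(vec)))
    return vectors


def cosine(a, b):
    dot = sum(v * b.get(k, 0) for k, v in a.items())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def cluster_behaviors(events, threshold=0.9):
    """Greedy clustering: a behavior joins the first cluster whose representative is
    at least `threshold` similar, otherwise it founds a new cluster and becomes its
    representative. The analyst only needs to look at one representative per cluster."""
    clusters = []
    for pids, vec in behavior_vectors(events):
        for cluster in clusters:
            if cosine(cluster["vec"], vec) >= threshold:
                cluster["members"].append(pids)
                break
        else:
            clusters.append({"vec": vec, "representative": pids, "members": [pids]})
    return clusters


if __name__ == "__main__":
    for c in cluster_behaviors(EVENTS):
        print(f"representative pids={sorted(c['representative'])} covers {len(c['members'])} behavior(s)")
```

On the constructed log the two compile jobs collapse into one cluster because their events share the same contextual classes even though the file paths differ, while the download-then-execute chain (pids 200 and 201, joined through /tmp/payload.sh) and the editor session each stand alone; four behaviors become three representatives. The threshold and the set-of-contexts encoding are choices made for this illustration, not values from the paper.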