Modern cyber attackers use advanced zero-day exploits, highly targeted spear phishing, and other social engineering techniques to gain access, and then use evasion techniques to maintain a prolonged presence within the victim network while working gradually towards their objective. To minimize the damage, it is necessary to detect these Advanced Persistent Threats as early in the campaign as possible. This paper proposes Prov2Vec, a system for the continuous monitoring of enterprise hosts' behavior to detect attackers' activities. It leverages the data provenance graph built from system event logs to obtain complete visibility into the execution state of an enterprise host and the causal relationships between system entities. It proposes a novel provenance graph kernel to obtain a canonical representation of the system behavior, which is compared against the host's historical behavior and that of other hosts to detect deviation from normality. These representations are used in several machine learning models to evaluate their ability to capture the underlying behavior of an endpoint host. We have empirically demonstrated that the provenance graph kernel produces a much more compact representation than existing methods while improving prediction ability.