In Advanced Persistent Threat (APT) attacks, achieving stealthy persistence within target systems is often crucial for an attacker's success. This persistence allows adversaries to maintain prolonged access, often evading detection mechanisms. Recognizing its pivotal role in the APT lifecycle, this paper introduces Cyber Persistence Detector (CPD), a novel system dedicated to detecting cyber persistence through provenance analytics. CPD is founded on the insight that persistent operations typically manifest in two phases: the "persistence setup" and the subsequent "persistence execution". By causally relating these phases, we enhance our ability to detect persistent threats. First, CPD discerns setups signaling an impending persistent threat and then traces processes linked to remote connections to identify persistence execution activities. A key feature of our system is the introduction of pseudo-dependency edges (pseudo-edges), which effectively connect these disjoint phases using data provenance analysis, and expert-guided edges, which enable faster tracing and reduced log size. These edges empower us to detect persistence threats accurately and efficiently. Moreover, we propose a novel alert triage algorithm that further reduces false positives associated with persistence threats. Evaluations conducted on well-known datasets demonstrate that our system reduces the average false positive rate by 93% compared to state-of-the-art methods.
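As an added illustration that is not the paper's own code, the toy detector below models the two phases the abstract describes over a constructed provenance event stream: a "persistence setup" (a write into an autostart location) and a later "persistence execution" (a scheduler spawning what that writer dropped), bridged by a pseudo-edge, with a triage step that only alerts when the setup process traces back to a remote connection. The event format, the autostart prefixes, the writer-matching heuristic and the triage rule are assumptions made for this example.

```python
from collections import defaultdict

# Assumed autostart locations and scheduler processes for this example.
AUTOSTART_PREFIXES = ("/etc/cron.d/", "/etc/systemd/system/", "/etc/rc.local")
SCHEDULERS = {"cron", "systemd"}

# Constructed sample provenance events in time order: (subject, action, object)
EVENTS = [
    ("sshd", "spawn", "bash"),
    ("bash", "connect", "203.0.113.5:443"),        # remote connection
    ("bash", "write", "/tmp/sync.sh"),             # payload dropped
    ("bash", "write", "/etc/cron.d/sync"),         # persistence setup
    ("cron", "spawn", "/tmp/sync.sh"),             # persistence execution
    ("/tmp/sync.sh", "connect", "203.0.113.5:443"),
    ("vim", "write", "/home/alice/notes.txt"),     # benign write, no alert
    ("cron", "spawn", "/usr/bin/logrotate"),       # benign scheduled job, no alert
]

def remote_linked(node, parents, connected):
    """Backward trace: does node, or any process upstream of it, own a remote connection?"""
    seen, stack = set(), [node]
    while stack:
        n = stack.pop()
        if n in connected:
            return True
        if n not in seen:
            seen.add(n)
            stack.extend(parents[n])
    return False

def detect_persistence(events):
    """Return alerts as (autostart_file, writer, executed).
    Setup phase: a write into an autostart location.
    Execution phase: a scheduler spawns an executable the same writer dropped;
    a pseudo-edge autostart_file -> executable bridges the two disjoint phases.
    Triage (assumed rule): alert only if the writer traces back to a remote connection."""
    graph = defaultdict(set)      # provenance edges: subject -> objects
    parents = defaultdict(set)    # reverse edges, used for backward tracing
    writes = defaultdict(set)     # writer process -> files it wrote
    connected = set()             # processes that opened a remote connection
    setups = {}                   # autostart file -> process that wrote it
    alerts = []
    for subj, act, obj in events:
        graph[subj].add(obj)
        parents[obj].add(subj)
        if act == "connect":
            connected.add(subj)
        elif act == "write":
            writes[subj].add(obj)
            if obj.startswith(AUTOSTART_PREFIXES):
                setups[obj] = subj
        elif act == "spawn" and subj in SCHEDULERS:
            for autostart, writer in setups.items():
                if obj in writes[writer]:
                    graph[autostart].add(obj)   # pseudo-edge joining setup to execution
                    if remote_linked(writer, parents, connected):
                        alerts.append((autostart, writer, obj))
    return alerts
```

Running `detect_persistence(EVENTS)` yields one alert for the cron entry written by the remotely connected shell, while the benign write and the unrelated scheduled job produce none.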