To defend against Advanced Persistent Threats (APTs) on the endpoint, threat hunting employs security knowledge such as cyber threat intelligence (CTI) to continuously analyze system audit logs through retrospective scanning, querying, or pattern matching, aiming to uncover attack patterns/graphs that traditional detection methods (e.g., Point-of-Interest recognition) fail to capture. However, existing threat hunting systems based on provenance graphs face challenges of high false negatives, high false positives, and low efficiency when confronted with diverse attack tactics and voluminous audit logs. To address these issues, we propose a system called Actminer, which constructs query graphs from the descriptive relationships in CTI reports for precise threat hunting (i.e., graph alignment) on provenance graphs. First, we present a heuristic search strategy based on equivalent semantic transfer to reduce false negatives. Second, we establish a filtering mechanism based on the causal relationships of attack behaviors to mitigate false positives. Finally, we design a tree structure to incrementally update the alignment results, significantly improving hunting efficiency. Evaluation on the DARPA Engagement dataset demonstrates that, compared to the state-of-the-art system POIROT, Actminer reduces false positives by 39.1%, eliminates all false negatives, and effectively counters adversarial attacks.
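As an added illustration (not Actminer's code or the paper's algorithm), the following toy Python sketch shows three of the ideas the abstract names: aligning a CTI-derived query graph with a provenance graph by subgraph search, treating semantically equivalent audit event types as one behaviour, and filtering candidate alignments on the causal (timestamp) order of the attack steps. All nodes, events, timestamps and the equivalence table are constructed for the example.

```python
# Constructed toy data: provenance-graph edges from an audit log and a query
# graph built from a CTI report sentence. Event names, node types, timestamps
# and the equivalence table are all assumed for illustration.
PROV = [  # (subject, audit event, object, timestamp)
    ("firefox", "create", "/tmp/drop.sh", 10),
    ("bash", "read", "/tmp/drop.sh", 12),
    ("bash", "read", "/etc/passwd", 8),   # predates the drop: not its effect
    ("bash", "read", "/etc/passwd", 20),
    ("bash", "connect", "203.0.113.5:443", 25),
]
NODE_TYPE = {"firefox": "process", "bash": "process", "/tmp/drop.sh": "file",
             "/etc/passwd": "file", "203.0.113.5:443": "socket"}
# Query graph: "a browser writes a script, a shell reads it, then reads a
# sensitive file and connects out". Edge order is the report's causal order.
Q_NODES = {"P1": "process", "F1": "file", "P2": "process", "F2": "file", "S": "socket"}
Q_EDGES = [("P1", "write", "F1"), ("P2", "read", "F1"),
           ("P2", "read", "F2"), ("P2", "connect", "S")]
# Equivalent semantic transfer: a CTI verb matches every audit event type
# that realises the same behaviour, so "write" also covers a file creation.
EQUIV = {"write": {"write", "create"}, "read": {"read", "open"}}


def align(prov, node_type, q_nodes, q_edges, equiv=EQUIV, causal=True):
    """Return all injective bindings of query variables to provenance nodes
    that realise every query edge, as (binding, matched_edges) pairs. With
    causal=True an edge may not be timestamped before its cause's match."""
    results = []

    def fits(binding, var, node):
        if var in binding:  # already bound: must be the same node
            return binding[var] == node
        return node not in binding.values() and node_type[node] == q_nodes[var]

    def search(i, binding, last_ts, matched):
        if i == len(q_edges):
            results.append((binding, matched))
            return
        qs, rel, qd = q_edges[i]
        for s, ev, d, ts in prov:
            if ev not in equiv.get(rel, {rel}) or (causal and ts < last_ts):
                continue  # wrong behaviour, or effect recorded before cause
            if not fits(binding, qs, s):
                continue
            nb = {**binding, qs: s}
            if fits(nb, qd, d):
                search(i + 1, {**nb, qd: d}, ts, matched + [(s, ev, d, ts)])

    search(0, {}, 0, [])
    return results
```

With the causal filter on, the /etc/passwd read that precedes the dropped script is discarded and exactly one alignment survives; without it the same query yields two, and without the equivalence table the "create" event never matches the report's "write" and nothing is found.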