In recent years, the adoption of cloud services has expanded at an unprecedented rate. As more organizations migrate or deploy their business to the cloud, related cybersecurity incidents such as data breaches are also on the rise. Many inherent attributes of cloud environments, for example data sharing, remote access, dynamicity and scalability, pose significant challenges for securing them. Worse still, cyber threats are becoming increasingly sophisticated and covert: attack techniques such as Advanced Persistent Threats (APTs) are continually refined to bypass traditional security controls. Among the emerging technologies for robust threat detection, system provenance analysis is considered a promising mechanism and has attracted widespread attention in the field of incident response. This paper proposes a new few-shot learning-based attack detection method with improved data context intelligence. We collect operating system behavior data from cloud systems during realistic attacks and apply a novel semiotics extraction method to describe system events. Inspired by advances in semantic analysis, a fruitful area of computational linguistics focused on understanding natural language, we further convert the anomaly detection problem into a similarity comparison problem. Comprehensive experiments show that the proposed approach generalizes to unseen attacks and makes accurate predictions, even when the incident detection models are trained on very limited samples.