CONAN: A Practical Real-time APT Detection System with High Accuracy and Efficiency

2020
Advanced Persistent Threat (APT) attacks have caused serious security threats and financial losses worldwide. Various real-time detection mechanisms that combine context information and provenance graphs have been proposed to defend against APT attacks. However, existing real-time APT detection mechanisms suffer from accuracy and efficiency issues due to inaccurate detection models and the growing size of provenance graphs. To address the accuracy issue, we propose a novel and accurate APT detection model that removes unnecessary phases and focuses on the remaining ones with improved definitions. To address the efficiency issue, we propose a state-based framework in which events are consumed as streams and each entity is represented in an FSA-like structure without storing historic data. Additionally, we reconstruct attack scenarios by storing just one in a thousand events in a database. Finally, we implement our design, called CONAN, on Windows and conduct comprehensive experiments under real-world scenarios to show that CONAN can accurately and efficiently detect all attacks within our evaluation. The memory usage and CPU efficiency of CONAN remain constant over time (1-10 MB of memory and hundreds of times faster than data generation), making CONAN a practical design for detecting both known and unknown APT attacks in real-world scenarios.