ACTracker: A Fast and Efficient Attack Investigation Method Based on Event Causality

Emerging advanced persistent threats (APTs) have become a significant threat to enterprise network security. Carrying out causality analysis of an attack can help the cyber analyst understand the APT attack process and safely recover the system from it. How to perform causality analysis quickly and efficiently, and generate an attack dependency graph that analysts can readily understand, has become an open problem. In this paper, we propose ACTracker, a fast and efficient attack causality tracker. First, the tracker generates a complete provenance graph from a threat alert, then computes an anomaly score for each provenance path from the anomaly scores of its events. ACTracker quickly constructs a dependency graph describing the causality of the attack by weighing the anomaly degree of each provenance path in the provenance graph. We also design a novel event-frequency statistical method that adapts to corporate network environments of different scales and assigns each event an anomaly score based on its rarity in the current environment. We evaluate our system by simulating a variety of real-world attacks. The experimental results show that our solution can effectively track attack activities in a short time.
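The pipeline sketched above (event rarity scores, per-path anomaly scores, pruning the provenance graph to the most anomalous paths), as an added illustration that is not the paper's code. It assumes a concrete scoring the abstract does not specify: an event's score is the negative log of its relative frequency in a constructed baseline, a path's score is the sum of its events' scores, paths are tracked forward from the alerted entity, and the dependency graph keeps the top-k paths.

```python
import math
from collections import Counter, defaultdict

# Constructed baseline of (src, dst, op) events observed across the environment.
# The rare curl/x.sh events stand in for an attack; the counts are made up.
BASELINE = (
    [("bash", "ls", "exec")] * 500
    + [("sshd", "bash", "exec")] * 200
    + [("bash", "/etc/passwd", "read")] * 50
    + [("bash", "curl", "exec")] * 3
    + [("curl", "/tmp/x.sh", "write")] * 1
    + [("bash", "/tmp/x.sh", "exec")] * 1
    + [("firefox", "/home/u/doc.pdf", "read")] * 300
)

def event_scores(events):
    """Anomaly score per distinct event: rarer in this environment -> higher.
    Using the relative frequency keeps the score comparable across
    environments of different sizes (an assumed form of the paper's idea)."""
    counts = Counter(events)
    total = sum(counts.values())
    return {e: -math.log(c / total) for e, c in counts.items()}

def build_provenance_graph(events):
    """Adjacency list src -> [(dst, event)] over the distinct events."""
    graph = defaultdict(list)
    for e in set(events):
        graph[e[0]].append((e[1], e))
    return graph

def enumerate_paths(graph, start, max_depth=4):
    """All acyclic forward provenance paths from the alerted entity."""
    paths = []
    def dfs(node, path, seen):
        if path:
            paths.append(list(path))
        if len(path) >= max_depth:
            return
        for dst, e in graph.get(node, []):
            if dst not in seen:
                dfs(dst, path + [e], seen | {dst})
    dfs(start, [], {start})
    return paths

def dependency_graph(events, alert_entity, top_k=2):
    """Score every provenance path; the union of the top_k paths is the
    attack dependency graph handed to the analyst (sorted list of events)."""
    scores = event_scores(events)
    paths = enumerate_paths(build_provenance_graph(events), alert_entity)
    ranked = sorted(paths, key=lambda p: sum(scores[e] for e in p), reverse=True)
    return sorted({e for p in ranked[:top_k] for e in p})
```

With the constructed baseline and an alert on `sshd`, the benign `bash -> ls` branch is dropped and only the rare curl / `/tmp/x.sh` chain survives in the dependency graph.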