Gespeichert in:
Bibliographische Detailangaben
Hauptverfasser: Huang, Yi-Ting, Guo, Ying-Ren, Yang, Yu-Sheng, Wong, Guo-Wei, Jheng, Yu-Zih, Sun, Yeali, Modini, Jessemyn, Lynar, Timothy, Chen, Meng Chang
Format: Preprint
Veröffentlicht: 2024
Schlagworte:
Online-Zugang:https://arxiv.org/abs/2411.13138
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
_version_ 1866917203513704448
author Huang, Yi-Ting
Guo, Ying-Ren
Yang, Yu-Sheng
Wong, Guo-Wei
Jheng, Yu-Zih
Sun, Yeali
Modini, Jessemyn
Lynar, Timothy
Chen, Meng Chang
author_facet Huang, Yi-Ting
Guo, Ying-Ren
Yang, Yu-Sheng
Wong, Guo-Wei
Jheng, Yu-Zih
Sun, Yeali
Modini, Jessemyn
Lynar, Timothy
Chen, Meng Chang
contents With the increasing sophistication of Advanced Persistent Threats (APTs), the demand for effective detection and mitigation strategies and methods has escalated. Program execution leaves traces in the system audit log, which can be analyzed to detect malicious activities. However, collecting and analyzing large volumes of audit logs over extended periods is challenging, further compounded by insufficient labeling that hinders their usability. Addressing these challenges, this paper introduces SAGA (Synthetic Audit log Generation for APT campaigns), a novel approach for generating find-grained labeled synthetic audit logs that mimic real-world system logs while embedding stealthy APT attacks. SAGA generates configurable audit logs for arbitrary duration, blending benign logs from normal operations with malicious logs based on the definitions the MITRE ATT\&CK framework. Malicious audit logs follow an APT lifecycle, incorporating various attack techniques at each stage. These synthetic logs can serve as benchmark datasets for training machine learning models and assessing diverse APT detection methods. To demonstrate the usefulness of synthetic audit logs, we ran established baselines of event-based technique hunting and APT campaign detection using various synthetic audit logs. In addition, we show that a deep learning model trained on synthetic audit logs can detect previously unseen techniques within audit logs.
format Preprint
id arxiv_https___arxiv_org_abs_2411_13138
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle SAGA: Synthetic Audit Log Generation for APT Campaigns
Huang, Yi-Ting
Guo, Ying-Ren
Yang, Yu-Sheng
Wong, Guo-Wei
Jheng, Yu-Zih
Sun, Yeali
Modini, Jessemyn
Lynar, Timothy
Chen, Meng Chang
Cryptography and Security
With the increasing sophistication of Advanced Persistent Threats (APTs), the demand for effective detection and mitigation strategies and methods has escalated. Program execution leaves traces in the system audit log, which can be analyzed to detect malicious activities. However, collecting and analyzing large volumes of audit logs over extended periods is challenging, further compounded by insufficient labeling that hinders their usability. Addressing these challenges, this paper introduces SAGA (Synthetic Audit log Generation for APT campaigns), a novel approach for generating find-grained labeled synthetic audit logs that mimic real-world system logs while embedding stealthy APT attacks. SAGA generates configurable audit logs for arbitrary duration, blending benign logs from normal operations with malicious logs based on the definitions the MITRE ATT\&CK framework. Malicious audit logs follow an APT lifecycle, incorporating various attack techniques at each stage. These synthetic logs can serve as benchmark datasets for training machine learning models and assessing diverse APT detection methods. To demonstrate the usefulness of synthetic audit logs, we ran established baselines of event-based technique hunting and APT campaign detection using various synthetic audit logs. In addition, we show that a deep learning model trained on synthetic audit logs can detect previously unseen techniques within audit logs.
title SAGA: Synthetic Audit Log Generation for APT Campaigns
topic Cryptography and Security
url https://arxiv.org/abs/2411.13138