Visible to the public "Detection of Early-Stage Enterprise Infection by Mining Large-Scale Log Data"Conflict Detection Enabled

Title"Detection of Early-Stage Enterprise Infection by Mining Large-Scale Log Data"
Publication TypeConference Paper
Year of Publication2015
AuthorsA. Oprea, Z. Li, T. F. Yen, S. H. Chin, S. Alrwais
Conference Name2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks
Date PublishedJune
ISBN Number978-1-4799-8629-3
Accession Number15473353
Keywordsadvanced persistent threat, advanced persistent threats, APT infection attacks, belief networks, belief propagation, business data processing, Data analysis, data mining, DNS logs, early-stage APT infection, early-stage enterprise infection detection, Electronic mail, graph theory, Internet, invasive software, IP networks, LANL, large-scale log data mining, Los Alamos National Lab, Malware, malware strains, pubcrawl170101, security products, Servers, system-on-chip, Web proxy logs

Recent years have seen the rise of sophisticated attacks including advanced persistent threats (APT) which pose severe risks to organizations and governments. Additionally, new malware strains appear at a higher rate than ever before. Since many of these malware evade existing security products, traditional defenses deployed by enterprises today often fail at detecting infections at an early stage. We address the problem of detecting early-stage APT infection by proposing a new framework based on belief propagation inspired from graph theory. We demonstrate that our techniques perform well on two large datasets. We achieve high accuracy on two months of DNS logs released by Los Alamos National Lab (LANL), which include APT infection attacks simulated by LANL domain experts. We also apply our algorithms to 38TB of web proxy logs collected at the border of a large enterprise and identify hundreds of malicious domains overlooked by state-of-the-art security products.

Citation Key7266837