A-SysArmor: A New-Generation APT Attack Detection and Source Tracing Technology

OpenAtom openEuler, 2025-01-07, A-SysArmor

Background Introduction

APT attacks are covert, complex, and persistent, and they are hard to detect. Today the industry mostly relies on Indicator of Compromise (IoC) detection built on hand-written rules and manual analysis. That approach is costly, inaccurate, and hard to interpret, and it cannot effectively defend against advanced persistent threats:

  1. Low accuracy: Existing approaches depend on static rules written by experts, from which indicators of compromise are derived. Such hand-written rules cannot accurately cover real system behavior, so they produce both false positives and false negatives.

  2. Poor interpretability: Existing approaches only summarize individual indicators of compromise and do not capture the higher-level attacker behavior those indicators represent. Moreover, APT attacks are usually "combination punches": attackers chain multiple techniques and methods, producing a large number of logically related indicators. Existing approaches cannot correlate these related indicators automatically, so a security expert has to establish the correlation by hand.

  3. High operating costs: Existing approaches carry high hardware and labor costs and are hard to deploy at scale. On the hardware side, some approaches use machine learning to detect attacks automatically, but the sheer volume of system events makes such models computationally expensive. On the labor side, low accuracy and weak explainability force the security team to spend a great deal of effort on manual analysis, which aggravates the alert fatigue that security defense systems already face.

A-SysArmor: Heterogeneous Convergence Design Driven by Data and Knowledge

To address these limitations, the OpenAtom openEuler (openEuler for short) community project A-SysArmor uses a data- and knowledge-driven algorithm to improve the accuracy and explainability of advanced persistent threat (APT) detection, and a heterogeneous convergence design to reduce the resource cost of that detection.

Project address: https://gitee.com/openeuler/A-SysArmor

A-SysArmor makes three key breakthroughs:

  1. Heterogeneous convergence design and source tracing (provenance) data collection: Optimize the system software and make full use of heterogeneous hardware such as CPUs and DPUs to collect and monitor system security events in real time at low cost, reducing the hardware cost of monitoring.

  2. Data-driven APT attack detection: A new-generation graph learning algorithm mines system logs to discover advanced persistent threats, reducing the false positive rate and improving analysis throughput.

  3. Knowledge-driven explanation of APT attacks: Based on a language model, reconstruct the attack process from the source tracing log data of a detected APT attack, analyze the attack domain, provide reasonable defense suggestions, and generate a readable text alarm report.

Key Technologies for APT Attack Detection and Analysis

Key technology 1: Source tracing log collection based on heterogeneous convergence design

Source tracing (provenance) logs record every behavior in the system, by normal users and attackers alike, and are the foundation of all subsequent APT detection and analysis. Collecting complete, comprehensive source tracing logs is therefore the core prerequisite for APT attack detection and analysis. However, because of the tension between the massive log generation rate and the very limited resources available for security analysis, existing SOTA source tracing log collection solutions such as Sysdig [1] can neither guarantee complete collection nor defend against PDoS attacks on the collection path. A-SysArmor instead designs a collection framework based on threadlets, following the principle "whoever generates a log processes that log": the system call logs generated by different processes are isolated from one another, so one process's log volume does not crowd out another's, the complete source tracing log is collected, and potential PDoS attacks are defended against. To address the objective shortage of security analysis resources in current collection frameworks, A-SysArmor further proposes offloading complex computing tasks and ultra-high log-rate scenarios to new hardware, the DPU. Compared with a traditional solution such as HARDLOG [2], in which the host sends the audit records, A-SysArmor provides a DPU-assisted pull architecture: the DPU proactively fetches source tracing log data from host memory into DPU memory without involving the host CPU. This improves collection efficiency and removes the attack surface associated with the log sender in the collection framework.
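To make the isolation argument concrete, the following is an added simulation written for this article; it is not A-SysArmor code and does not model threadlets or the DPU path. It compares one shared bounded event buffer with per-process bounded buffers serviced round-robin, under a constructed workload in which a "flooder" process emits far more events than the collector can drain. The buffer sizes, rates and process names are assumptions chosen for the illustration.

```python
from collections import deque

# Constructed workload: events emitted per tick by each process.  "flooder" models a
# process trying to swamp the logger; "victim" models a process whose few events the
# analyst actually needs.  All numbers below are assumptions for this illustration.
WORKLOAD = {"flooder": 100, "victim": 2}
TICKS = 10            # simulated time steps
CAPACITY = 50         # events a buffer holds before it overflows (tail drop)
DRAIN_PER_TICK = 20   # events the collector can move out of the kernel per tick


def run_collector(ticks, workload, capacity, drain_per_tick, isolated):
    """Simulate bounded in-kernel event buffers drained by a user-space collector.

    isolated=False: every process appends to one shared FIFO of `capacity`.
    isolated=True:  every process owns a FIFO of `capacity` ("whoever generates the
                    log processes it") and the collector services them round-robin.
    Returns {pid: (events delivered, events dropped)}; events still buffered when
    the simulation ends are counted in neither.
    """
    queues = {pid: deque() for pid in workload} if isolated else {"shared": deque()}
    delivered = {pid: 0 for pid in workload}
    dropped = {pid: 0 for pid in workload}
    for _ in range(ticks):
        # Producers emit this tick's events; a full buffer tail-drops the excess.
        for pid, rate in workload.items():
            q = queues[pid] if isolated else queues["shared"]
            for _ in range(rate):
                if len(q) < capacity:
                    q.append(pid)
                else:
                    dropped[pid] += 1
        # The collector drains a fixed budget of events per tick.
        budget = drain_per_tick
        if isolated:
            # One event from each non-empty per-process buffer per pass, so a noisy
            # process can only exhaust its own buffer, not the collector.
            while budget > 0 and any(queues.values()):
                for q in queues.values():
                    if q and budget > 0:
                        delivered[q.popleft()] += 1
                        budget -= 1
        else:
            q = queues["shared"]
            while budget > 0 and q:
                delivered[q.popleft()] += 1
                budget -= 1
    return {pid: (delivered[pid], dropped[pid]) for pid in workload}


def compare():
    """Run both designs on the same workload; returns (shared result, isolated result)."""
    shared = run_collector(TICKS, WORKLOAD, CAPACITY, DRAIN_PER_TICK, isolated=False)
    isolated = run_collector(TICKS, WORKLOAD, CAPACITY, DRAIN_PER_TICK, isolated=True)
    return shared, isolated


if __name__ == "__main__":
    for name, result in zip(("shared buffer", "per-process buffers"), compare()):
        print(name)
        for pid, (ok, lost) in result.items():
            print(f"  {pid:8s} delivered={ok:4d} dropped={lost:4d}")
```

With the shared buffer the flooder keeps it full and every one of the victim's 20 events is dropped; with per-process buffers the victim loses nothing, and the flooder's overflow is charged to the flooder alone. The same accounting is what makes a per-producer design auditable: a drop counter that is non-zero for exactly one process is itself a signal.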

Key technology 2: Data-driven APT attack detection

The protected system generates a large volume of system source tracing (provenance) logs at all times, and an attacker may break in and damage the system at any moment. A detection system that does not work in real time cannot respond to an attack while it is happening, which leads to missed detections and serious damage to the protected system. Real-time performance is therefore a key factor in whether an APT detection system is usable in practice. In addition, existing SOTA real-time APT detection systems such as UNICORN [3] and HOLMES [4] produce a large number of false alarms, and processing such a flood of alerts requires more security analysts than real deployments can supply. Alert accuracy is therefore the other key factor. A-SysArmor models attack detection as a Steiner tree construction problem and achieves real-time, accurate APT detection at low resource cost. Specifically, the computationally expensive task of correlating and exploring malicious nodes in the provenance graph is cast as building a Steiner tree that connects the suspicious nodes. A-SysArmor then proposes an approximate Steiner tree search strategy with an optimal competitive ratio, which reduces the computational complexity to O(N) and enables attack discovery at low resource consumption.
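The following is an added example, written for this article rather than taken from A-SysArmor, of what "attack detection as a Steiner tree" means in practice. It builds a small constructed provenance graph (processes, files and sockets joined by system-call edges, with low cost on rare events and higher cost on routine ones) and runs the classic greedy online Steiner heuristic: each node flagged by a point detector, as it arrives, is attached to the current tree by its cheapest path. The result is a connected attack subgraph that contains the alerted nodes and the unalerted nodes that link them, with the routine activity left out. The graph, costs, node names and alert order are all assumptions; the search strategy is the textbook greedy heuristic, not the project's own.

```python
import heapq
from collections import defaultdict

# Constructed provenance graph: (entity A, entity B, cost).  Entities are processes,
# files and sockets; an edge is a system call that relates them.  Cost 1 marks a
# rarely seen event, cost 3 a routine one, so paths through routine activity are
# penalised.  Graph, costs and names are assumptions made for this example.
EDGES = [
    ("nginx", "sh", 1),                       # web server spawned a shell
    ("sh", "/tmp/x.sh", 1),                   # shell wrote a script to /tmp
    ("nginx", "/tmp/x.sh", 1),                # web server also touched the file
    ("sh", "curl", 1),                        # shell launched a downloader
    ("curl", "10.0.0.5:443", 1),              # downloader connected out
    ("sh", "/etc/shadow", 1),                 # shell read the credential file
    ("nginx", "/var/www/index.html", 3),      # routine activity from here on
    ("nginx", "/var/log/nginx/access.log", 3),
    ("cron", "/var/log/syslog", 3),
    ("sshd", "bash", 3),
    ("bash", "/home/alice/.bashrc", 3),
    ("bash", "/var/log/syslog", 3),
]

# Nodes flagged by point detectors, in the order the alerts arrive (constructed).
TERMINALS = ["nginx", "/tmp/x.sh", "10.0.0.5:443", "/etc/shadow"]


def build_graph(edges):
    """Undirected adjacency map {node: {neighbour: cost}} keeping the cheapest edge."""
    graph = defaultdict(dict)
    for a, b, cost in edges:
        graph[a][b] = min(cost, graph[a].get(b, cost))
        graph[b][a] = min(cost, graph[b].get(a, cost))
    return graph


def path_from_tree(graph, tree_nodes, target):
    """Multi-source Dijkstra from every node already in the tree to `target`.

    Returns (path, cost) with the path running from a tree node to the target,
    or (None, inf) if the target is unreachable.
    """
    dist = {node: 0 for node in tree_nodes}
    prev = {}
    heap = [(0, node) for node in tree_nodes]
    heapq.heapify(heap)
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue            # stale heap entry
        if u == target:
            break               # popped with its final distance
        for v, cost in graph[u].items():
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    if target not in dist:
        return None, float("inf")
    path = [target]
    while path[-1] not in tree_nodes:
        path.append(prev[path[-1]])
    path.reverse()
    return path, dist[target]


def online_steiner_tree(edges, terminals):
    """Greedy online Steiner tree: attach each arriving terminal to the current
    tree by its cheapest path.  Returns (tree nodes, tree edges, total cost)."""
    graph = build_graph(edges)
    tree_nodes = {terminals[0]}
    tree_edges = set()
    total = 0
    for terminal in terminals[1:]:
        if terminal in tree_nodes:
            continue
        path, cost = path_from_tree(graph, tree_nodes, terminal)
        if path is None:
            raise ValueError(f"{terminal} is not connected to the current tree")
        total += cost
        for a, b in zip(path, path[1:]):
            tree_edges.add(tuple(sorted((a, b))))
        tree_nodes.update(path)
    return tree_nodes, tree_edges, total


if __name__ == "__main__":
    nodes, tree, cost = online_steiner_tree(EDGES, TERMINALS)
    print(f"attack subgraph: {len(nodes)} of {len(build_graph(EDGES))} nodes, cost {cost}")
    for a, b in sorted(tree):
        print(f"  {a} -- {b}")
```

On this input the tree picks up `sh` and `curl`, which no detector flagged, because they are the cheapest link between the alerts, and it never touches `cron`, `sshd` or `bash`. Each new alert costs one shortest-path search from the current tree rather than a re-analysis of the whole graph, which is the property that makes the abstraction usable online; the greedy heuristic is not optimal in general, and its total cost can exceed the offline optimum by a factor that grows with the number of terminals.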

Key technology 3: Knowledge-driven APT attack source tracing and analysis

Existing commercial and academic APT analysis tools generate a large number of alarms, and alarms expressed as behavior nodes or as complete source tracing graphs are hard to understand. In APT analysis scenarios, analysis resources and analysis efficiency are therefore in sharp conflict, and presenting APT alarms in a form that can be understood accurately becomes a key requirement of the detection system. Drawing on high-quality attack knowledge from threat intelligence, A-SysArmor builds an APT attack inference engine that helps users understand the alarms the system raises and improves analysis efficiency at low resource cost. Specifically, A-SysArmor builds a dedicated database from multi-source heterogeneous threat intelligence and designs an efficient attack-likelihood query algorithm over source tracing logs based on fast semantic encoding, producing interactive source tracing graphs with explanation tags as the alarms; this improves both alarm accuracy and readability. A-SysArmor then applies a large language model with chain-of-thought prompting, guided by domain knowledge such as the APT life cycle and the kill chain, to complete the attack alarms above, remove errors, and generate a readable text attack report.
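The following added example, written for this article and not part of A-SysArmor, shows the shape of the explanation layer: provenance events from a detected attack subgraph are matched against a small knowledge base of (subject, action, object) patterns to obtain a kill-chain phase and a human-readable tag, the tagged events are laid out in kill-chain order as a text report, and phases with no evidence between the first and last observed phase are listed as gaps. The knowledge base, event trace and names are constructed for the illustration, and the language-model completion step of the article is replaced by a simple ordering and gap check.

```python
import re
from dataclasses import dataclass

# Cyber kill chain phases in order: the domain knowledge the report is organised by.
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]

# Constructed knowledge base: (subject regex, action, object regex, (phase, explanation)).
# Written for this example; not A-SysArmor's threat-intelligence database.
KNOWLEDGE_BASE = [
    (r"^(nginx|httpd|apache2)$", "exec", r".*",
     ("exploitation", "web server process spawned a child process")),
    (r".*", "write", r"^/tmp/.*\.(sh|elf|bin)$",
     ("installation", "executable payload dropped under /tmp")),
    (r".*", "exec", r"^/tmp/.*",
     ("installation", "payload executed from /tmp")),
    (r"^(curl|wget)$", "connect", r".*",
     ("command_and_control", "downloader process connected to a remote host")),
    (r".*", "read", r"^/etc/(shadow|gshadow)$",
     ("actions_on_objectives", "credential file read")),
]


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since the first event of the trace
    subject: str   # acting process
    action: str    # system-call class
    obj: str       # file, process or socket acted on


# Constructed trace of a detected attack subgraph, plus one routine event.
EVENTS = [
    Event(0, "nginx", "exec", "sh"),
    Event(1, "sh", "write", "/tmp/x.sh"),
    Event(2, "sh", "exec", "/tmp/x.sh"),
    Event(3, "sh", "exec", "curl"),
    Event(4, "curl", "connect", "10.0.0.5:443"),
    Event(9, "sh", "read", "/etc/shadow"),
    Event(10, "nginx", "read", "/var/www/index.html"),
]


def tag_event(event, kb=KNOWLEDGE_BASE):
    """Return (phase, explanation) from the first matching rule, or None."""
    for subj_pat, action, obj_pat, tag in kb:
        if action == event.action and re.match(subj_pat, event.subject) \
                and re.match(obj_pat, event.obj):
            return tag
    return None


def tag_events(events, kb=KNOWLEDGE_BASE):
    """Tag every event, in time order; untagged events keep None."""
    return [(event, tag_event(event, kb)) for event in sorted(events, key=lambda e: e.ts)]


def missing_phases(tagged):
    """Kill-chain phases with no evidence between the earliest and latest observed
    phase: the gaps a downstream completion step would have to fill or flag."""
    seen = {tag[0] for _, tag in tagged if tag}
    if not seen:
        return []
    idx = [KILL_CHAIN.index(phase) for phase in seen]
    return [phase for phase in KILL_CHAIN[min(idx):max(idx) + 1] if phase not in seen]


def render_report(tagged):
    """Plain-text alarm report grouped by kill-chain phase, in chain order."""
    lines = ["APT attack report"]
    for phase in KILL_CHAIN:
        hits = [(e, t) for e, t in tagged if t and t[0] == phase]
        if not hits:
            continue
        lines.append(f"[{phase}]")
        for e, (_, why) in hits:
            lines.append(f"  t+{e.ts}s {e.subject} {e.action} {e.obj}: {why}")
    unexplained = [e for e, t in tagged if t is None]
    if unexplained:
        lines.append("[unexplained events]")
        lines.extend(f"  t+{e.ts}s {e.subject} {e.action} {e.obj}" for e in unexplained)
    gaps = missing_phases(tagged)
    if gaps:
        lines.append("[missing evidence] " + ", ".join(gaps))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(tag_events(EVENTS)))
```

Two events stay unexplained (`sh exec curl`, which no rule covers, and the routine `nginx read /var/www/index.html`), and the report says so rather than silently dropping them; if the `/tmp` events are removed from the trace, the report flags `installation` as missing evidence between exploitation and command-and-control. Both behaviours are what a reviewer wants from an explanation layer: it must make its own coverage limits visible.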

A-SysArmor Results

A-SysArmor has been deployed and verified in multiple laboratory scenarios and in real industrial production scenarios. The results show that it can detect APT attacks accurately and in real time with limited computing resources. For the system component corresponding to each key technology, A-SysArmor achieves the following:

  1. Source tracing log collection: Compared with the existing SOTA, A-SysArmor collects complete system source tracing logs while keeping resource consumption low.

  2. APT attack detection: Real-time, high-precision detection. Compared with SOTA detectors, node-level false positives are reduced by about three orders of magnitude.

  3. APT attack analysis: APT alarms are understood accurately, with a semantic tagging accuracy for attack behavior of nearly 90%, and APT attack reports covering the complete attack behavior and the corresponding defenses are generated efficiently.

For more information, please join us for a deeper discussion.

The openEuler community SIG-Long is dedicated to building a heterogeneous converged computing framework for intelligent infrastructure, making full use of the strengths of different hardware devices, meeting the requirements of different application workloads as fully as possible, and lowering the development threshold and cost.

  1. Sysdig, https://sysdig.com/

  2. HARDLOG: Practical Tamper-Proof System Auditing Using a Novel Audit Device, https://ieeexplore.ieee.org/document/9833745

  3. UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats, https://www.ndss-symposium.org/ndss-paper/unicorn-runtime-provenance-based-detector-for-advanced-persistent-threats/

  4. HOLMES: Real-Time APT Detection through Correlation of Suspicious Information Flows, https://ieeexplore.ieee.org/document/8835390

