Venue: IEEE International Conference on Big Data Science and Engineering

ChainSpot: Mining Service Logs for Cyber Security Threat Detection


Abstract

Given service logs recording who used which service, and when, how can we find intrusions and anomalies? In this paper, a cyber threat detection framework, ChainSpot, is proposed. Its novelty is to build graphical patterns by summarizing a user's sequential behavior in using application-layer services, and to discover deviations from that user's normal patterns. Besides modeling, the trade-off between feature explicitness and computational complexity is properly addressed as well. The effectiveness and performance of the proposed method are evaluated on a dataset collected in a real environment. Experiments show that ChainSpot provides very good support for identifying abnormal behaviors, which is the starting point of threat detection. The detection results are highly correlated with expert-labeled ground truth; therefore, ChainSpot is shown to reduce forensics effort significantly. Moreover, case investigations demonstrate that the differences between benign and suspicious patterns can be further interpreted to reconstruct the attack scenarios. The analytic findings may then be treated as indicators of compromise for threat detection and as in-depth clues for digital forensics.
