Strategic Monitoring for Efficient Detection of Simultaneous APT Attacks with Limited Resources

Advanced Persistent Threats (APT) are a type of sophisticated multistage cyber attack, and the defense against APT is challenging. Existing studies apply signature-based or behavior-based methods to analyze monitoring data detect APT, but little research has been dedicated important problem addressing detection with limited resources. In order maintain primary functionality system, resources allocated for security purposes, example logging examining behavior usually constrained. Therefore, when facing multiple simultaneous powerful attacks like allocation becomes critical. The in this paper focuses on threat model where exist defender’s defender does not have sufficient check every running process. To capture footprint activities including benign activities, work leverages provenance graph which constructed based dependencies processes. Furthermore, strategy efficiently from incomplete information paths graph, by considering both “exploitation” effect “exploration” effect. contributions two-fold. First, it extends classic UCB algorithm domain multi-armed bandit solve problems, proposes use malevolence value path, generated novel LSTM neural network as exploitation term. Second, consideration innovative experimental results show that beneficial enforce satisfies same property term using proposed strategy, detected more than random greedy regarding time needed number attacks.