Ostinato: Cross-host Attack Correlation Through Attack Activity Similarity Detection

  • Conference paper
Information Systems Security (ICISS 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13784)

Abstract

Modern attacks against enterprises often have multiple targets inside the enterprise network. Due to the large size of these networks and increasingly stealthy attacks, attacker activities spanning multiple hosts are extremely difficult to correlate during a threat-hunting effort. In this paper, we present an efficient method for correlating attack activity across multiple hosts. Unlike previous works, our approach does not require lateral movement detection techniques or host-level modifications. Instead, it relies on the observation that attackers have a few strategic mission objectives on every host they infiltrate, and that only a handful of techniques exist for achieving those objectives. The central idea behind our approach is to compare (OS-agnostic) activities on different hosts and correlate the hosts that display the use of similar tactics, techniques, and procedures. We implement our approach in a tool called Ostinato and successfully evaluate it in threat-hunting scenarios involving DARPA-led red team engagements spanning 500 hosts and in another multi-host attack scenario. Ostinato successfully detected 21 additional compromised hosts, which the underlying host-based detection system overlooked in activities spanning multiple days of the attack campaign. Additionally, Ostinato reduced the alarms generated by the underlying detection system by more than 90%, thus helping to mitigate the threat alert fatigue problem.
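One way to turn the abstract's central idea into code, as an added example that is not the authors' implementation of Ostinato: each host is represented by the set of OS-agnostic technique IDs observed on it, hosts already flagged by a host-based detector act as seeds, and any host whose technique set is similar enough to a flagged host (Jaccard overlap, assumed here; the paper's own similarity measure is not given on this page) is pulled into the correlated set, after which alarms from uncorrelated hosts are deprioritised. Host names, technique IDs and alarms are constructed for illustration.

```python
# Constructed per-host activity: host -> set of technique IDs observed there.
# ATT&CK-style IDs are used as illustrative labels only; nothing here is
# taken from the paper's dataset. Windows and Linux hosts share the same
# label space, which is what makes the comparison OS-agnostic.
HOST_TTPS = {
    "win-fin-01": {"T1059", "T1003", "T1021", "T1070", "T1105"},
    "win-fin-02": {"T1059", "T1003", "T1021", "T1105"},
    "lnx-db-03":  {"T1059", "T1003", "T1021", "T1070"},
    "win-hr-04":  {"T1059", "T1204"},
    "lnx-web-05": {"T1190", "T1059", "T1105", "T1070"},
    "win-it-06":  {"T1059"},
}

# Constructed alarms from a host-based detector (host, rule that fired).
ALARMS = [
    {"host": "win-fin-01", "rule": "credential-access"},
    {"host": "win-hr-04",  "rule": "office-macro"},
    {"host": "win-it-06",  "rule": "script-exec"},
    {"host": "lnx-db-03",  "rule": "remote-shell"},
    {"host": "lnx-web-05", "rule": "file-download"},
    {"host": "win-it-06",  "rule": "script-exec"},
    {"host": "win-hr-04",  "rule": "script-exec"},
    {"host": "win-fin-02", "rule": "remote-shell"},
    {"host": "win-it-06",  "rule": "script-exec"},
    {"host": "lnx-web-05", "rule": "script-exec"},
]

def jaccard(a, b):
    """Set overlap: 1.0 for identical sets, 0.0 for disjoint ones."""
    return len(a & b) / len(a | b) if (a or b) else 0.0

def correlate(host_ttps, seeds, threshold):
    """Expand the seed hosts (already flagged by host-based detection) with
    every host whose technique set is at least `threshold` similar to an
    already-flagged host, transitively. Returns the set of suspected hosts."""
    flagged = set(seeds)
    frontier = list(seeds)
    while frontier:
        current = frontier.pop()
        for other, ttps in host_ttps.items():
            if other not in flagged and jaccard(host_ttps[current], ttps) >= threshold:
                flagged.add(other)
                frontier.append(other)
    return flagged

def triage_alarms(alarms, suspected):
    """Keep alarms raised on correlated hosts; report the suppressed fraction."""
    kept = [a for a in alarms if a["host"] in suspected]
    return kept, 1 - len(kept) / len(alarms)
```

With `win-fin-01` as the only seed and a threshold of 0.6, the Linux database host is correlated with the two Windows finance hosts while the remaining hosts, and their alarms, are left for lower-priority review.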



Corresponding author

Correspondence to Sutanu Kumar Ghosh.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Ghosh, S.K., Satvat, K., Gjomemo, R., Venkatakrishnan, V.N. (2022). Ostinato: Cross-host Attack Correlation Through Attack Activity Similarity Detection. In: Badarla, V.R., Nepal, S., Shyamasundar, R.K. (eds) Information Systems Security. ICISS 2022. Lecture Notes in Computer Science, vol 13784. Springer, Cham. https://doi.org/10.1007/978-3-031-23690-7_1

  • DOI: https://doi.org/10.1007/978-3-031-23690-7_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-23689-1

  • Online ISBN: 978-3-031-23690-7
