In recent years, fileless attacks have attracted significant attention due to their unique stealthiness and high detection difficulty, gradually becoming a prevalent attack type. Current research on fileless attack detection is mainly limited by issues such as sample imbalance and extreme scarcity of abnormal behavior data, which lead to frequent misclassifications and persistently high false positive rates. This situation severely restricts provenance analysis. Specifically, the presence of numerous false alarms in detection results causes the generated provenance graphs to contain excessive redundant edges or irrelevant nodes, thereby obscuring the true attack paths and preventing a clear depiction of the attack chain. To address these challenges, this paper proposes a fileless attack provenance framework integrating Generative Adversarial Networks (GAN). Leveraging the unique ability of GAN to generate novel data, the framework enhances the model’s capability to recognize anomalous behaviors. By analyzing command-line interactions within system logs, the framework efficiently detects fileless malicious attacks and generates alerts, which are then used for provenance analysis to reconstruct the attack paths. To verify the effectiveness of the proposed method, experiments were conducted across multiple fileless attack scenarios. Provenance analysis was performed using graph neural networks and systematically compared with multi-feature methods and label propagation algorithms, providing a comprehensive evaluation of each method’s provenance performance.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

A GAN-Integrated Framework For Fileless Attack Provenance

  • Jian Jiao,
  • XiaoRan Ding,
  • SheCun Xu

摘要

In recent years, fileless attacks have attracted significant attention due to their unique stealthiness and high detection difficulty, gradually becoming a prevalent attack type. Current research on fileless attack detection is mainly limited by issues such as sample imbalance and extreme scarcity of abnormal behavior data, which lead to frequent misclassifications and persistently high false positive rates. This situation severely restricts provenance analysis. Specifically, the presence of numerous false alarms in detection results causes the generated provenance graphs to contain excessive redundant edges or irrelevant nodes, thereby obscuring the true attack paths and preventing a clear depiction of the attack chain. To address these challenges, this paper proposes a fileless attack provenance framework integrating Generative Adversarial Networks (GAN). Leveraging the unique ability of GAN to generate novel data, the framework enhances the model’s capability to recognize anomalous behaviors. By analyzing command-line interactions within system logs, the framework efficiently detects fileless malicious attacks and generates alerts, which are then used for provenance analysis to reconstruct the attack paths. To verify the effectiveness of the proposed method, experiments were conducted across multiple fileless attack scenarios. Provenance analysis was performed using graph neural networks and systematically compared with multi-feature methods and label propagation algorithms, providing a comprehensive evaluation of each method’s provenance performance.