Abstract—Traditional security detection methods struggle to keep pace with the rapidly evolving landscape of cyber threats targeting critical infrastructure and sensitive data. These approaches suffer from three critical limitations: (i) system activity data collection that is not security-oriented and therefore fails to capture crucial security events; (ii) growing security monitoring demands that lead to continuously expanding monitoring systems and thus excessive resource consumption; and (iii) inadequate detection algorithms that cannot accurately distinguish malicious from benign activities, resulting in high false positive rates.
To address these challenges, we present FEAD (Focus-Enhanced Attack Detection), an attack detection framework that improves detection by focusing, during data collection, on identifying and supplementing security-critical monitoring items and deploying them efficiently, and, during anomaly analysis, on the locality of potentially anomalous entities and their surrounding neighbors. FEAD incorporates three key innovations:
(1) an attack model-driven approach that extracts security-critical monitoring items from online attack reports, yielding a more comprehensive monitoring-item framework; (2) an efficient task decomposition mechanism that optimally distributes monitoring tasks across existing collectors, maximizing the utilization of available monitoring resources while minimizing additional monitoring overhead; (3) a locality-aware anomaly analysis technique that exploits the observation that malicious activities form dense clusters in provenance graphs during active attack phases, and uses it to guide a vertex-level weight mechanism in our detection algorithm that better separates anomalous from benign vertices, thereby improving detection accuracy and reducing false positives.
Evaluations show FEAD outperforms existing solutions with an 8.23% higher F1-score and 5.4% overhead. Our ablation study also confirms that FEAD’s focus-based designs significantly boost detection performance.
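To make the locality idea in innovation (3) concrete, the following added example (not FEAD's code, and not taken from its repository) builds a small constructed provenance graph, assigns each vertex a constructed baseline anomaly score as an isolated per-vertex detector might, and then rescales every score by an assumed locality weight: the fraction of vertices within two hops whose baseline score is already suspicious. The graph, the scores, the radius, the threshold and the floor constant are all assumptions made for illustration.

```python
"""Added illustration of locality-aware vertex weighting on a provenance graph.
This is not FEAD's code: the graph, the baseline scores and the weighting
formula are all constructed for the example."""
from collections import defaultdict, deque

# Constructed toy provenance graph. Vertices are processes, files and sockets;
# an edge records an interaction observed between them (exec, open, connect).
EDGES = [
    # benign background activity
    ("sshd", "bash"), ("bash", "ls"), ("bash", "/etc/passwd"),
    ("cron", "logrotate"), ("logrotate", "/var/log/syslog"),
    # dense cluster of related suspicious activity (an active attack phase)
    ("bash", "curl"), ("curl", "203.0.113.5:443"), ("curl", "/tmp/payload"),
    ("bash", "/tmp/payload"), ("/tmp/payload", "nc"), ("nc", "203.0.113.5:4444"),
    ("/tmp/payload", "/etc/shadow"),
    # an isolated rare event with no suspicious neighbours
    ("cron", "/opt/rare_tool"),
]

# Constructed per-vertex anomaly scores in [0, 1], as a baseline detector
# that looks at each vertex in isolation might produce.
BASE = {
    "sshd": 0.05, "bash": 0.10, "ls": 0.02, "/etc/passwd": 0.05,
    "cron": 0.02, "logrotate": 0.03, "/var/log/syslog": 0.02,
    "curl": 0.55, "203.0.113.5:443": 0.70, "/tmp/payload": 0.80,
    "nc": 0.75, "203.0.113.5:4444": 0.85, "/etc/shadow": 0.60,
    "/opt/rare_tool": 0.72,
}


def build_adjacency(edges):
    """Undirected adjacency sets; edge direction is ignored for locality."""
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def neighborhood(adj, v, radius):
    """All vertices within `radius` hops of v, excluding v itself (BFS)."""
    seen, out, frontier = {v}, set(), deque([(v, 0)])
    while frontier:
        u, depth = frontier.popleft()
        if depth == radius:
            continue
        for w in adj[u]:
            if w not in seen:
                seen.add(w)
                out.add(w)
                frontier.append((w, depth + 1))
    return out


def locality_weights(adj, base, radius=2, threshold=0.5):
    """Assumed weight: fraction of a vertex's neighbourhood whose baseline
    score is already suspicious (>= threshold). Dense clusters score near 1,
    isolated oddities near 0."""
    weights = {}
    for v in adj:
        nb = neighborhood(adj, v, radius)
        suspicious = sum(1 for w in nb if base[w] >= threshold)
        weights[v] = suspicious / len(nb) if nb else 0.0
    return weights


def locality_scores(edges, base, radius=2, threshold=0.5, floor=0.2):
    """Rescale each baseline score by its locality weight. `floor` keeps a
    vertex from being zeroed entirely when its neighbourhood looks clean."""
    adj = build_adjacency(edges)
    w = locality_weights(adj, base, radius, threshold)
    return {v: round(base[v] * (floor + (1 - floor) * w[v]), 3) for v in adj}


def flagged(scores, cutoff):
    """Vertices whose score reaches the alerting cutoff, sorted for stable output."""
    return sorted(v for v, s in scores.items() if s >= cutoff)


if __name__ == "__main__":
    adjusted = locality_scores(EDGES, BASE)
    print("baseline alerts :", flagged(BASE, 0.5))
    print("locality alerts :", flagged(adjusted, 0.3))
```

Run stand-alone, the baseline alert list contains the isolated `/opt/rare_tool` vertex, whose only neighbours are the benign `cron` and `logrotate`; after locality weighting its score drops to the floor (0.144) and it falls below the cutoff, while every vertex in the `curl` / `/tmp/payload` / `nc` cluster keeps a score above it. The radius, threshold and floor are tuning knobs of this assumed scheme, not values from the paper.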
Figure 1. Workflow of FEAD
On this website, we explain FEAD in three main parts:
How We Collect Attack Reports: We begin by detailing our comprehensive approach to gathering attack reports. This includes our diverse collection sources for attack reports and the MITRE ATT&CK Techniques. We then present our collected and filtered attack reports along with ATT&CK Techniques (Attack Reports Collection).
Real-World Attack Monitoring Items Recognition: The second part focuses on our systematic approach to identifying monitoring items through complete Chain of Thought (CoT) prompting. We demonstrate this process through concrete examples, showing how we analyze attack patterns to derive actionable monitoring items. We also present the final set of monitoring items that emerged from our analysis, providing a practical monitoring-item framework for security monitoring (CoT Prompt and Obtained Security Monitor Items).
Implementation Details: The final section covers three key components of our implementation:
Data/Log Collection and Processing: Our comprehensive approach to gathering and preprocessing security-related data and logs
Attack Provenance Graph Construction: Methods for parsing and transforming the collected data into attack provenance graphs for better attack visualization and analysis
Locality-Based Analysis: Implementation of our locality-based anomaly detection algorithms
All source code and detailed documentation are available in our open-source repository at https://github.com/FEAD-Tools/FEAD.