{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,24]],"date-time":"2025-11-24T07:14:53Z","timestamp":1763968493788},"reference-count":43,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2022,6,1]],"date-time":"2022-06-01T00:00:00Z","timestamp":1654041600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2022,6,1]],"date-time":"2022-06-01T00:00:00Z","timestamp":1654041600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"name":"Industrial Internet Innovation and Development Project","award":["TC200H030"],"award-info":[{"award-number":["TC200H030"]}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecurity"],"published-print":{"date-parts":[[2022,12]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Hunting advanced threats hidden in enterprise networks has always been a complex and difficult task. Because attackers use such a variety of techniques, traditional security systems find these threats hard to detect. Most existing methods analyze log records, but the volume of log records generated every day is very large, so finding the information related to an attack quickly and effectively in massive data streams is an important problem. Because a knowledge graph supports automatic relation computation and complex relation analysis, and gives relatively fast feedback, our work proposes constructing a knowledge graph from kernel audit records that fully captures the global correlation among the entities observed in audit logs. We design the construction and application process of this knowledge graph so that it can be applied to actual threat hunting activities. 
We then explore in detail different ways of using the constructed knowledge graph to hunt actual threats. Finally, we implement a LAN-wide hunting system that is convenient and flexible for security analysts. Evaluations based on the adversarial engagement designed by DARPA show that our platform can effectively hunt sophisticated threats and quickly restore the attack path or assess the impact of an attack.<\/jats:p>","DOI":"10.1186\/s42400-022-00111-2","type":"journal-article","created":{"date-parts":[[2022,6,1]],"date-time":"2022-06-01T02:02:46Z","timestamp":1654048966000},"update-policy":"http:\/\/dx.doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":10,"title":["A flexible approach for cyber threat hunting based on kernel audit records"],"prefix":"10.1186","volume":"5","author":[{"given":"Fengyu","family":"Yang","sequence":"first","affiliation":[]},{"given":"Yanni","family":"Han","sequence":"additional","affiliation":[]},{"given":"Ying","family":"Ding","sequence":"additional","affiliation":[]},{"given":"Qian","family":"Tan","sequence":"additional","affiliation":[]},{"given":"Zhen","family":"Xu","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2022,6,1]]},"reference":[{"key":"111_CR1","unstructured":"Belhajjame K (2013) PROV-DM: the PROV data model. https:\/\/www.w3.org\/TR\/prov-dm\/"},{"key":"111_CR2","unstructured":"The MITRE Corporation (2015) ATT&CK. https:\/\/attack.mitre.org"},{"key":"111_CR3","unstructured":"Bianco DJ (2019) The ThreatHunting project. https:\/\/www.threathunting.net"},{"key":"111_CR4","unstructured":"Gao P, Xiao X, Li D, Li Z, Jee K, Wu Z, Kim CH, Kulkarni SR, Mittal P (2018) SAQL: a stream-based query system for real-time abnormal system behavior detection. 
In: 27th USENIX security symposium (USENIX security 18), pp 639\u2013656"},{"key":"111_CR5","unstructured":"Gao P, Xiao X, Li Z, Xu F, Kulkarni SR, Mittal P (2018) AIQL: enabling efficient attack investigation from system monitoring data. In: USENIX annual technical conference (USENIX ATC 18), pp 113\u2013126"},{"key":"111_CR6","doi-asserted-by":"crossref","unstructured":"Gehani A, Tariq D (2012) SPADE: support for provenance auditing in distributed environments. In: ACM\/IFIP\/USENIX international conference on distributed systems platforms and open distributed processing. Springer, pp 101\u2013120","DOI":"10.1007\/978-3-642-35170-9_6"},{"issue":"1","key":"111_CR7","doi-asserted-by":"publisher","first-page":"29","DOI":"10.3233\/AO-160163","volume":"11","author":"A Gr\u00e9gio","year":"2016","unstructured":"Gr\u00e9gio A, Bonacin R, de Marchi AC, Nabuco OF, de Geus PL (2016) An ontology of suspicious software behavior. Appl Ontol 11(1):29\u201349","journal-title":"Appl Ontol"},{"key":"111_CR8","doi-asserted-by":"crossref","unstructured":"Gr\u00e9gio A, Bonacin R, Nabuco O, Afonso VM, De Geus PL, Jino M (2014) Ontology for malware behavior: a core model proposal. In: IEEE 23rd international WETICE conference. IEEE, pp 453\u2013458","DOI":"10.1109\/WETICE.2014.72"},{"key":"111_CR9","doi-asserted-by":"crossref","unstructured":"Han X, Pasquier T, Bates A, Mickens J, Seltzer M (2020) Unicorn: runtime provenance-based detector for advanced persistent threats. arXiv preprint. arXiv:2001.01525","DOI":"10.14722\/ndss.2020.24046"},{"key":"111_CR10","doi-asserted-by":"crossref","unstructured":"Hassan WU, Guo S, Li D, Chen Z, Jee K, Li Z, Bates A (2019) NODOZE: combatting threat alert fatigue with automated provenance triage. 
In: Network and distributed system security symposium","DOI":"10.14722\/ndss.2019.23349"},{"key":"111_CR11","doi-asserted-by":"crossref","unstructured":"Hassan WU, Noureddine MA, Datta P, Bates A (2020) OmegaLog: high-fidelity attack investigation via transparent multi-layer log analysis. In: Network and distributed system security symposium","DOI":"10.14722\/ndss.2020.24270"},{"key":"111_CR12","unstructured":"Hossain MN, Milajerdi SM, Wang J, Eshete B, Gjomemo R, Sekar R, Stoller S, Venkatakrishnan V (2017) SLEUTH: real-time attack scenario reconstruction from COTS audit data. In: 26th USENIX security symposium (USENIX security 17), pp 487\u2013504"},{"key":"111_CR13","unstructured":"Hossain MN, Wang J, Weisse O, Sekar R, Genkin D, He B, Stoller SD, Fang G, Piessens F, Downing E et al (2018) Dependence-preserving data compaction for scalable forensic analysis. In: 27th USENIX security symposium (USENIX security 18), pp 1723\u20131740"},{"key":"111_CR14","doi-asserted-by":"crossref","unstructured":"Huang H-D, Chuang T-Y, Tsai Y-L, Lee C-S (2010) Ontology-based intelligent system for malware behavioral analysis. In: International conference on fuzzy systems. IEEE, pp 1\u20136","DOI":"10.1109\/FUZZY.2010.5584325"},{"key":"111_CR15","doi-asserted-by":"crossref","unstructured":"Ji Y, Lee S, Downing E, Wang W, Fazzini M, Kim T, Orso A, Lee W (2017) RAIN: refinable attack investigation with on-demand inter-process information flow tracking. In: Proceedings of the 2017 ACM SIGSAC conference on computer and communications security, pp 377\u2013390","DOI":"10.1145\/3133956.3134045"},{"key":"111_CR16","unstructured":"Ji Y, Lee S, Fazzini M, Allen J, Downing E, Kim T, Orso A, Lee W (2018) Enabling refinable cross-host attack investigation with efficient data flow tagging and tracking. 
In: 27th USENIX security symposium (USENIX security 18), pp 1705\u20131722"},{"key":"111_CR17","doi-asserted-by":"crossref","unstructured":"King ST, Chen PM (2003) Backtracking intrusions. In: Proceedings of the nineteenth ACM symposium on operating systems principles, pp 223\u2013236","DOI":"10.1145\/1165389.945467"},{"key":"111_CR18","doi-asserted-by":"crossref","unstructured":"Kwon Y, Wang F, Wang W, Lee KH, Lee W-C, Ma S, Zhang X, Xu D, Jha S, Ciocarlie GF et al (2018) MCI: modeling-based causality inference in audit logging for attack investigation. In: NDSS","DOI":"10.14722\/ndss.2018.23306"},{"key":"111_CR19","unstructured":"Lee KH, Zhang X, Xu D (2013) High accuracy attack provenance via binary-based execution partition. In: NDSS, p 16"},{"key":"111_CR20","doi-asserted-by":"crossref","unstructured":"Lee KH, Zhang X, Xu D (2013) LogGC: garbage collecting audit log. In: Proceedings of the 2013 ACM SIGSAC conference on computer and communications security, pp 1005\u20131016","DOI":"10.1145\/2508859.2516731"},{"key":"111_CR21","doi-asserted-by":"crossref","unstructured":"Liu Y, Zhang M, Li D, Jee K, Li Z, Wu Z, Rhee J, Mittal P (2018) Towards a timely causality analysis for enterprise security. In: NDSS","DOI":"10.14722\/ndss.2018.23254"},{"key":"111_CR22","doi-asserted-by":"crossref","unstructured":"Mavroeidis V, Bromander S (2017) Cyber threat intelligence model: an evaluation of taxonomies, sharing standards, and ontologies within cyber threat intelligence. In: European intelligence and security informatics conference (EISIC). IEEE, pp 91\u201398","DOI":"10.1109\/EISIC.2017.20"},{"key":"111_CR23","doi-asserted-by":"crossref","unstructured":"Mavroeidis V, J\u00f8sang A (2018) Data-driven threat hunting using sysmon. 
In: Proceedings of the 2nd international conference on cryptography, security and privacy, pp 82\u201388","DOI":"10.1145\/3199478.3199490"},{"key":"111_CR24","unstructured":"Ma S, Zhai J, Wang F, Lee KH, Zhang X, Xu D (2017) MPI: multiple perspective attack investigation with semantic aware execution partitioning. In: 26th USENIX security symposium (USENIX security 17), pp 1111\u20131128"},{"key":"111_CR25","doi-asserted-by":"crossref","unstructured":"Ma S, Zhang X, Xu D (2016) ProTracer: towards practical provenance tracing by alternating between logging and tainting. In: NDSS","DOI":"10.14722\/ndss.2016.23350"},{"key":"111_CR26","doi-asserted-by":"crossref","unstructured":"Milajerdi SM, Eshete B, Gjomemo R, Venkatakrishnan V (2019) Poirot: aligning attack behavior with kernel audit records for cyber threat hunting. In: Proceedings of the 2019 ACM SIGSAC conference on computer and communications security, pp 1795\u20131812","DOI":"10.1145\/3319535.3363217"},{"key":"111_CR27","doi-asserted-by":"crossref","unstructured":"Milajerdi SM, Gjomemo R, Eshete B, Sekar R, Venkatakrishnan V (2019) Holmes: real-time APT detection through correlation of suspicious information flows. In: IEEE symposium on security and privacy (SP). IEEE, pp 1137\u20131152","DOI":"10.1109\/SP.2019.00026"},{"key":"111_CR28","unstructured":"MITRE: CAR-2013-08-001: execution with schtasks (2013). https:\/\/car.mitre.org\/analytics\/CAR-2013-08-001\/"},{"key":"111_CR29","unstructured":"MITRE: CAR-2014-05-002: services launching Cmd (2014). https:\/\/car.mitre.org\/analytics\/CAR-2014-05-002\/"},{"key":"111_CR30","unstructured":"MITRE: MITRE cyber analytics repository (2020). https:\/\/car.mitre.org"},{"key":"111_CR31","unstructured":"Obrst L, Chase P, Markeloff R (2012) Developing an ontology of the cyber security domain. In: STIDS, pp 49\u201356. 
Citeseer"},{"key":"111_CR32","unstructured":"Oltramari A, Cranor LF, Walls RJ, McDaniel PD (2014) Building an ontology of cyber security. In: STIDS, pp 54\u201361. Citeseer"},{"key":"111_CR33","unstructured":"Osquery-for-security (2021). https:\/\/medium.com\/@clong\/osquery-for-security-b66fffdf2daf"},{"key":"111_CR34","doi-asserted-by":"crossref","unstructured":"Pasquier T, Han X, Moyer T, Bates A, Hermant O, Eyers D, Bacon J, Seltzer M (2018) Runtime analysis of whole-system provenance. In: Proceedings of the 2018 ACM SIGSAC conference on computer and communications security, pp 1601\u20131616","DOI":"10.1145\/3243734.3243776"},{"key":"111_CR35","unstructured":"Patzke T (2017) SigmaHQ. https:\/\/github.com\/SigmaHQ\/sigma"},{"key":"111_CR36","unstructured":"Neo4j (2021) Neo4j graph platform: the leader in graph databases. https:\/\/neo4j.com\/"},{"key":"111_CR37","doi-asserted-by":"crossref","unstructured":"Shu X, Araujo F, Schales DL, Stoecklin MP, Jang J, Huang H, Rao JR (2018) Threat intelligence computing. In: Proceedings of the 2018 ACM SIGSAC conference on computer and communications security, pp 1883\u20131898","DOI":"10.1145\/3243734.3243829"},{"key":"111_CR38","unstructured":"Threatbook. https:\/\/x.threatbook.cn\/"},{"key":"111_CR39","unstructured":"ThreatMiner. https:\/\/www.threatminer.org\/"},{"key":"111_CR40","unstructured":"Torrey J (2020) Transparent-computing. https:\/\/github.com\/darpa-i2o\/Transparent-Computing"},{"key":"111_CR41","unstructured":"Virustotal (2020). https:\/\/www.virustotal.com\/gui\/"},{"key":"111_CR42","doi-asserted-by":"crossref","unstructured":"Xu Z, Wu Z, Li Z, Jee K, Rhee J, Xiao X, Xu F, Wang H, Jiang G (2016) High fidelity data reduction for big data security dependency analyses. 
In: Proceedings of the 2016 ACM SIGSAC conference on computer and communications security, pp 504\u2013516","DOI":"10.1145\/2976749.2978378"},{"key":"111_CR43","doi-asserted-by":"crossref","unstructured":"Yang R, Ma S, Xu H, Zhang X, Chen Y (2020) UIScope: accurate, instrumentation-free, and visible attack investigation for GUI applications. In: NDSS","DOI":"10.14722\/ndss.2020.24329"}],"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-022-00111-2.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-022-00111-2\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-022-00111-2.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,6,1]],"date-time":"2022-06-01T02:05:16Z","timestamp":1654049116000},"score":1,"resource":{"primary":{"URL":"https:\/\/cybersecurity.springeropen.com\/articles\/10.1186\/s42400-022-00111-2"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,6,1]]},"references-count":43,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2022,12]]}},"alternative-id":["111"],"URL":"https:\/\/doi.org\/10.1186\/s42400-022-00111-2","relation":{},"ISSN":["2523-3246"],"issn-type":[{"value":"2523-3246","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,6,1]]},"assertion":[{"value":"27 September 2021","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"17 January 2022","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"1 June 2022","order":3,"name":"first_online","label":"First 
Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no competing interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"11"}}
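The abstract above describes building a graph from kernel audit records and then using it in two directions: tracing backwards from a symptom to restore the attack path, and tracing forwards from a compromised entity to assess impact, plus running hunting queries over the graph. The Python below is an added illustration of that technique written for this record; it is not code from the paper or from the authors' hunting system. It assumes a simplified audit-record shape (time, subject process, operation, object), a constructed sequence of nine events modelling a download-and-execute intrusion, and a FLOW table mapping each operation to a direction of information flow; the node names, the events and the "download and execute" hunt pattern are all assumptions of the example.

```python
"""Provenance-graph threat hunting over kernel audit records.

Illustrative example: the record format, node names and events below are
constructed for this example and are not real audit data.
"""
from collections import defaultdict

# Which side of an audit record information flows FROM, per operation.
# Processes are named "pid:image", files by path, sockets as "sock:ip:port".
FLOW_FROM_SUBJECT = {"fork", "write", "send"}   # subject -> object
FLOW_FROM_OBJECT = {"recv", "read", "exec"}     # object  -> subject

# Constructed audit records: (time, subject, op, object). Events 1-8 model
# a shell that pulls a payload over the network, drops it, runs it, and the
# payload reads a sensitive file and talks back to the same remote host.
# Event 9 is unrelated benign activity that a good trace must not pull in.
EVENTS = [
    (1, "100:sshd",    "fork",  "200:bash"),
    (2, "200:bash",    "recv",  "sock:10.0.0.5:443"),
    (3, "200:bash",    "write", "/tmp/dropper"),
    (4, "200:bash",    "fork",  "300:dropper"),
    (5, "300:dropper", "exec",  "/tmp/dropper"),
    (6, "300:dropper", "read",  "/etc/passwd"),
    (7, "300:dropper", "send",  "sock:10.0.0.5:443"),
    (8, "300:dropper", "write", "/var/tmp/.cache"),
    (9, "400:cron",    "read",  "/etc/crontab"),
]


def build_graph(events):
    """Build forward and backward adjacency lists keyed by node.

    Each entry is (neighbour, time, op); edge direction follows the
    direction of information flow, so the result is a provenance graph.
    """
    fwd, bwd = defaultdict(list), defaultdict(list)
    for t, subj, op, obj in events:
        if op in FLOW_FROM_SUBJECT:
            src, dst = subj, obj
        elif op in FLOW_FROM_OBJECT:
            src, dst = obj, subj
        else:
            raise ValueError(f"unknown operation {op!r}")
        fwd[src].append((dst, t, op))
        bwd[dst].append((src, t, op))
    return fwd, bwd


def backward_trace(bwd, node, t_max):
    """Attack-path restoration: every node that could have influenced
    `node` by time t_max. An incoming edge is followed only if it happened
    no later than the current bound, and the edge time becomes the new
    bound, so later unrelated activity is excluded (the backtracking rule)."""
    bound_seen = {}            # node -> largest bound it was expanded with
    stack = [(node, t_max)]
    while stack:
        n, bound = stack.pop()
        for src, t, _op in bwd.get(n, ()):
            if t <= bound and bound_seen.get(src, -1) < t:
                bound_seen[src] = t
                stack.append((src, t))
    return set(bound_seen)


def forward_trace(fwd, node, t_min):
    """Impact assessment: every node reachable from `node` through edges
    that happened at or after t_min, tightening the bound as we go."""
    bound_seen = {}            # node -> smallest bound it was expanded with
    stack = [(node, t_min)]
    while stack:
        n, bound = stack.pop()
        for dst, t, _op in fwd.get(n, ()):
            if t >= bound and bound_seen.get(dst, float("inf")) > t:
                bound_seen[dst] = t
                stack.append((dst, t))
    return set(bound_seen)


def hunt_download_and_execute(fwd, bwd):
    """Hunting query: socket -recv-> P -write-> F -exec-> Q, in time order.

    Returns (socket, writer, file, executor) tuples; this is the kind of
    TTP-shaped pattern one would otherwise write as a graph-database query."""
    matches = []
    for f, outs in list(fwd.items()):
        for q, t_exec, op in outs:
            if op != "exec":
                continue
            for p, t_write, op_w in bwd.get(f, ()):
                if op_w != "write" or t_write >= t_exec:
                    continue
                for sock, t_recv, op_r in bwd.get(p, ()):
                    if op_r == "recv" and t_recv < t_write:
                        matches.append((sock, p, f, q))
    return matches


if __name__ == "__main__":
    fwd, bwd = build_graph(EVENTS)
    print("hunt matches:", hunt_download_and_execute(fwd, bwd))
    print("attack path to /var/tmp/.cache:",
          sorted(backward_trace(bwd, "/var/tmp/.cache", 8)))
    print("impact of sock:10.0.0.5:443:",
          sorted(forward_trace(fwd, "sock:10.0.0.5:443", 2)))
```

The timestamp bound on each hop is what keeps the benign cron read at time 9 out of the restored attack path and keeps the earlier recv from re-entering the impact set after the later send; without it, long-running processes such as a shell would connect everything to everything (the dependence-explosion problem the cited forensic literature works around). On a real host the graph would live in a graph database rather than in Python dicts, and the hunt pattern would be one of many analytics expressed as graph queries.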