Conference paper

DUPIN: Attack Learning Is Still Needed! Demonstrating Few-Shot after Unsupervised Pretraining Is A Nimble Forensics Learner

Abstract

Advanced persistent threats (APTs) pose a significant challenge in cybersecurity, involving staged and prolonged operations that often remain undetected until postmortem indicators, such as sabotage or financial loss, emerge. In consequence, human analysts are facing a needle-in-a-haystack challenge among vast accumulation of daily audit logs. However, leveraging a learning system for attack forensics is limited due to the scarcity of attack data, as attacks occur infrequently. In addition, since malicious behaviors are usually embedded in massive benign ones, they are very hard to label by humans. Thus, the recent approaches leverage self-supervised learning methods, where models rely solely on benign data and perform outlier detection. However, these methods struggle with the increasing complexity and dynamics of large-scale audit logs, often resulting in non-trivial false positives. Therefore, we propose a novel approach to learning-based attack forensics called DUPIN. First, DUPIN performs unsupervised pre-training on an enormous amount of audit events in the form of provenance graphs. It then proceeds to a few-shot learning stage, leveraging a small number of labeled attack examples to fine-tune its detection capabilities. We pretrain DUPIN on up to 10-12 days of audit logs (7.3TB total) and evaluate it against various baselines on 25 APT campaigns across four different data sources, facilitating the scalable evaluation.