TY - GEN
T1 - MuSAR
T2 - 28th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2025
AU - Liu, Yang
AU - Xu, Zisen
AU - Luo, Zian
AU - Shang, Jin'Ao
AU - Zhang, Shilong
AU - Zhang, Haichuan
AU - Liu, Ting
N1 - Publisher Copyright:
© 2025 IEEE.
PY - 2025
Y1 - 2025
N2 - Multi-step attacks challenge security analysts in reconstructing attack sequences from extensive multi-host log data. Existing attack reconstruction approaches rely heavily on computationally intensive audit logs and provenance analysis, limiting their practicality in multi-host environments. We present MuSAR, a framework for real-time reconstruction of multi-step attacks in multi-host environments using lightweight security logs (network alarms and application logs). First, network alarms and application logs are consolidated through semantic analysis into inter-host and intra-host security events, respectively. Then, these security events are mapped to unified attack lifecycle stages by integrating the MITRE ATT&CK framework. Finally, a heuristic algorithm identifies potential multi-step attacks and reconstructs complete attack sequences based on event-level semantic associations. Evaluation on the CPTC2018 dataset and a multi-step attack simulation dataset demonstrates MuSAR's effectiveness in identifying attack-related traces and reconstructing multi-step attacks, achieving an average recall of 93.48% and F1-score of 94.39%, respectively, outperforming state-of-the-art methods in attack investigation and reconstruction in multi-host environments.
AB - Multi-step attacks challenge security analysts in reconstructing attack sequences from extensive multi-host log data. Existing attack reconstruction approaches rely heavily on computationally intensive audit logs and provenance analysis, limiting their practicality in multi-host environments. We present MuSAR, a framework for real-time reconstruction of multi-step attacks in multi-host environments using lightweight security logs (network alarms and application logs). First, network alarms and application logs are consolidated through semantic analysis into inter-host and intra-host security events, respectively. Then, these security events are mapped to unified attack lifecycle stages by integrating the MITRE ATT&CK framework. Finally, a heuristic algorithm identifies potential multi-step attacks and reconstructs complete attack sequences based on event-level semantic associations. Evaluation on the CPTC2018 dataset and a multi-step attack simulation dataset demonstrates MuSAR's effectiveness in identifying attack-related traces and reconstructing multi-step attacks, achieving an average recall of 93.48% and F1-score of 94.39%, respectively, outperforming state-of-the-art methods in attack investigation and reconstruction in multi-host environments.
KW - Attack Reconstruction
KW - Event-level Semantic Association
KW - Lightweight Security Logs
KW - Semantic Alignment
UR - https://www.scopus.com/pages/publications/105033689046
U2 - 10.1109/RAID67961.2025.00038
DO - 10.1109/RAID67961.2025.00038
M3 - Conference contribution
AN - SCOPUS:105033689046
T3 - Proceedings - 28th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2025
SP - 329
EP - 348
BT - Proceedings - 28th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2025
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 19 October 2025 through 22 October 2025
ER -