
GHunter: A Fast Subgraph Matching Method for Threat Hunting.

CSCWD (2023)

Abstract
Threat hunting is the process of proactively searching for known attack behavior in an organization's information system. A popular approach to threat hunting uses cyber threat intelligence (CTI) to identify advanced persistent threats (APTs) that are hidden in kernel-level audit logs (e.g., whole-system data provenance). However, existing threat hunting mechanisms cannot produce timely results due to the enormous size of provenance data. As a result, threat hunting cannot help sysadmins quickly recognize an ongoing APT campaign and immediately block any subsequent attack activity. In this paper, we propose GHunter, a system that performs approximate subgraph matching using graph neural networks (GNNs) to quickly and accurately hunt APTs. GHunter first converts known APT scenarios and provenance logs into graph data. Then, GHunter uses GNNs to embed APT scenario graphs and provenance graphs to discover any subgraph relationships. If an APT scenario graph is a subgraph of a provenance graph, GHunter alerts sysadmins to the presence of the corresponding APT scenario in the system. We use DARPA's Transparent Computing (TC) datasets to evaluate GHunter's performance. The results show that GHunter achieves 97% accuracy when hunting APTs from millions of provenance log entries and requires 195x less execution time than prior work.
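The subgraph relationship the abstract describes (an APT scenario graph contained in a provenance graph) is, in its exact form, a labeled subgraph isomorphism check. The following is an added example, not GHunter's code: it builds a provenance graph from constructed audit-log entries, defines a hypothetical scenario graph, and runs the exact backtracking match that GHunter replaces with GNN embeddings to scale. Node names, addresses and the scenario shape are all constructed for illustration.

```python
# Added example (not GHunter's own code): exact labeled subgraph matching over a constructed provenance graph.
# Constructed audit-log entries: (subject, subject_type, action, object, object_type).
PROVENANCE_LOG = [
    ("bash",    "process", "exec",  "wget",                 "process"),
    ("wget",    "process", "recv",  "10.0.0.5:80",          "socket"),  # constructed address
    ("wget",    "process", "write", "/tmp/payload",         "file"),
    ("python3", "process", "read",  "/tmp/payload",         "file"),
    ("python3", "process", "read",  "/etc/passwd",          "file"),
    ("python3", "process", "send",  "10.0.0.5:443",         "socket"),
    ("sshd",    "process", "read",  "/etc/ssh/sshd_config", "file"),    # benign noise
]

# Hypothetical APT scenario graph: one process pulls data from a socket and drops a file;
# another process reads that file plus a sensitive file and sends data out over a socket.
SCENARIO_TYPES = {"P1": "process", "S1": "socket", "F1": "file",
                  "P2": "process", "F2": "file",   "S2": "socket"}
SCENARIO_EDGES = {("P1", "S1", "recv"), ("P1", "F1", "write"), ("P2", "F1", "read"),
                  ("P2", "F2", "read"), ("P2", "S2", "send")}

def build_graph(entries):
    """Turn log entries into a node->type map and a set of (src, dst, action) edges."""
    types, edges = {}, set()
    for subj, subj_type, action, obj, obj_type in entries:
        types[subj], types[obj] = subj_type, obj_type
        edges.add((subj, obj, action))
    return types, edges

def find_subgraph(p_types, p_edges, s_types, s_edges):
    """Backtracking search for an injective, type- and action-preserving embedding of the
    scenario graph into the provenance graph. Returns the mapping, or None if absent."""
    order = list(s_types)
    def consistent(m):  # every scenario edge whose endpoints are both mapped must exist
        return all((m[u], m[v], a) in p_edges for u, v, a in s_edges if u in m and v in m)
    def extend(i, m):
        if i == len(order):
            return dict(m)
        u = order[i]
        for cand in [n for n, t in p_types.items() if t == s_types[u] and n not in m.values()]:
            m[u] = cand
            if consistent(m) and (found := extend(i + 1, m)):
                return found
            del m[u]  # undo the tentative assignment and try the next candidate
        return None
    return extend(0, {})

def hunt(entries, s_types=SCENARIO_TYPES, s_edges=SCENARIO_EDGES):
    """Return the scenario-to-provenance node mapping (an alert) or None when no match exists."""
    return find_subgraph(*build_graph(entries), s_types, s_edges)
```

Calling `hunt(PROVENANCE_LOG)` returns the mapping that binds P1 to `wget` and P2 to `python3`; removing the `send` entry makes the scenario absent and the search returns None. The exhaustive backtracking here is what becomes intractable on millions of entries, which is the cost the paper's GNN-based approximation targets.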
Key words
Cyber Threat Hunting, Cyber Threat Intelligence, Threat Scenario Matching, Graph Pattern Matching