NODLINK: An Online System for Fine-Grained APT Attack Detection and Investigation

Shaofei Li

Network and Distributed System Security (NDSS) Symposium 2024 · Day 3 · Network & DDoS

Advanced Persistent Threat (**APT**) attacks pose a significant and costly challenge to modern enterprises; they are typically multi-stage, stealthy, and complex. Traditional Endpoint Detection and Response (**EDR**) systems frequently fall short in detecting these sophisticated threats because they struggle to reconstruct the causal relationships between disparate attack steps. **Provenance graphs**, which model system entities and their dependencies, have emerged as a powerful tool to bridge this gap, but most existing provenance analysis systems are designed for **post-mortem analysis**, leading to detection delays that can extend up to a week. Such delays are financially crippling: studies indicate potential losses of approximately $32,000 per day for as long as an attacker remains undetected within a network.