SCAHunter: Scalable Threat Hunting Through Decentralized Hierarchical Monitoring Agent Architecture

Mohiuddin Ahmed; Jinpeng Wei; Ehab Al-Shaer

doi:10.1007/978-3-031-37963-5_88

SCAHunter: Scalable Threat Hunting Through Decentralized Hierarchical Monitoring Agent Architecture

Mohiuddin Ahmed^*, Jinpeng Wei, Ehab Al-Shaer

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

1 Scopus citations

Abstract

This paper presents a scalable, dynamic, flexible, and non-intrusive monitoring architecture for threat hunting. The agent architecture detects attack techniques at the agent level, classifies composite and primitive events, and disseminates seen attack techniques or subscribed event information to the upper-level agent or manager. The proposed solution offers improvement over existing approaches for threat hunting by supporting hierarchical event filtering-based monitoring, which improves monitoring scalability. It reduces memory requirement and communication overhead while maintaining the same accuracy of threat hunting in state-of-the-art centralized approaches. We provide a distributed hierarchical agent architecture and an approximation algorithm for near-optimal agent hierarchy generation. We also evaluated the proposed system across three simulated attack use cases built using the MITRE ATT &CK framework and DARPA OpTC attack dataset. The evaluation shows that our proposed approach reduces communication overhead by 43% to 64% and memory usage by 45% to 60% compared with centralized threat hunting approaches.

Original language	English
Title of host publication	Intelligent Computing - Proceedings of the 2023 Computing Conference
Editors	Kohei Arai
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	1282-1307
Number of pages	26
ISBN (Print)	9783031379628
DOIs	https://doi.org/10.1007/978-3-031-37963-5_88
State	Published - 2023
Externally published	Yes
Event	Proceedings of the Computing Conference 2023 - London, United Kingdom Duration: 22 Jun 2023 → 23 Jun 2023

Publication series

Name	Lecture Notes in Networks and Systems
Volume	739 LNNS
ISSN (Print)	2367-3370
ISSN (Electronic)	2367-3389

Conference

Conference	Proceedings of the Computing Conference 2023
Country/Territory	United Kingdom
City	London
Period	22/06/23 → 23/06/23

Bibliographical note

Publisher Copyright:
© 2023, The Author(s), under exclusive license to Springer Nature Switzerland AG.

Keywords

Hierarchical Event Monitoring
Intrusion Detection
Threat Hunting

ASJC Scopus subject areas

Control and Systems Engineering
Signal Processing
Computer Networks and Communications

Access to Document

10.1007/978-3-031-37963-5_88

Cite this

Ahmed, M., Wei, J., & Al-Shaer, E. (2023). SCAHunter: Scalable Threat Hunting Through Decentralized Hierarchical Monitoring Agent Architecture. In K. Arai (Ed.), Intelligent Computing - Proceedings of the 2023 Computing Conference (pp. 1282-1307). (Lecture Notes in Networks and Systems; Vol. 739 LNNS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-37963-5_88

@inproceedings{80c33281cd0f4fb6862e75207edb1cf6,

title = "SCAHunter: Scalable Threat Hunting Through Decentralized Hierarchical Monitoring Agent Architecture",

abstract = "This paper presents a scalable, dynamic, flexible, and non-intrusive monitoring architecture for threat hunting. The agent architecture detects attack techniques at the agent level, classifies composite and primitive events, and disseminates seen attack techniques or subscribed event information to the upper-level agent or manager. The proposed solution offers improvement over existing approaches for threat hunting by supporting hierarchical event filtering-based monitoring, which improves monitoring scalability. It reduces memory requirement and communication overhead while maintaining the same accuracy of threat hunting in state-of-the-art centralized approaches. We provide a distributed hierarchical agent architecture and an approximation algorithm for near-optimal agent hierarchy generation. We also evaluated the proposed system across three simulated attack use cases built using the MITRE ATT \&CK framework and DARPA OpTC attack dataset. The evaluation shows that our proposed approach reduces communication overhead by 43\% to 64\% and memory usage by 45\% to 60\% compared with centralized threat hunting approaches.",

keywords = "Hierarchical Event Monitoring, Intrusion Detection, Threat Hunting",

author = "Mohiuddin Ahmed and Jinpeng Wei and Ehab Al-Shaer",

note = "Publisher Copyright: {\textcopyright} 2023, The Author(s), under exclusive license to Springer Nature Switzerland AG.; Proceedings of the Computing Conference 2023 ; Conference date: 22-06-2023 Through 23-06-2023",

year = "2023",

doi = "10.1007/978-3-031-37963-5\_88",

language = "English",

isbn = "9783031379628",

series = "Lecture Notes in Networks and Systems",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "1282--1307",

editor = "Kohei Arai",

booktitle = "Intelligent Computing - Proceedings of the 2023 Computing Conference",

address = "Germany",

}

Ahmed, M, Wei, J & Al-Shaer, E 2023, SCAHunter: Scalable Threat Hunting Through Decentralized Hierarchical Monitoring Agent Architecture. in K Arai (ed.), Intelligent Computing - Proceedings of the 2023 Computing Conference. Lecture Notes in Networks and Systems, vol. 739 LNNS, Springer Science and Business Media Deutschland GmbH, pp. 1282-1307, Proceedings of the Computing Conference 2023, London, United Kingdom, 22/06/23. https://doi.org/10.1007/978-3-031-37963-5_88

SCAHunter: Scalable Threat Hunting Through Decentralized Hierarchical Monitoring Agent Architecture. / Ahmed, Mohiuddin; Wei, Jinpeng; Al-Shaer, Ehab.
Intelligent Computing - Proceedings of the 2023 Computing Conference. ed. / Kohei Arai. Springer Science and Business Media Deutschland GmbH, 2023. p. 1282-1307 (Lecture Notes in Networks and Systems; Vol. 739 LNNS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - SCAHunter

T2 - Proceedings of the Computing Conference 2023

AU - Ahmed, Mohiuddin

AU - Wei, Jinpeng

AU - Al-Shaer, Ehab

PY - 2023

Y1 - 2023

N2 - This paper presents a scalable, dynamic, flexible, and non-intrusive monitoring architecture for threat hunting. The agent architecture detects attack techniques at the agent level, classifies composite and primitive events, and disseminates seen attack techniques or subscribed event information to the upper-level agent or manager. The proposed solution offers improvement over existing approaches for threat hunting by supporting hierarchical event filtering-based monitoring, which improves monitoring scalability. It reduces memory requirement and communication overhead while maintaining the same accuracy of threat hunting in state-of-the-art centralized approaches. We provide a distributed hierarchical agent architecture and an approximation algorithm for near-optimal agent hierarchy generation. We also evaluated the proposed system across three simulated attack use cases built using the MITRE ATT &CK framework and DARPA OpTC attack dataset. The evaluation shows that our proposed approach reduces communication overhead by 43% to 64% and memory usage by 45% to 60% compared with centralized threat hunting approaches.

AB - This paper presents a scalable, dynamic, flexible, and non-intrusive monitoring architecture for threat hunting. The agent architecture detects attack techniques at the agent level, classifies composite and primitive events, and disseminates seen attack techniques or subscribed event information to the upper-level agent or manager. The proposed solution offers improvement over existing approaches for threat hunting by supporting hierarchical event filtering-based monitoring, which improves monitoring scalability. It reduces memory requirement and communication overhead while maintaining the same accuracy of threat hunting in state-of-the-art centralized approaches. We provide a distributed hierarchical agent architecture and an approximation algorithm for near-optimal agent hierarchy generation. We also evaluated the proposed system across three simulated attack use cases built using the MITRE ATT &CK framework and DARPA OpTC attack dataset. The evaluation shows that our proposed approach reduces communication overhead by 43% to 64% and memory usage by 45% to 60% compared with centralized threat hunting approaches.

KW - Hierarchical Event Monitoring

KW - Intrusion Detection

KW - Threat Hunting

UR - https://www.scopus.com/pages/publications/85172285385

U2 - 10.1007/978-3-031-37963-5_88

DO - 10.1007/978-3-031-37963-5_88

M3 - Conference contribution

AN - SCOPUS:85172285385

SN - 9783031379628

T3 - Lecture Notes in Networks and Systems

SP - 1282

EP - 1307

BT - Intelligent Computing - Proceedings of the 2023 Computing Conference

A2 - Arai, Kohei

PB - Springer Science and Business Media Deutschland GmbH

Y2 - 22 June 2023 through 23 June 2023

ER -

SCAHunter: Scalable Threat Hunting Through Decentralized Hierarchical Monitoring Agent Architecture

Abstract

Publication series

Conference

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Fingerprint

Cite this