MPCA: Constructing the APTs provenance graphs through multi-perspective confidence and association

The forensic analysis of Advanced Persistent Threats (APTs) attacks is crucial for maintaining cybersecurity. To address the challenges posed by the high complexity and strong concealment of APT attacks, provenance graph based on inter entity dependencies are used for forensic investigation. However, under long-term persistent attacks, entities with semantically consistent behavior patterns become excessively redundant, leading to an explosion of inter entity dependencies and a decrease in forensic efficiency. In addition, the implicit relationships within and between events are not fully represented, and alarm information spreads to neighboring benign events, making it difficult to accurately reconstruct attack scenario. In this paper, we propose an APT attack attribution method MPCA that combines multi-perspective confidence and association. Firstly, by merging parallel branches with semantically consistent behavior patterns in the process connected subgraph, redundant entities and their dependencies are reduced. Secondly, event confidence is estimated to exclude benign events, the association between events and alarms is analyzed to highlight attack events. Experimental results demonstrate that MPCA achieves state-of-the-art performance. MPCA can improve the efficiency of constructing attack scenario graphs, reduce false positive and false negative rates, and demonstrate greater adaptability in attack attribution tasks.