Attack Effect Model based Malicious Behavior Detection

Cryptography and Security 2025-06-06 v1

Abstract

Traditional security detection methods face three key challenges: inadequate data collection that misses critical security events, resource-intensive monitoring systems, and weak detection algorithms with high false positive rates. We present FEAD (Focus-Enhanced Attack Detection), a framework that addresses these issues through three innovations: (1) an attack model-driven approach that extracts security-critical monitoring items from online attack reports for comprehensive coverage; (2) efficient task decomposition that optimally distributes monitoring across existing collectors to minimize overhead; and (3) locality-aware anomaly analysis that leverages the clustering behavior of malicious activities in provenance graphs to improve detection accuracy. Evaluations show that FEAD achieves an F1-score 8.23% higher than existing solutions with only 5.4% overhead, confirming that focus-based designs significantly improve detection performance.
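The third point above, that malicious activity clusters in the provenance graph while rare-but-benign events tend to occur in isolation, is the one a practitioner most wants to see concretely. The following added example is not code from the paper and is not FEAD's algorithm; it is a minimal illustration of locality-aware scoring. It assumes a per-event rarity score derived from a constructed benign baseline, and reinforces each event's score with the mean score of the events sharing a node with it (its 1-hop neighbourhood). The baseline counts, the audit events, the scoring formula, the mixing weight `alpha` and the threshold are all assumptions made for the example.

```python
"""Locality-aware anomaly scoring over a small provenance graph.

Illustration only: this is not FEAD's algorithm and not code from the paper.
It shows why neighbourhood context helps: an isolated rare-but-benign event
is discounted, while a chain of rare events reinforces itself.
"""
from collections import defaultdict

# Constructed benign baseline (assumed numbers, not measured data): how often
# each (subject, action, object) triple was observed in a training window.
BASELINE = {
    ("bash", "exec", "vim"): 400,
    ("vim", "write", "/home/u/notes.txt"): 350,
    ("cron", "exec", "run-parts"): 900,
    ("logrotate", "write", "/var/log/syslog.1"): 30,
    ("bash", "exec", "curl"): 120,
}

# Constructed audit stream for one host: (event id, subject, action, object).
# Event 3 is a rare-but-benign one-off (first logrotate run seen from cron).
# Events 6-10 are an attack chain: curl drops a binary, bash runs it, the
# binary beacons to an external address and reads /etc/shadow.
EVENTS = [
    (1, "bash", "exec", "vim"),
    (2, "vim", "write", "/home/u/notes.txt"),
    (3, "cron", "exec", "logrotate"),
    (4, "cron", "exec", "run-parts"),
    (5, "logrotate", "write", "/var/log/syslog.1"),
    (6, "bash", "exec", "curl"),
    (7, "curl", "write", "/tmp/.x"),
    (8, "bash", "exec", "/tmp/.x"),
    (9, "/tmp/.x", "connect", "198.51.100.7:4444"),
    (10, "/tmp/.x", "read", "/etc/shadow"),
]


def rarity(subject, action, obj, baseline=BASELINE):
    """Per-event anomaly score in (0, 1]: 1.0 for a never-seen triple,
    approaching 0 for frequently observed ones (assumed scoring rule)."""
    return 1.0 / (1.0 + baseline.get((subject, action, obj), 0))


def adjacency(events):
    """Map each event id to the ids of events that share a node (subject or
    object) with it, i.e. its 1-hop neighbourhood in the provenance graph."""
    by_node = defaultdict(set)
    for eid, subj, _, obj in events:
        by_node[subj].add(eid)
        by_node[obj].add(eid)
    return {eid: (by_node[subj] | by_node[obj]) - {eid}
            for eid, subj, _, obj in events}


def locality_scores(events, baseline=BASELINE, alpha=0.5):
    """Return (base, final) score dicts keyed by event id.

    final = (1 - alpha) * own rarity + alpha * mean rarity of neighbours.
    The mean (not the max) is used so that one rare neighbour cannot by
    itself push a common event over the threshold.
    """
    base = {eid: rarity(s, a, o, baseline) for eid, s, a, o in events}
    neigh = adjacency(events)
    final = {}
    for eid, own in base.items():
        nb = neigh[eid]
        ctx = sum(base[n] for n in nb) / len(nb) if nb else 0.0
        final[eid] = (1 - alpha) * own + alpha * ctx
    return base, final


def alerts(scores, threshold=0.7):
    """Event ids whose score reaches the (assumed) alert threshold."""
    return sorted(eid for eid, s in scores.items() if s >= threshold)


if __name__ == "__main__":
    base, final = locality_scores(EVENTS)
    print("rarity only      :", alerts(base))   # includes the benign event 3
    print("locality-aware   :", alerts(final))  # only the attack chain 7-10
    for eid, s, a, o in EVENTS:
        print(f"{eid:>2} {s:>10} {a:<8} {o:<24} base={base[eid]:.3f} "
              f"final={final[eid]:.3f}")
```

With rarity alone the one-off `cron -> logrotate` exec scores 1.0 and is alerted alongside the attack chain; with the neighbourhood term it drops to about 0.51 because everything adjacent to it is routine, while the four attack events stay at 0.80 or above because their neighbours are themselves rare. The common `bash -> curl` exec is not alerted either way, which is the usual trade-off of a 1-hop scheme: an inconspicuous first step is surfaced through the alerted events it connects to, not on its own.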

Cite

@article{arxiv.2506.05001,
  title   = {Attack Effect Model based Malicious Behavior Detection},
  author  = {Limin Wang and Lei Bu and Muzimiao Zhang and Shihong Cang and Kai Ye},
  journal = {arXiv preprint arXiv:2506.05001},
  year    = {2025}
}