Search for: All records

Advanced Persistent Threats (APT) attacks have plagued modern enterprises, causing significant financial losses. To counter these attacks, researchers propose techniques that capture the complex and stealthy scenarios of APT attacks by using provenance graphs to model system entities and their dependencies. Particularly, to accelerate attack detection and reduce financial losses, online provenance-based detection systems that detect and investigate APT attacks under the constraints of timeliness and limited resources are in dire need. Unfortunately, existing online systems usually sacrifice detection granularity to reduce computational complexity and produce provenance graphs with more than 100,000 nodes, posing challenges for security admins to interpret the detection results. In this paper, we design and implement NODLINK, the first online detection system that maintains high detection accuracy without sacrificing detection granularity. Our insight is that the APT attack detection process in online provenance-based detection systems can be modeled as a Steiner Tree Problem (STP), which has efficient online approximation algorithms that recover concise attack-related provenance graphs with a theoretically bounded error. To utilize the frameworks of the STP approximation algorithm for APT attack detection, we propose a novel design of in-memory cache, an efficient attack screening method, and a new STP approximation algorithm that is more efficient than the conventional one in APT attack detection while maintaining the same complexity. We evaluate NODLINK in a production environment. The openworld experiment shows that NODLINK outperforms two state-ofthe- art (SOTA) online provenance analysis systems by achieving magnitudes higher detection and investigation accuracy while having the same or higher throughput. 

Abstract Microbial strains with high genomic stability are particularly sought after for testing the quality of commercial microbiological products, such as biological media and antibiotics. Yet, using mutation–accumulation experiments and de novo assembled complete genomes based on Nanopore long-read sequencing, we find that the widely used quality-control strain Shewanella putrefaciens ATCC-8071, also a facultative pathogen, is a hypermutator, with a base-pair substitution mutation rate of 2.42 × 10−8 per nucleotide site per cell division, ∼146-fold greater than that of the wild-type strain CGMCC-1.6515. Using complementation experiments, we confirm that mutL dysfunction, which was a recent evolutionary event, is the cause for the high mutation rate of ATCC-8071. Further analyses also give insight into possible relationships between mutation and genome evolution in this important bacterium. This discovery of a well-known strain being a hypermutator necessitates screening the mutation rate of bacterial strains before any quality control or experiments.