

[NDSS 2024] NODLINK: An Online System for Fine-Grained APT Attack Detection and Investigation

This repository contains an implementation of NodLink and the public simulated datasets described in the NDSS 2024 paper NODLINK: An Online System for Fine-Grained APT Attack Detection and Investigation.

Simulated-Data

We carried out 5 attacks on three different hosts. The attack descriptions and annotations are listed in the doc folder.

Simulate on Ubuntu

We carried out an attack on Ubuntu 20.04.


SimulatedUbuntu.zip
  - hw17.zip
    - benign.json
    - anomaly.json

Simulate on Windows server 2012

We carried out an attack on Windows Server 2012.

SimulatedWS12.zip
  - hw20.zip
    - benign.json
    - anomaly.json

Simulate on Windows 10

We carried out three attacks on Windows 10.

APT29

Sidewinder

FIN6

SimulatedW10.zip
  - win10.zip
    - benign.json
    - anomaly.json

NodLink

The prototype of NodLink is in the src directory. The README.md in it describes how to run our tool.

ProvDetector

We also provide a prototype reimplementation of ProvDetector, the system described in the paper You Are What You Do: Hunting Stealthy Malware via Data Provenance Analysis.

Citations

If you use any of our tools or datasets in your research for publication, please kindly cite the following paper:

NODLINK: An Online System for Fine-Grained APT Attack Detection and Investigation

Feedback

Should you have any questions, please post to the issue page of the Nodlink/Simulated-Data GitHub repository, or email Shaofei Li via lishaofei@pku.edu.cn.

Acknowledgments

We would like to thank the anonymous reviewers for their valuable feedback and suggestions.