NDSS 2021

WATSON: Abstracting Behaviors from Audit Logs via Aggregation of Contextual Semantics

Jun Zeng, Zheng Leong Chua, Yinfang Chen, Kaihang Ji, Zhenkai Liang, Jian Mao

Abstract

Endpoint monitoring solutions are widely deployed in today’s enterprise environments to support advanced attack detection and investigation. These monitors continuously record system-level activities as audit logs and provide deep visibility into security incidents. Unfortunately, to recognize behaviors of interest and detect potential threats, cyber analysts face a semantic gap between low-level audit events and high-level system behaviors. To bridge this gap, existing work largely matches streams of audit logs against a knowledge base of rules that describe behaviors. However, specifying such rules heavily relies on expert knowledge. In this paper, we present WATSON, an automated approach to abstracting behaviors by inferring and aggregating the semantics of audit events. WATSON uncovers the semantics of events through their usage context in audit logs. By extracting behaviors as connected system operations, WATSON then combines event semantics as the representation of behaviors. To reduce analysis workload, WATSON further clusters semantically similar behaviors and distinguishes the representatives for analyst investigation. In our evaluation against both benign and malicious behaviors, WATSON exhibits high accuracy for behavior abstraction. Moreover, WATSON can reduce analysis workload by two orders of magnitude for attack investigation.
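The pipeline the abstract outlines (event semantics from usage context, behaviors as connected operations, aggregated representations, clustering with representatives) as an added toy sketch; this is not WATSON's code and assumes a co-occurrence vector as the "usage context", sum as the aggregation, and greedy cosine clustering, none of which the abstract specifies. The audit events are constructed.

```python
"""Toy sketch of the pipeline described in the abstract.
Assumption: WATSON's real embedding, graph extraction and clustering
are not reproduced; co-occurrence, summation and greedy cosine stand in."""
from collections import Counter, defaultdict
from math import sqrt

# Constructed audit events (process, syscall, object), already grouped into
# the connected system operations that make up one behavior each.
BEHAVIORS = {
    "b1": [("bash", "execve", "curl"), ("curl", "connect", "10.0.0.5:443"),
           ("curl", "write", "/tmp/pkg.tgz"), ("tar", "read", "/tmp/pkg.tgz")],
    "b2": [("bash", "execve", "wget"), ("wget", "connect", "10.0.0.9:443"),
           ("wget", "write", "/tmp/pkg.tgz"), ("tar", "read", "/tmp/pkg.tgz")],
    "b3": [("vim", "open", "notes.txt"), ("vim", "write", "notes.txt"),
           ("vim", "close", "notes.txt")],
}

def event_token(ev):
    # Same operation on the same object gets the same token, whoever issued it.
    return f"{ev[1]}:{ev[2]}"

def context_vectors(behaviors):
    """Distributional semantics: an event's meaning is the multiset of other
    events it co-occurs with inside the same connected behavior."""
    ctx = defaultdict(Counter)
    for events in behaviors.values():
        tokens = [event_token(e) for e in events]
        for t in tokens:
            for other in tokens:
                if other != t:
                    ctx[t][other] += 1
    return ctx

def behavior_vector(events, ctx):
    """Aggregate a behavior as the sum of its events' context vectors."""
    vec = Counter()
    for e in events:
        vec.update(ctx[event_token(e)])
    return vec

def cosine(u, v):
    dot = sum(u[k] * v[k] for k in u.keys() & v.keys())
    nu = sqrt(sum(x * x for x in u.values()))
    nv = sqrt(sum(x * x for x in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0

def cluster_behaviors(behaviors, threshold=0.8):
    """Greedy clustering: a behavior joins the first representative it is
    similar enough to, otherwise it becomes a new representative."""
    ctx = context_vectors(behaviors)
    vecs = {name: behavior_vector(evs, ctx) for name, evs in behaviors.items()}
    clusters = {}  # representative -> member behaviors
    for name, vec in vecs.items():
        for rep in clusters:
            if cosine(vecs[rep], vec) >= threshold:
                clusters[rep].append(name)
                break
        else:
            clusters[name] = [name]
    return clusters

if __name__ == "__main__":
    print(cluster_behaviors(BEHAVIORS))  # two clusters: {b1, b2} and {b3}
```

Here the two download-and-unpack behaviors differ in tool and destination address but share their surrounding operations, so their context vectors land in one cluster and the analyst only needs to inspect the representative.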