KnowHow: Automatically Applying High-Level CTI Knowledge for Interpretable and Accurate Provenance Analysis

High-level natural language knowledge in Cyber Threat Intelligence (CTI) reports, such as the ATT&CK framework, is beneficial to counter Advanced Persistent Threat (APT) attacks. However, how to automatically apply the high-level knowledge in CTI reports in realistic attack detection systems, such as provenance analysis systems, is still an open problem. The challenge stems from the semantic gap between the knowledge and the low-level security logs: while the knowledge in CTI reports is written in natural language, attack detection systems can only process low-level system events like file accesses or network IP manipulations. Manual approaches can be laborintensive and error-prone. In this paper, we propose KNOWHOW, a CTI-knowledgedriven online provenance analysis approach that can automatically apply high-level attack knowledge from CTI reports written in natural languages to detect low-level system events. The core of KNOWHOW is a novel attack knowledge representation, General Indicator of Compromise (gIoC), that represents the subject, object, and actions of attacks. By lifting system identifiers, such as file paths, in system events to natural language terms, KNOWHOW can match system events to gIoCs and further match them to techniques described in natural languages. Finally, based on the techniques matched to system events, KNOWHOW reasons about the temporal logic of attack steps, detects potential APT attacks in system events, and generates the human-readable report for each alert. Our evaluation shows that KNOWHOW can accurately detect all 16 APT campaigns in the open-source and industrial datasets, while existing approaches all introduce large numbers of false positives. Meanwhile, our evaluation also shows that KNOWHOW reduces at most 90% of node-level false positives while having a higher node-level recall and is robust against several unknown attacks and mimicry attacks.