MART: Targeted attack detection on a compromised network

Targeted attacks are a significant problem for governmental agencies and corporations. We propose a MinHash-based, targeted attack detection system which analyzes aggregated process creation events typically generated by human keyboard input. We start with a set of malicious process creation events, and their parameters, which are typically generated by an attacker remotely controlling computers on a network. The MinHash algorithm allows the system to efficiently process hundreds of millions of events each day. We propose the weighted squared match similarity score for targeted attack detection which is more robust to mimicry and NOOP attacks than the weighted Jaccard index. We demonstrate that the system can detect several confirmed targeted attacks on both a small dataset of 1,473 computers as well as a large network of over 230 thousand computers. In the first case, the proposed system detects a similar, but separate attack while in the latter, intrusion activity is detected at large-scale.