Research Article
LogKernel: A Threat Hunting Approach Based on Behaviour Provenance Graph and Graph Kernel Clustering
Algorithm 1
Graph abstraction algorithm.
Input: OS-level logs
Output: Behavior Dependency Graphs
(1)  Logs ← READLOGS(OS-level logs)
(2)  Processes ← LONGRUNNINGPROCESS(OS-level logs)
(3)  for all log in Logs do
(4)      Type = GETNODETYPE(log)
(5)      NodeAttribute_i = GETTYPENODE(log)
(6)      NodeList.append(NodeAttribute_i)
(7)  end for
(8)  ProvenanceGraph = GENERATEGRAPH(NodeList)
(9)  V, L_V ← GETNODE(NodeAttribute)
(10) E, L_E ← GETEDGE(NodeAttribute)
(11) BehaviorGraphs = SPLITGRAPH(ProvenanceGraph, Processes)
(12) Density ← CALCULATEDENSITY(Processes)
(13) Units ← PARTITION(Density)
(14) return BehaviorGraphs
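The following is an added illustration of Algorithm 1, not the LogKernel authors' code: it reads constructed audit events, builds a typed provenance graph (V with labels L_V, E with labels L_E) and splits it into one behaviour graph per long-running process. The log format, the "never spawned in the window" heuristic for LONGRUNNINGPROCESS and the reachability-based SPLITGRAPH are assumptions; the density and partition steps (12, 13) are left out.

```python
# Constructed OS-level audit events: "<subject process> <operation> <type>:<object>".
LOGS = """sshd read file:/etc/ssh/sshd_config
sshd accept socket:10.0.0.5:22
sshd fork process:bash
bash exec process:curl
curl connect socket:198.51.100.7:443
curl write file:/tmp/download
nginx read file:/etc/nginx/nginx.conf"""

def read_logs(text):
    """READLOGS: one (subject, op, object_type, object) tuple per event line."""
    events = []
    for line in text.splitlines():
        proc, op, obj = line.split(" ", 2)
        events.append((proc, op, *obj.split(":", 1)))
    return events

def long_running_processes(events):
    """LONGRUNNINGPROCESS (assumed heuristic): subjects never spawned in the window."""
    spawned = {name for _, _, obj_type, name in events if obj_type == "process"}
    return {proc for proc, *_ in events} - spawned

def generate_graph(events):
    """GENERATEGRAPH: nodes V with type labels L_V, edges E with operation labels L_E."""
    nodes, edges = {}, []
    for proc, op, obj_type, name in events:
        nodes[proc], nodes[name] = "process", obj_type
        edges.append((proc, op, name))
    return nodes, edges

def split_graph(nodes, edges, roots):
    """SPLITGRAPH: one behaviour graph per root, with all nodes reachable from it."""
    succ = {}
    for src, _, dst in edges:
        succ.setdefault(src, []).append(dst)
    graphs = {}
    for root in roots:
        seen, stack = set(), [root]
        while stack:            # depth-first walk along subject -> object edges
            n = stack.pop()
            if n not in seen:
                seen.add(n)
                stack.extend(succ.get(n, []))
        graphs[root] = ({n: nodes[n] for n in seen},
                        [e for e in edges if e[0] in seen])
    return graphs

def behaviour_graphs(text):
    """Algorithm 1 end to end: logs -> provenance graph -> per-process behaviour graphs."""
    events = read_logs(text)
    nodes, edges = generate_graph(events)
    return split_graph(nodes, edges, long_running_processes(events))
```

With the sample events, `behaviour_graphs(LOGS)` yields two behaviour graphs: the sshd graph pulls in the bash and curl activity it spawned, while the nginx graph stays separate.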