A framework for comprehensible multi-modal detection of cyber threats (CS)

Posted: 2023-03-14 22:33:30

Abstract (translated from the page's Chinese summary): Detecting malicious activity in enterprise environments is a very complex task, and a great deal of effort has been invested in research on automating it. However, the vast majority of existing methods operate only within a narrow scope, which limits them to capturing only fragments of the evidence of malware's presence. Consequently, such approaches are not aligned with the way domain experts study and describe cyber threats. In this work, we discuss these limitations and design a detection framework that combines observed events from different data sources. Thanks to this, it provides full insight into the attack life cycle and supports the detection of threats that require combining observations from different telemetries to determine the full scope of the incident. We demonstrate the applicability of the framework on a case study of a real malware infection observed in a corporate network.

Original title: A framework for comprehensible multi-modal detection of cyber threats

Original abstract: Detection of malicious activities in corporate environments is a very complex task and much effort has been invested into research of its automation. However, the vast majority of existing methods operate only in a narrow scope, which limits them to capturing only fragments of the evidence of malware's presence. Consequently, such an approach is not aligned with the way cyber threats are studied and described by domain experts. In this work, we discuss these limitations and design a detection framework which combines observed events from different sources of data. Thanks to this, it provides full insight into the attack life cycle and enables detection of threats that require this coupling of observations from different telemetries to identify the full scope of the incident. We demonstrate the applicability of the framework on a case study of a real malware infection observed in a corporate network.