AutoLabel: Automated Fine-Grained Log Labeling for Cyber Attack Dataset Generation

High-quality labeled log datasets are essential for log-based cyber-security research, such as anomaly detection and forensic analysis. However, such datasets are scarce and generally not publicly accessible. Existing methods for generating labeled log datasets have several limitations: they are labor-intensive, require specialized expertise, provide inadequate support for multi-source logs, and produce coarse-grained labels.

This paper presents AutoLabel, which automates fine-grained log labeling by reducing the labeling problem to obtaining an accurate attack subgraph in a provenance graph. It modifies the environment, applications, and attack tools to generate auxiliary information during attacks. Then, from the resulting audit logs, it builds a provenance graph and leverages the auxiliary information to correlate application and traffic logs with audit logs, identify key attack-related edges, refine the graph to mitigate dependency explosion, and ultimately extract an attack subgraph for precise labeling.

Experiments in 29 scenarios, including 25 real CVE vulnerabilities across 12 widely-used applications (spanning 5 programming languages) plus a Sandworm threat simulation by MITRE CTID, show that AutoLabel achieves 100% labeling accuracy, substantially reduces manual log-analysis effort, and produces labeled datasets in no more than 96 minutes per scenario. AutoLabel has generated over 580 datasets that could be served as benchmarks.