threaTrace: Detecting and Tracing Host-based Threats in Node Level Through Provenance Graph Learning

11/08/2021
by Su Wang, et al.

Host-based threats such as Program Attack, Malware Implantation, and Advanced Persistent Threats (APT) are commonly adopted by modern attackers. Recent studies propose leveraging the rich contextual information in data provenance to detect threats on a host. Data provenance is a directed acyclic graph constructed from system audit data. Nodes in a provenance graph represent system entities (e.g., processes and files) and edges represent system calls, oriented in the direction of information flow. However, previous studies, which extract features of the whole provenance graph, are not sensitive to the small number of threat-related entities and thus perform poorly when hunting stealthy threats. We present threaTrace, an anomaly-based detector that detects host-based threats at the system-entity level without prior knowledge of attack patterns. We tailor GraphSAGE, an inductive graph neural network, to learn every benign entity's role in a provenance graph. threaTrace is a real-time system that scales to monitoring a long-running host and can detect host-based intrusions in their early phase. We evaluate threaTrace on three public datasets. The results show that threaTrace outperforms three state-of-the-art host intrusion detection systems.
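The provenance-graph construction and the node-level GraphSAGE aggregation described above, as an added example that is not threaTrace's own code: it builds a graph from constructed audit records, orients each edge by information flow, checks the DAG property, and runs an untrained mean aggregator to produce a per-node role vector of the kind a node-level detector would score. The syscall-to-flow mapping, the entity types and the audit records are assumptions made for the example.

```python
from collections import defaultdict

# Information-flow direction of each audit event type (constructed mapping, not a dataset schema)
FLOW = {"read": "obj->proc", "execve": "obj->proc", "recv": "obj->proc",
        "write": "proc->obj", "send": "proc->obj", "clone": "proc->obj"}
TYPES = ["process", "file", "socket"]  # initial node feature = one-hot over these types
EVENTS = [("sshd", "clone", "bash", "process"), ("bash", "read", "/etc/profile", "file"),
          ("bash", "execve", "/usr/bin/ls", "file"), ("bash", "write", "/tmp/out.txt", "file"),
          ("bash", "send", "10.0.0.7:443", "socket")]  # constructed audit records

def build_graph(events):
    """Return (node_type, in_nbrs, out_nbrs); edge u->v means information flows from u to v."""
    node_type, in_nbrs, out_nbrs = {}, defaultdict(set), defaultdict(set)
    for proc, call, obj, obj_type in events:
        node_type[proc], node_type[obj] = "process", obj_type
        src, dst = (obj, proc) if FLOW[call] == "obj->proc" else (proc, obj)
        in_nbrs[dst].add(src)
        out_nbrs[src].add(dst)
    return node_type, in_nbrs, out_nbrs

def is_acyclic(node_type, in_nbrs, out_nbrs):
    """Kahn's algorithm; without per-version nodes a write-then-read on one file yields a cycle."""
    indeg = {v: len(in_nbrs.get(v, ())) for v in node_type}
    ready, seen = [v for v, d in indeg.items() if d == 0], 0
    while ready:
        u = ready.pop()
        seen += 1
        for v in out_nbrs.get(u, ()):
            indeg[v] -= 1
            if indeg[v] == 0:
                ready.append(v)
    return seen == len(node_type)

def sage_mean_layer(node_type, in_nbrs, h):
    """One GraphSAGE mean-aggregator step with identity weights: h'_v = h_v || mean of h_u over in-neighbours u."""
    out = {}
    for v in node_type:
        nbrs, dim = in_nbrs.get(v, set()), len(h[v])
        agg = [sum(h[u][i] for u in nbrs) / len(nbrs) for i in range(dim)] if nbrs else [0.0] * dim
        out[v] = h[v] + agg
    return out

def node_embeddings(events, hops=2):
    """Per-node role vectors after `hops` steps (dimension 3 * 2**hops); a trained model adds learned weights."""
    node_type, in_nbrs, _ = build_graph(events)
    h = {v: [1.0 if t == node_type[v] else 0.0 for t in TYPES] for v in node_type}
    for _ in range(hops):
        h = sage_mean_layer(node_type, in_nbrs, h)
    return h
```

Each entity's vector depends only on its own type and its neighbourhood, which is what lets a node-level model flag one anomalous process while the rest of the graph looks benign.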
