threaTrace: Detecting and Tracing Host-based Threats in Node Level Through Provenance Graph Learning
- URL: http://arxiv.org/abs/2111.04333v1
- Date: Mon, 8 Nov 2021 08:48:26 GMT
- Title: threaTrace: Detecting and Tracing Host-based Threats in Node Level Through Provenance Graph Learning
- Authors: Su Wang, Zhiliang Wang, Tao Zhou, Xia Yin, Dongqi Han, Han Zhang, Hongbin Sun, Xingang Shi, Jiahai Yang
- Abstract summary: Recent studies propose leveraging the rich contextual information in data provenance to detect threats in a host.
We present threaTrace, an anomaly-based detector that detects host-based threats at system entity level without prior knowledge of attack patterns.
- Score: 29.48927285179188
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Host-based threats such as Program Attack, Malware Implantation, and Advanced Persistent Threats (APT) are commonly adopted by modern attackers. Recent studies propose leveraging the rich contextual information in data provenance to detect threats in a host. Data provenance is a directed acyclic graph constructed from system audit data. Nodes in a provenance graph represent system entities (e.g., processes and files) and edges represent system calls in the direction of information flow. However, previous studies, which extract features of the whole provenance graph, are not sensitive to the small number of threat-related entities and thus perform poorly when hunting stealthy threats.
We present threaTrace, an anomaly-based detector that detects host-based threats at the system entity level without prior knowledge of attack patterns. We tailor GraphSAGE, an inductive graph neural network, to learn every benign entity's role in a provenance graph. threaTrace is a real-time system that scales to monitoring a long-running host and can detect host-based intrusions in their early phase. We evaluate threaTrace on three public datasets. The results show that threaTrace outperforms three state-of-the-art host intrusion detection systems.
Related papers
- Multitask Active Learning for Graph Anomaly Detection [48.690169078479116] (arXiv, 2024-01-24T03:43:45Z)
We propose a novel MultItask acTIve Graph Anomaly deTEction framework, namely MITIGATE.
By coupling node classification tasks, MITIGATE obtains the capability to detect out-of-distribution nodes without known anomalies.
Empirical studies on four datasets demonstrate that MITIGATE significantly outperforms the state-of-the-art methods for anomaly detection.
- Few-shot Message-Enhanced Contrastive Learning for Graph Anomaly Detection [15.757864894708364] (arXiv, 2023-11-17T07:49:20Z)
Graph anomaly detection plays a crucial role in identifying exceptional instances in graph data that deviate significantly from the majority.
We propose a novel few-shot Graph Anomaly Detection model called FMGAD.
We show that FMGAD can achieve better performance than other state-of-the-art methods, regardless of whether the anomalies are artificially injected or domain-organic.
- Effective In-vehicle Intrusion Detection via Multi-view Statistical Graph Learning on CAN Messages [9.04771951523525] (arXiv, 2023-11-13T03:49:55Z)
In-vehicle networks (IVNs) face a wide variety of complex and changing external cyber-attacks.
Only coarse-grained recognition can be achieved by current mainstream intrusion detection mechanisms.
We propose StatGraph: an Effective Multi-view Statistical Graph Learning Intrusion Detection.
- Prov2vec: Learning Provenance Graph Representation for Unsupervised APT Detection [2.07180164747172] (arXiv, 2023-10-02T01:38:13Z)
It is necessary to detect Advanced Persistent Threats as early in the campaign as possible.
This paper proposes Prov2Vec, a system for the continuous monitoring of enterprise hosts' behavior to detect attackers' activities.
- Kairos: Practical Intrusion Detection and Investigation using Whole-system Provenance [4.101641763092759] (arXiv, 2023-08-09T16:04:55Z)
Provenance graphs are structured audit logs that describe the history of a system's execution.
We identify four common dimensions that drive the development of provenance-based intrusion detection systems (PIDSes).
We present KAIROS, the first PIDS that simultaneously satisfies the desiderata in all four dimensions.
- Model Inversion Attacks against Graph Neural Networks [65.35955643325038] (arXiv, 2022-09-16T09:13:43Z)
We study model inversion attacks against Graph Neural Networks (GNNs).
In this paper, we present GraphMI to infer the private training graph data.
Our experimental results show that such defenses are not sufficiently effective and call for more advanced defenses against privacy attacks.
- Deep Fraud Detection on Non-attributed Graph [61.636677596161235] (arXiv, 2021-10-04T03:42:09Z)
Graph Neural Networks (GNNs) have shown solid performance on fraud detection.
Labeled data is scarce in large-scale industrial problems, especially for fraud detection.
We propose a novel graph pre-training strategy to leverage more unlabeled data.
- NF-GNN: Network Flow Graph Neural Networks for Malware Detection and Classification [11.624780336645006] (arXiv, 2021-03-05T20:54:38Z)
Malicious software (malware) poses an increasing threat to the security of communication systems.
We present three variants of our base model, which all support malware detection and classification in supervised and unsupervised settings.
Experiments on four different prediction tasks consistently demonstrate the advantages of our approach and show that our graph neural network model can boost detection performance by a significant margin.
- No Need to Know Physics: Resilience of Process-based Model-free Anomaly Detection for Industrial Control Systems [95.54151664013011] (arXiv, 2020-12-07T11:02:44Z)
We present a novel framework to generate adversarial spoofing signals that violate physical properties of the system.
We analyze four anomaly detectors published at top security conferences.
- Graph Backdoor [53.70971502299977] (arXiv, 2020-06-21T19:45:30Z)
We present GTA, the first backdoor attack on graph neural networks (GNNs).
GTA departs in significant ways: it defines triggers as specific subgraphs, including both topological structures and descriptive features.
It can be instantiated for both transductive (e.g., node classification) and inductive (e.g., graph classification) tasks.
- Structural Temporal Graph Neural Networks for Anomaly Detection in Dynamic Graphs [54.13919050090926] (arXiv, 2020-05-15T09:17:08Z)
We propose an end-to-end structural temporal Graph Neural Network model for detecting anomalous edges in dynamic graphs.
In particular, we first extract the $h$-hop enclosing subgraph centered on the target edge and propose a node labeling function to identify the role of each node in the subgraph.
Based on the extracted features, we utilize gated recurrent units (GRUs) to capture the temporal information for anomaly detection.
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of its content (including all information) and is not responsible for any consequences.