Kairos: Practical Intrusion Detection and Investigation using Whole-system Provenance
- URL: http://arxiv.org/abs/2308.05034v3
- Date: Thu, 28 Sep 2023 03:02:57 GMT
- Title: Kairos: Practical Intrusion Detection and Investigation using Whole-system Provenance
- Authors: Zijun Cheng, Qiujian Lv, Jinyuan Liang, Yan Wang, Degang Sun, Thomas Pasquier, Xueyuan Han
- Abstract summary: Provenance graphs are structured audit logs that describe the history of a system's execution.
We identify four common dimensions that drive the development of provenance-based intrusion detection systems (PIDSes)
We present KAIROS, the first PIDS that simultaneously satisfies the desiderata in all four dimensions.
- Score: 4.101641763092759
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Provenance graphs are structured audit logs that describe the history of a
system's execution. Recent studies have explored a variety of techniques to
analyze provenance graphs for automated host intrusion detection, focusing
particularly on advanced persistent threats. Sifting through their design
documents, we identify four common dimensions that drive the development of
provenance-based intrusion detection systems (PIDSes): scope (can PIDSes detect
modern attacks that infiltrate across application boundaries?), attack
agnosticity (can PIDSes detect novel attacks without a priori knowledge of
attack characteristics?), timeliness (can PIDSes efficiently monitor host
systems as they run?), and attack reconstruction (can PIDSes distill attack
activity from large provenance graphs so that sysadmins can easily understand
and quickly respond to system intrusion?). We present KAIROS, the first PIDS
that simultaneously satisfies the desiderata in all four dimensions, whereas
existing approaches sacrifice at least one and struggle to achieve comparable
detection performance.
Kairos leverages a novel graph neural network-based encoder-decoder
architecture that learns the temporal evolution of a provenance graph's
structural changes to quantify the degree of anomalousness for each system
event. Then, based on this fine-grained information, Kairos reconstructs attack
footprints, generating compact summary graphs that accurately describe
malicious activity over a stream of system audit logs. Using state-of-the-art
benchmark datasets, we demonstrate that Kairos outperforms previous approaches.
Related papers
- Time-Aware Face Anti-Spoofing with Rotation Invariant Local Binary Patterns and Deep Learning [50.79277723970418]
  Imitation attacks can lead to erroneous identification and subsequent authentication of attackers.
  Similar to face recognition, imitation attacks can also be detected with Machine Learning.
  We propose a novel approach that promises high classification accuracy by combining previously unused features with time-aware deep learning strategies.
  arXiv Detail & Related papers (2024-08-27T07:26:10Z)
- Effective In-vehicle Intrusion Detection via Multi-view Statistical Graph Learning on CAN Messages [9.04771951523525]
  In-vehicle networks (IVNs) face a wide variety of complex and changing external cyber-attacks.
  Only coarse-grained recognition can be achieved by current mainstream intrusion detection mechanisms.
  We propose StatGraph: an Effective Multi-view Statistical Graph Learning Intrusion Detection.
  arXiv Detail & Related papers (2023-11-13T03:49:55Z)
- NODLINK: An Online System for Fine-Grained APT Attack Detection and Investigation [15.803901489811318]
  NodLink is the first online detection system that maintains high detection accuracy without sacrificing detection granularity.
  We propose a novel design of in-memory cache, an efficient attack screening method, and a new approximation algorithm that is more efficient than the conventional one in APT attack detection.
  arXiv Detail & Related papers (2023-11-04T05:36:59Z)
- Prov2vec: Learning Provenance Graph Representation for Unsupervised APT Detection [2.07180164747172]
  It is necessary to detect Advanced Persistent Threats as early in the campaign as possible.
  This paper proposes Prov2Vec, a system for the continuous monitoring of enterprise hosts' behavior to detect attackers' activities.
  arXiv Detail & Related papers (2023-10-02T01:38:13Z)
- The Adversarial Implications of Variable-Time Inference [47.44631666803983]
  We present an approach that exploits a novel side channel in which the adversary simply measures the execution time of the algorithm used to post-process the predictions of the ML model under attack.
  We investigate leakage from the non-maximum suppression (NMS) algorithm, which plays a crucial role in the operation of object detectors.
  We demonstrate attacks against the YOLOv3 detector, leveraging the timing leakage to successfully evade object detection using adversarial examples, and perform dataset inference.
  arXiv Detail & Related papers (2023-09-05T11:53:17Z)
- Disentangled Causal Graph Learning for Online Unsupervised Root Cause Analysis [49.910053255238566]
  Root cause analysis (RCA) can identify the root causes of system faults/failures by analyzing system monitoring data.
  Previous research has mostly focused on developing offline RCA algorithms, which often require manually initiating the RCA process.
  We propose CORAL, a novel online RCA framework that can automatically trigger the RCA process and incrementally update the RCA model.
  arXiv Detail & Related papers (2023-05-18T01:27:48Z)
- Novelty Detection in Network Traffic: Using Survival Analysis for Feature Identification [1.933681537640272]
  Intrusion Detection Systems are an important component of many organizations' cyber defense and resiliency strategies.
  One downside of these systems is their reliance on known attack signatures for detection of malicious network events.
  We introduce an unconventional approach to identifying network traffic features that influence novelty detection based on survival analysis techniques.
  arXiv Detail & Related papers (2023-01-16T01:40:29Z)
- Early Detection of Network Attacks Using Deep Learning [0.0]
  A network intrusion detection system (IDS) is a tool used for identifying unauthorized and malicious behavior by observing the network traffic.
  We propose an end-to-end early intrusion detection system to prevent network attacks before they can cause any more damage to the system under attack.
  arXiv Detail & Related papers (2022-01-27T16:35:37Z)
- No Need to Know Physics: Resilience of Process-based Model-free Anomaly Detection for Industrial Control Systems [95.54151664013011]
  We present a novel framework to generate adversarial spoofing signals that violate physical properties of the system.
  We analyze four anomaly detectors published at top security conferences.
  arXiv Detail & Related papers (2020-12-07T11:02:44Z)
- Bayesian Optimization with Machine Learning Algorithms Towards Anomaly Detection [66.05992706105224]
  In this paper, an effective anomaly detection framework is proposed utilizing the Bayesian Optimization technique.
  The performance of the considered algorithms is evaluated using the ISCX 2012 dataset.
  Experimental results show the effectiveness of the proposed framework in terms of accuracy rate, precision, low false-alarm rate, and recall.
  arXiv Detail & Related papers (2020-08-05T19:29:35Z)
- Graph Backdoor [53.70971502299977]
  We present GTA, the first backdoor attack on graph neural networks (GNNs).
  GTA departs in significant ways: it defines triggers as specific subgraphs, including both topological structures and descriptive features.
  It can be instantiated for both transductive (e.g., node classification) and inductive (e.g., graph classification) tasks.
  arXiv Detail & Related papers (2020-06-21T19:45:30Z)
This list is automatically generated from the titles and abstracts of the papers in this site.