UBC Theses and Dissertations
Building a practical provenance-based intrusion detection and reporting system
Liang, Jinyuan
Abstract
In computer systems, provenance graphs describe causal relationships among operating system entities (e.g., processes, files, and sockets) to represent a system's execution history. Provenance-based Intrusion Detection Systems analyze these graphs to identify malicious execution patterns. Despite advances in Provenance-based Intrusion Detection Systems, measurements of detection performance often neglect the quality of detection reports. Prior work either generates coarse-grained alerts or generates fine-grained alerts (e.g., node-level alerts indicating which nodes are suspicious in a graph) with many false positives. This results in security analysts grappling with overwhelming and often irrelevant data, leading to alert fatigue and frequent burnout. To address this issue, we present a node-level detector, PROVNET. Given a provenance graph, PROVNET detects abnormal nodes and generates node-level alerts using a temporal graph autoencoder framework. Subsequently, PROVNET correlates the alerts to mitigate false positives. Based on the correlation results, PROVNET then reconstructs the attack subgraphs and generates a detection report to help security analysts investigate the attack execution flow. PROVNET is evaluated against state-of-the-art systems on publicly available datasets, focusing on detection performance, run-time performance, and robustness. The evaluation results show that PROVNET achieves competitive detection performance compared with other state-of-the-art systems. In addition, the evaluation results demonstrate that PROVNET can perform detection at run-time with low latency, and showcase its robustness against state-of-the-art provenance-based evasion attacks.
Item Metadata
Title: Building a practical provenance-based intrusion detection and reporting system
Creator: Liang, Jinyuan
Publisher: University of British Columbia
Date Issued: 2024
Language: eng
Date Available: 2024-04-18
Provider: Vancouver : University of British Columbia Library
Rights: Attribution-NonCommercial-NoDerivatives 4.0 International
DOI: 10.14288/1.0441425
Degree Grantor: University of British Columbia
Graduation Date: 2024-05
Scholarly Level: Graduate
Aggregated Source Repository: DSpace