UBC Theses and Dissertations

Building a practical provenance-based intrusion detection and reporting system

Liang, Jinyuan

Abstract

In computer systems, provenance graphs describe causal relationships among operating system entities (e.g., processes, files, and sockets) to represent a system's execution history. Provenance-based Intrusion Detection Systems analyze these graphs to identify malicious execution patterns. Despite advances in Provenance-based Intrusion Detection Systems, measurements of detection performance often neglect the quality of detection reports. Prior work either generates coarse-grained alerts or generates fine-grained alerts (e.g., node-level alerts indicating which nodes are suspicious in a graph) with many false positives. This results in security analysts grappling with overwhelming and often irrelevant data, leading to alert fatigue and frequent burnout. To address this issue, we present a node-level detector, PROVNET. Given a provenance graph, PROVNET detects abnormal nodes and generates node-level alerts using a temporal graph autoencoder framework. Subsequently, PROVNET correlates the alerts to mitigate false positives. Based on correlation results, PROVNET then reconstructs the attack subgraphs and generates the detection report to help security analysts investigate the attack execution flow. PROVNET is evaluated against state-of-the-art systems on publicly available datasets, focusing on detection and run-time performance, and robustness. The evaluation results show that PROVNET achieves competitive detection performance compared with other state-of-the-art systems. In addition, the evaluation results demonstrate that PROVNET can perform detection at run-time with low latency, and showcase its robustness against state-of-the-art provenance-based evasion attacks.
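As an added illustration, not PROVNET's own code (the abstract does not describe its algorithms), the Python below sketches the two post-detection steps named above on a constructed provenance graph: node-level alerts are correlated by merging alerts whose nodes lie within a few hops of each other, isolated alerts are dropped as likely false positives, and the surviving group's neighbouring edges are ordered by timestamp to reconstruct the attack execution flow for a report. The hop threshold, the minimum group size, the node names and the anomaly scores are all assumptions.

```python
from collections import defaultdict, deque

# Constructed provenance graph as (subject, object, timestamp); every name is made up.
EDGES = [
    ("bash", "curl", 1), ("curl", "10.0.0.5:443", 2), ("curl", "/tmp/payload", 3),
    ("/tmp/payload", "python3", 4), ("python3", "/etc/shadow", 5),
    ("cron", "logrotate", 6), ("logrotate", "/var/log/syslog", 7),
]
# Constructed node-level alerts (node -> anomaly score) as a node-level detector would emit.
# "logrotate" has no anomalous neighbours, so correlation should treat it as a false positive.
ALERTS = {"curl": 0.92, "/tmp/payload": 0.88, "python3": 0.95, "logrotate": 0.81}

def adjacency(edges):
    adj = defaultdict(list)
    for s, o, _ in edges:
        adj[s].append(o); adj[o].append(s)   # undirected: proximity, not data flow direction
    return adj

def within_hops(adj, start, max_hops):
    """Set of nodes reachable from start in at most max_hops edges (BFS)."""
    dist = {start: 0}; q = deque([start])
    while q:
        n = q.popleft()
        if dist[n] < max_hops:
            for m in adj[n]:
                if m not in dist:
                    dist[m] = dist[n] + 1; q.append(m)
    return set(dist)

def correlate(edges, alerts, max_hops=2, min_alerts=2):
    """Union alerts whose nodes lie within max_hops of each other; drop groups below min_alerts."""
    adj = adjacency(edges)
    parent = {a: a for a in alerts}            # tiny union-find over alerted nodes
    def find(x):
        while parent[x] != x: x = parent[x]
        return x
    reach = {a: within_hops(adj, a, max_hops) for a in alerts}
    for a in alerts:
        for b in alerts:
            if b in reach[a]: parent[find(b)] = find(a)
    groups = defaultdict(set)
    for a in alerts: groups[find(a)].add(a)
    return [g for g in groups.values() if len(g) >= min_alerts]

def reconstruct(edges, group, max_hops=1):
    """Attack subgraph: edges among the group and its close neighbours, in execution order."""
    adj = adjacency(edges)
    nodes = set().union(*(within_hops(adj, a, max_hops) for a in group))
    return sorted((e for e in edges if e[0] in nodes and e[1] in nodes), key=lambda e: e[2])

if __name__ == "__main__":
    for g in correlate(EDGES, ALERTS):
        print("correlated alerts:", sorted(g), "flow:", reconstruct(EDGES, g))
```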

Rights

Attribution-NonCommercial-NoDerivatives 4.0 International