Fast Memory-efficient Anomaly Detection in Streaming Heterogeneous Graphs

Manzoor, Emaad; Milajerdi, Sadegh M.; Akoglu, Leman

doi:10.1145/2939672.2939783

Cited by 144 publications

(109 citation statements)

References 36 publications

(50 reference statements)

Supporting

Mentioning

109

Contrasting

Order By: Relevance

“…Prior research [15], [83], [87] explored the use of data provenance for APT detection. However, these approaches all suffer from some combinations of the following limitations: L1 : Pre-defined edge-matching rules are overly sensitive and make it difficult to detect zero-day exploits common in APTs [87].…”

Section: Summary and Problem Statementmentioning

confidence: 99%

“…However, conventional clustering approaches fail to capture a system's evolutionary behavior [8]. APT scenarios are sufficiently long term that failing to capture this behavior leads to too many false positives [83]. UNICORN leverages its streaming capability to create evolutionary models that capture normal changes in system behavior.…”

Section: Learning Evolutionary Modelsmentioning

confidence: 99%

“…Crucially, it builds these evolutionary models during training, not during deployment. Systems that dynamically evolve models during deployment risk poisoning their models during an APT's drawn out attack phase [83].…”

Section: Learning Evolutionary Modelsmentioning

confidence: 99%

“…More recent work [15], [19], [83], [87] suggests that data provenance might be a better data source for APT detection. Data provenance represents system execution as a directed acyclic graph (DAG) that describes information flow between system subjects (e.g., processes) and objects (e.g., files and sockets).…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

Han¹,

Pasquier²,

Bates³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

120

114

View full text Add to dashboard Cite

Advanced Persistent Threats (APTs) are difficult to detect due to their "low-and-slow" attack patterns and frequent use of zero-day exploits. We present UNICORN, an anomalybased APT detector that effectively leverages data provenance analysis. From modeling to detection, UNICORN tailors its design specifically for the unique characteristics of APTs. Through extensive yet time-efficient graph analysis, UNICORN explores provenance graphs that provide rich contextual and historical information to identify stealthy anomalous activities without predefined attack signatures. Using a graph sketching technique, it summarizes long-running system execution with space efficiency to combat slow-acting attacks that take place over a long time span. UNICORN further improves its detection capability using a novel modeling approach to understand long-term behavior as the system evolves. Our evaluation shows that UNICORN outperforms an existing state-of-the-art APT detection system and detects reallife APT scenarios with high accuracy.

show abstract

Section: Summary and Problem Statementmentioning

confidence: 99%

Section: Learning Evolutionary Modelsmentioning

confidence: 99%

Section: Learning Evolutionary Modelsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

Han¹,

Pasquier²,

Bates³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

120

114

View full text Add to dashboard Cite

show abstract

“…[19][20][21][22] In addition, researchers have also developed methods of automating penetration testing and auditing. [19][20][21][22] In addition, researchers have also developed methods of automating penetration testing and auditing.…”

Section: Related Workmentioning

confidence: 99%

GraphBAD: A general technique for anomaly detection in security information and event management

Parkinson

Vallati

Crampton

et al. 2018

Concurrency and Computation

View full text Add to dashboard Cite

The reliance on expert knowledge-required for analysing security logs and performing security audits-has created an unhealthy balance, where many computer users are not able to correctly audit their security configurations and react to potential security threats. The decreasing cost of IT and the increasing use of technology in domestic life are exacerbating this problem, where small companies and home IT users are not able to afford the price of experts for auditing their system configuration. In this paper, we present GraphBAD, a graph-based analysis tool that is able to analyse security configurations in order to identify anomalies that could lead to potential security risks. GraphBAD, which does not require any prior domain knowledge, generates graph-based models from security configuration data and, by analysing such models, is able to propose mitigation plans that can help computer users in increasing the security of their systems. A large experimental analysis, conducted on both publicly available (the well-known KDD dataset) and synthetically generated testing sets (file system permissions), demonstrates the ability of GraphBAD in correctly identifying security configuration anomalies and suggesting appropriate mitigation plans. KEYWORDSanomaly detection, graph structure, log files, security auditing, SIEM INTRODUCTIONAuditing security configurations is the process of searching for anomalies that potentially expose a vulnerability of a considered system. The term Security Information and Event Management (SIEM) is often used to describe the process of monitoring audit logs and security configurations to identify vulnerabilities. Given the complexity of the task, there is a heavy reliance on expert knowledge, which is required for understanding the different security configurations. This reliance has two main drawbacks: first, expert knowledge can be incomplete or erroneous; second, the high cost of security experts makes it infeasible for many users to correctly configure the security of their Information Technology (IT) systems. Therefore, in many cases, unseen weaknesses, which can be exploited, will remain in the configuration. Clearly, auditing security configurations is a critical problem for organisations that significantly rely on their IT infrastructure for undertaking business. For this reason, many companies frequently employ a third party security auditing company to examine their IT infrastructure to identify weaknesses and suggest suitable mitigation plans (named as penetration testing 1,2 ). Although businesses are prepared to pay a premium for maintaining their security, the average home IT user or small companies are left to maintain their own IT security. Furthermore, the decreasing cost of IT and the increasing use of technology in domestic life are exacerbating this problem.These limitations are heightened by the following factors. (i) The complexity of computational infrastructure-the cyber-physical platform on which security is attained-is increasing, and the technological landscape i...

show abstract