NoDoze: Combatting Threat Alert Fatigue with Automated Provenance Triage

Hassan, Wajih Ul; Guo, Shengjian; Li, Ding; Chen, Zhengzhang; Jee, Kangkook; Li, Zhichun; Bates, Adam

doi:10.14722/ndss.2019.23349

Cited by 162 publications

(151 citation statements)

References 35 publications

(50 reference statements)

Supporting

Mentioning

120

Contrasting

Order By: Relevance

“…It connects causally-related events in the graph, even when those events are separated by a long time period. Thus, even though systems under APT attack usually behave similarly to unattacked systems, the richer contextual information in provenance allows for better separation of benign and malicious events [55].…”

Section: Introductionmentioning

confidence: 99%

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

Han¹,

Pasquier²,

Bates³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

Self Cite

134

111

View full text Add to dashboard Cite

Advanced Persistent Threats (APTs) are difficult to detect due to their "low-and-slow" attack patterns and frequent use of zero-day exploits. We present UNICORN, an anomalybased APT detector that effectively leverages data provenance analysis. From modeling to detection, UNICORN tailors its design specifically for the unique characteristics of APTs. Through extensive yet time-efficient graph analysis, UNICORN explores provenance graphs that provide rich contextual and historical information to identify stealthy anomalous activities without predefined attack signatures. Using a graph sketching technique, it summarizes long-running system execution with space efficiency to combat slow-acting attacks that take place over a long time span. UNICORN further improves its detection capability using a novel modeling approach to understand long-term behavior as the system evolves. Our evaluation shows that UNICORN outperforms an existing state-of-the-art APT detection system and detects reallife APT scenarios with high accuracy.

show abstract

Section: Introductionmentioning

confidence: 99%

Unicorn: Runtime Provenance-Based Detector for Advanced Persistent Threats

Han¹,

Pasquier²,

Bates³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

Self Cite

134

111

View full text Add to dashboard Cite

show abstract

“…We make the following assumptions about our system. Similar with existing provenance-based systems [56], [73], [30], [74], [89], [55], we assume the underlying OS and the provenance tracker are in our trusted computing base (TCB). We assume the attacker cannot manipulate or delete the provenance record, i.e., log integrity is maintained at all time.…”

Section: Threat Model and Assumptionsmentioning

confidence: 99%

“…System Entity and System Event. Similar with [56], [39], [43], we consider the following three types of system entities: processes, files and network connections (i.e., sockets). A system event e = (src, dst, rel, time) models the interaction between two system entities, where src is the source entity, dst is the destination entity, rel is the relation between them (e.g., a process writes a file), and time is the timestamp when the event happened.…”

Section: A Definitionsmentioning

confidence: 99%

“…Kernel-level (i.e., OS-level) provenance analysis [63], [30], [56], [73], [55] is a practical solution that is widely adopted in real-world enterprises to pervasively monitor and protect their systems. Even when a malware could hijack a benign process with its malicious logic, it still leaves traces in the provenance data.…”

Section: Introductionmentioning

confidence: 99%

“…To address the first challenge, PROVDETECTOR breaks provenance graphs into causal paths and uses the causal paths as the basic components for detection ( §V-C).The insight of this decision is that the actions of stealthy malware have logical connections and causal dependencies [60], [56]. By using causal paths as detection components, PROVDETECTOR can isolate the benign part of the provenance graph from the malicious part.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

You Are What You Do: Hunting Stealthy Malware via Data Provenance Analysis

Wang¹,

Hassan²,

Ding³

et al. 2020

Proceedings 2020 Network and Distributed System Security Symposium

Self Cite

108

View full text Add to dashboard Cite

To subvert recent advances in perimeter and host security, the attacker community has developed and employed various attack vectors to make a malware much stealthier than before to penetrate the target system and prolong its presence. Such advanced malware or "stealthy malware" makes use of various techniques to impersonate or abuse benign applications and legitimate system tools to minimize its footprints in the target system. It is thus difficult for traditional detection tools, such as malware scanners, to detect it, as the malware normally does not expose its malicious payload in a file and hides its malicious behaviors among the benign behaviors of the processes. In this paper, we present PROVDETECTOR, a provenancebased approach for detecting stealthy malware. Our insight behind the PROVDETECTOR approach is that although a stealthy malware attempts to blend into benign processes, its malicious behaviors inevitably interact with the underlying operating system (OS), which will be exposed to and captured by provenance monitoring. Based on this intuition, PROVDETECTOR first employs a novel selection algorithm to identify possibly malicious parts in the OS-level provenance data of a process. It then applies a neural embedding and machine learning pipeline to automatically detect any behavior that deviates significantly from normal behaviors. We evaluate our approach on a large provenance dataset from an enterprise network and demonstrate that it achieves very high detection performance of stealthy malware (an average F1 score of 0.974). Further, we conduct thorough interpretability studies to understand the internals of the learned machine learning models.

show abstract