Unifying intrusion detection and forensic analysis via provenance awareness

Xie, Yulai; Feng, Dan; Tan, Zhijia; Zhou, Junzhe

doi:10.1016/j.future.2016.02.005

Cited by 26 publications

(13 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Jiang et al [39] used process coloring approach to identify the intrusion entry point and then use taint propagation approach to reduce log entries. Xie et al [66] used high-level dependency information to detect malicious behaviour. However, this system only considered one event at a time without malicious behaviour propagation i.e.…”

Section: Related Workmentioning

confidence: 99%

NoDoze: Combatting Threat Alert Fatigue with Automated Provenance Triage

Hassan

Guo

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

145

120

View full text Add to dashboard Cite

Large enterprises are increasingly relying on threat detection softwares (e.g., Intrusion Detection Systems) to allow them to spot suspicious activities. These softwares generate alerts which must be investigated by cyber analysts to figure out if they are true attacks. Unfortunately, in practice, there are more alerts than cyber analysts can properly investigate. This leads to a "threat alert fatigue" or information overload problem where cyber analysts miss true attack alerts in the noise of false alarms.

show abstract

Section: Related Workmentioning

confidence: 99%

NoDoze: Combatting Threat Alert Fatigue with Automated Provenance Triage

Hassan

Guo

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

145

120

View full text Add to dashboard Cite

show abstract

“…As provenance is adopted in several domains (e.g., search, experimental document and security), various provenance processing systems have been developed, such as PASS [ 32 ], SPADE [ 33 ], Hi-Fi [ 34 ], and LPM [ 35 ]. Based on PASS and PIDAS [ 36 ] (a previous IDS developed by the same authors), Pagoda recognises intrusions by calculating the anomaly degree of not a single provenance path but also of the overall graph. In particular, its operation consists of three main steps.…”

Section: Related Work and Contributionsmentioning

confidence: 99%

ARIES: A Novel Multivariate Intrusion Detection System for Smart Grid

Radoglou-Grammatikis

Sarigiannidis

Efstathopoulos³

et al. 2020

Sensors

View full text Add to dashboard Cite

The advent of the Smart Grid (SG) raises severe cybersecurity risks that can lead to devastating consequences. In this paper, we present a novel anomaly-based Intrusion Detection System (IDS), called ARIES (smArt gRid Intrusion dEtection System), which is capable of protecting efficiently SG communications. ARIES combines three detection layers that are devoted to recognising possible cyberattacks and anomalies against (a) network flows, (b) Modbus/Transmission Control Protocol (TCP) packets and (c) operational data. Each detection layer relies on a Machine Learning (ML) model trained using data originating from a power plant. In particular, the first layer (network flow-based detection) performs a supervised multiclass classification, recognising Denial of Service (DoS), brute force attacks, port scanning attacks and bots. The second layer (packet-based detection) detects possible anomalies related to the Modbus packets, while the third layer (operational data based detection) monitors and identifies anomalies upon operational data (i.e., time series electricity measurements). By emphasising on the third layer, the ARIES Generative Adversarial Network (ARIES GAN) with novel error minimisation functions was developed, considering mainly the reconstruction difference. Moreover, a novel reformed conditional input was suggested, consisting of random noise and the signal features at any given time instance. Based on the evaluation analysis, the proposed GAN network overcomes the efficacy of conventional ML methods in terms of Accuracy and the F1 score.

show abstract

“…(1) Data is collected by the LPM-enabled kernel and sent to a central location via a message bus (ActiveMQ) by a daemon running on each LPM node. (2) The data is translated from LPM events Each LPM event generates a single node and edge that must be encoded and stored in Accumulo. We rely on D4M [8] to encode the nodes and edges of the provenance graph.…”

Section: Designmentioning

confidence: 99%

“…Data provenance provides a history of the data as it is processed. This history has a variety of uses, including protecting against malicious changes [1], and detecting attacks that occur on the system [2]. Many of the use cases for provenance require collection of large volumes of information, such as from whole-system provenance collectors, e.g.…”

Section: Introductionmentioning

confidence: 99%

High-throughput ingest of data provenance records into Accumulo

Moyer

Gadepally

2016

2016 IEEE High Performance Extreme Computing Conference (HPEC)

View full text Add to dashboard Cite

Whole-system data provenance provides deep insight into the processing of data on a system, including detecting data integrity attacks. The downside to systems that collect whole-system data provenance is the sheer volume of data that is generated under many heavy workloads. In order to make provenance metadata useful, it must be stored somewhere where it can be queried. This problem becomes even more challenging when considering a network of provenance-aware machines all collecting this metadata. In this paper, we investigate the use of D4M and Accumulo to support high-throughput data ingest of whole-system provenance data. We find that we are able to ingest 3,970 graph components per second. Centrally storing the provenance metadata allows us to build systems that can detect and respond to data integrity attacks that are captured by the provenance system.

show abstract

Unifying intrusion detection and forensic analysis via provenance awareness

Cited by 26 publications

References 32 publications

NoDoze: Combatting Threat Alert Fatigue with Automated Provenance Triage

NoDoze: Combatting Threat Alert Fatigue with Automated Provenance Triage

ARIES: A Novel Multivariate Intrusion Detection System for Smart Grid

High-throughput ingest of data provenance records into Accumulo

Contact Info

Product

Resources

About