PG-AID: An Anomaly-based Intrusion Detection Method Using Provenance Graph

Published: 01 Jan 2024, Last Modified: 17 Sept 2024. Venue: CSCWD 2024. License: CC BY-SA 4.0
Abstract: Intrusion detection is a technique used to identify malicious activities in an organization's information system, and it plays a vital role in securing collaborative systems. Provenance graphs, constructed from system-level audit logs, capture the complex relations between system entities and associate activities across the entire system, thus providing rich contextual information for intrusion detection. As a result, multiple intrusion detection methods leverage provenance graphs to detect stealthy and persistent malicious activities; these are known as provenance-based intrusion detection systems (PIDS). However, existing PIDS cannot detect malicious activities at fine granularity without prior knowledge of attack patterns. In this paper, we propose PG-AID, an anomaly-based intrusion detection method using provenance graphs. PG-AID first converts system-level audit logs into provenance graph data, which is separated into temporally ordered snapshots. Then, to isolate intrusion-related activities, critical paths in each snapshot are extracted and aggregated to obtain the snapshot embedding. By modeling the temporal relationships between normal snapshots, PG-AID detects abnormal graphs that exhibit different temporal relations. Finally, critical paths in the abnormal graphs are presented as intrusion indicators. We use DARPA's (Defense Advanced Research Projects Agency) Transparent Computing (TC) datasets to evaluate PG-AID's performance. The results show that PG-AID can effectively detect intrusions and provide detailed information about them with low memory utilization.
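As an added illustration of the pipeline the abstract describes (audit log to provenance graph, time-ordered snapshots, critical-path extraction, snapshot embedding, anomaly scoring against a normal baseline, and critical paths reported as indicators), the Python below is example code written for this page; it is not PG-AID's implementation and does not reproduce the paper's embedding or its temporal model. The audit events, the 10-second window, the bag-of-path-signatures embedding, and the leave-one-out nearest-neighbour threshold are all assumptions made for the example.

```python
# Added illustration of a provenance-graph anomaly pipeline. This is NOT the
# PG-AID implementation: the events, the window size, the path-signature
# embedding and the nearest-neighbour threshold are assumptions for the demo.
from collections import Counter, defaultdict
import math

# Constructed audit events: (timestamp_seconds, subject, action, object).
NORMAL_EVENTS = [
    (0, "bash", "exec", "vim"), (1, "vim", "read", "/home/u/notes.txt"),
    (2, "vim", "write", "/home/u/notes.txt"),
    (10, "bash", "exec", "ls"), (11, "ls", "read", "/home/u"),
    (20, "bash", "exec", "vim"), (21, "vim", "write", "/home/u/todo.txt"),
    (30, "bash", "exec", "git"), (31, "git", "read", "/home/u/repo"),
    (32, "git", "write", "/home/u/repo/.git"),
]
# Constructed download-and-execute sequence that never occurs in the baseline.
ATTACK_EVENTS = [
    (40, "bash", "exec", "curl"), (41, "curl", "connect", "203.0.113.5:443"),
    (42, "curl", "write", "/tmp/x"), (43, "bash", "exec", "/tmp/x"),
    (44, "/tmp/x", "read", "/etc/shadow"), (45, "/tmp/x", "connect", "203.0.113.5:443"),
]
WINDOW = 10  # seconds per snapshot (assumed)


def build_edges(events):
    """Provenance edges (subject, action, object, timestamp) in time order."""
    return [(s, a, o, t) for (t, s, a, o) in sorted(events)]


def split_snapshots(edges, window=WINDOW):
    """Group edges into consecutive time-ordered snapshots of `window` seconds."""
    buckets = defaultdict(list)
    for e in edges:
        buckets[e[3] // window].append(e)
    return [buckets[k] for k in sorted(buckets)]


def critical_paths(snapshot):
    """Every root-to-leaf path in the snapshot graph, as a tuple of actions.
    Roots are nodes with no incoming edge; if the snapshot is one big cycle
    (no root at all), every node is tried so nothing is silently dropped."""
    out, has_in, nodes = defaultdict(list), set(), set()
    for s, a, o, _ in snapshot:
        out[s].append((a, o))
        has_in.add(o)
        nodes.update((s, o))
    paths = []

    def walk(node, labels, seen):
        nxt = [(a, o) for a, o in out.get(node, []) if o not in seen]
        if not nxt:
            paths.append(tuple(labels))
            return
        for a, o in nxt:
            walk(o, labels + [a], seen | {o})

    for root in sorted(nodes - has_in) or sorted(nodes):
        walk(root, [], {root})
    return [p for p in paths if p]  # a node with no outgoing edge yields ()


def embed(paths):
    """Snapshot embedding: a bag of critical-path action signatures (assumed)."""
    return Counter(paths)


def cosine_distance(u, v):
    dot = sum(u[k] * v[k] for k in u)
    nu = math.sqrt(sum(x * x for x in u.values()))
    nv = math.sqrt(sum(x * x for x in v.values()))
    return 1.0 if nu == 0 or nv == 0 else 1.0 - dot / (nu * nv)


def train(normal_events):
    """Baseline = embeddings of the normal snapshots; threshold = the largest
    leave-one-out nearest-neighbour distance observed among them."""
    embs = [embed(critical_paths(s))
            for s in split_snapshots(build_edges(normal_events))]
    if len(embs) < 2:
        raise ValueError("need at least two normal snapshots to set a threshold")
    loo = [min(cosine_distance(e, o) for j, o in enumerate(embs) if j != i)
           for i, e in enumerate(embs)]
    return embs, max(loo)


def detect(events, baseline, threshold):
    """Score each snapshot by its distance to the nearest normal snapshot and
    return the abnormal ones with their critical paths as indicators."""
    alerts = []
    for snap in split_snapshots(build_edges(events)):
        paths = critical_paths(snap)
        score = min(cosine_distance(embed(paths), b) for b in baseline)
        if score > threshold:
            alerts.append({"start": snap[0][3], "score": round(score, 3),
                           "paths": paths})
    return alerts


if __name__ == "__main__":
    base, thr = train(NORMAL_EVENTS)
    for alert in detect(NORMAL_EVENTS + ATTACK_EVENTS, base, thr):
        print(f"snapshot@{alert['start']}s score={alert['score']} > {thr:.3f}")
        for p in alert["paths"]:
            print("  indicator:", " -> ".join(p))
```

Two caveats a practitioner would check before trusting numbers like these: the baseline here is scored against itself, so every normal snapshot sits at distance zero and the false-positive rate is not measured (hold out a separate normal period for that), and the threshold comes from only four training snapshots, so a single unusual but benign window in training would raise it enough to hide the attack.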