Guardado en:
Detalles Bibliográficos
Autores principales: Wang, Su, Wang, Zhiliang, Zhou, Tao, Yin, Xia, Han, Dongqi, Zhang, Han, Sun, Hongbin, Shi, Xingang, Yang, Jiahai
Formato: Preprint
Publicado: 2021
Materias:
Acceso en línea:https://arxiv.org/abs/2111.04333
Etiquetas: Agregar Etiqueta
Sin Etiquetas, Sea el primero en etiquetar este registro!
_version_ 1866915223988862976
author Wang, Su
Wang, Zhiliang
Zhou, Tao
Yin, Xia
Han, Dongqi
Zhang, Han
Sun, Hongbin
Shi, Xingang
Yang, Jiahai
author_facet Wang, Su
Wang, Zhiliang
Zhou, Tao
Yin, Xia
Han, Dongqi
Zhang, Han
Sun, Hongbin
Shi, Xingang
Yang, Jiahai
contents Host-based threats such as Program Attack, Malware Implantation, and Advanced Persistent Threats (APT), are commonly adopted by modern attackers. Recent studies propose leveraging the rich contextual information in data provenance to detect threats in a host. Data provenance is a directed acyclic graph constructed from system audit data. Nodes in a provenance graph represent system entities (e.g., $processes$ and $files$) and edges represent system calls in the direction of information flow. However, previous studies, which extract features of the whole provenance graph, are not sensitive to the small number of threat-related entities and thus result in low performance when hunting stealthy threats. We present threaTrace, an anomaly-based detector that detects host-based threats at system entity level without prior knowledge of attack patterns. We tailor GraphSAGE, an inductive graph neural network, to learn every benign entity's role in a provenance graph. threaTrace is a real-time system, which is scalable of monitoring a long-term running host and capable of detecting host-based intrusion in their early phase. We evaluate threaTrace on three public datasets. The results show that threaTrace outperforms three state-of-the-art host intrusion detection systems.
format Preprint
id arxiv_https___arxiv_org_abs_2111_04333
institution arXiv
publishDate 2021
record_format arxiv
spellingShingle threaTrace: Detecting and Tracing Host-based Threats in Node Level Through Provenance Graph Learning
Wang, Su
Wang, Zhiliang
Zhou, Tao
Yin, Xia
Han, Dongqi
Zhang, Han
Sun, Hongbin
Shi, Xingang
Yang, Jiahai
Cryptography and Security
Machine Learning
Host-based threats such as Program Attack, Malware Implantation, and Advanced Persistent Threats (APT), are commonly adopted by modern attackers. Recent studies propose leveraging the rich contextual information in data provenance to detect threats in a host. Data provenance is a directed acyclic graph constructed from system audit data. Nodes in a provenance graph represent system entities (e.g., $processes$ and $files$) and edges represent system calls in the direction of information flow. However, previous studies, which extract features of the whole provenance graph, are not sensitive to the small number of threat-related entities and thus result in low performance when hunting stealthy threats. We present threaTrace, an anomaly-based detector that detects host-based threats at system entity level without prior knowledge of attack patterns. We tailor GraphSAGE, an inductive graph neural network, to learn every benign entity's role in a provenance graph. threaTrace is a real-time system, which is scalable of monitoring a long-term running host and capable of detecting host-based intrusion in their early phase. We evaluate threaTrace on three public datasets. The results show that threaTrace outperforms three state-of-the-art host intrusion detection systems.
title threaTrace: Detecting and Tracing Host-based Threats in Node Level Through Provenance Graph Learning
topic Cryptography and Security
Machine Learning
url https://arxiv.org/abs/2111.04333