Saved in:
Bibliographic Details
Main Authors: Xiao, Yue, Jiang, Ling, Nie, Sen, Li, Ding, Wu, Shi, Xu, Ke, Li, Qi
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2603.22982
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866911541389950976
author Xiao, Yue
Jiang, Ling
Nie, Sen
Li, Ding
Wu, Shi
Xu, Ke
Li, Qi
author_facet Xiao, Yue
Jiang, Ling
Nie, Sen
Li, Ding
Wu, Shi
Xu, Ke
Li, Qi
contents Provenance-based Intrusion Detection Systems (PIDSes) have been widely used to detect Advanced Persistent Threats (APTs). Although many studies achieve high performance in the evaluations of their original papers, their performance in industrial scenarios remains unclear. To fill this gap, we conduct the first systematic evaluation and analysis of PIDSes in industrial scenarios. We first analyze the differences between the data from DARPA datasets and that collected in industrial scenarios, identifying three main new characteristics in industry: heterogeneous multi-source inputs, more powerful attackers, and increasing benign activity complexity. We then build several datasets to evaluate five state-of-the-art PIDSes. The evaluation results reveal challenges for existing PIDSes, including poor portability across different hosts and platforms, low detection performance against real-world attacks, and high false positive rates with ever-changing benign activities. Based on the evaluation results and our industrial practices, we provide several insights to solve or explain the above problems. For example, we propose a method to mitigate the high false positives, which reduces manual effort by 2/3. Finally, we propose several research suggestions to improve PIDSes.
format Preprint
id arxiv_https___arxiv_org_abs_2603_22982
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle How Far Should We Need to Go : Evaluate Provenance-based Intrusion Detection Systems in Industrial Scenarios
Xiao, Yue
Jiang, Ling
Nie, Sen
Li, Ding
Wu, Shi
Xu, Ke
Li, Qi
Cryptography and Security
Provenance-based Intrusion Detection Systems (PIDSes) have been widely used to detect Advanced Persistent Threats (APTs). Although many studies achieve high performance in the evaluations of their original papers, their performance in industrial scenarios remains unclear. To fill this gap, we conduct the first systematic evaluation and analysis of PIDSes in industrial scenarios. We first analyze the differences between the data from DARPA datasets and that collected in industrial scenarios, identifying three main new characteristics in industry: heterogeneous multi-source inputs, more powerful attackers, and increasing benign activity complexity. We then build several datasets to evaluate five state-of-the-art PIDSes. The evaluation results reveal challenges for existing PIDSes, including poor portability across different hosts and platforms, low detection performance against real-world attacks, and high false positive rates with ever-changing benign activities. Based on the evaluation results and our industrial practices, we provide several insights to solve or explain the above problems. For example, we propose a method to mitigate the high false positives, which reduces manual effort by 2/3. Finally, we propose several research suggestions to improve PIDSes.
title How Far Should We Need to Go : Evaluate Provenance-based Intrusion Detection Systems in Industrial Scenarios
topic Cryptography and Security
url https://arxiv.org/abs/2603.22982