A baseline for unsupervised advanced persistent threat detection in system-level provenance

Ghita Berrada*, James Cheney*, Sidahmed Benabderrahmane*, William Maxwell, Himan Mookherjee, Alec Theriault, Ryan Wright

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

26 Citations (Scopus)

Abstract

Advanced persistent threats (APTs) are stealthy, sophisticated, and unpredictable cyberattacks that can steal intellectual property, damage critical infrastructure, or cause millions of dollars in damage. Detecting APTs by monitoring system-level activity is difficult because manually inspecting the high volume of normal system activity is overwhelming for security analysts. We evaluate the effectiveness of unsupervised batch and streaming anomaly detection algorithms over multiple gigabytes of provenance traces recorded on four different operating systems to determine whether they can detect realistic APT-like attacks reliably and efficiently. This article is the first detailed study of the effectiveness of generic unsupervised anomaly detection techniques in this setting.

Original language: English
Pages (from-to): 401-413
Number of pages: 13
Journal: FUTURE GENERATION COMPUTER SYSTEMS
Volume: 108
DOIs
Publication status: Published - Jul 2020

Keywords

  • Advanced persistent threats
  • Anomaly detection
  • Cyber security
  • Provenance
  • Unsupervised learning
