TY - JOUR
T1 - A baseline for unsupervised advanced persistent threat detection in system-level provenance
AU - Berrada, Ghita
AU - Cheney, James
AU - Benabderrahmane, Sidahmed
AU - Maxwell, William
AU - Mookherjee, Himan
AU - Theriault, Alec
AU - Wright, Ryan
N1 - Funding Information:
This material is based upon work partially supported by the Defense Advanced Research Projects Agency (DARPA) under contract FA8650-15-C-7557. Mookherjee was partially supported by a grant from LogicBlox, Inc. Benabderrahmane and Cheney were also supported by ERC Consolidator Grant Skye (grant number 682315).
Publisher Copyright:
© 2020 Elsevier B.V.
Copyright:
Copyright 2020 Elsevier B.V., All rights reserved.
PY - 2020/7
Y1 - 2020/7
N2 - Advanced persistent threats (APTs) are stealthy, sophisticated, and unpredictable cyberattacks that can steal intellectual property, damage critical infrastructure, or cause millions of dollars in damage. Detecting APTs by monitoring system-level activity is difficult because manually inspecting the high volume of normal system activity is overwhelming for security analysts. We evaluate the effectiveness of unsupervised batch and streaming anomaly detection algorithms over multiple gigabytes of provenance traces recorded on four different operating systems to determine whether they can detect realistic APT-like attacks reliably and efficiently. This article is the first detailed study of the effectiveness of generic unsupervised anomaly detection techniques in this setting.
AB - Advanced persistent threats (APTs) are stealthy, sophisticated, and unpredictable cyberattacks that can steal intellectual property, damage critical infrastructure, or cause millions of dollars in damage. Detecting APTs by monitoring system-level activity is difficult because manually inspecting the high volume of normal system activity is overwhelming for security analysts. We evaluate the effectiveness of unsupervised batch and streaming anomaly detection algorithms over multiple gigabytes of provenance traces recorded on four different operating systems to determine whether they can detect realistic APT-like attacks reliably and efficiently. This article is the first detailed study of the effectiveness of generic unsupervised anomaly detection techniques in this setting.
KW - Advanced persistent threats
KW - Anomaly detection
KW - Cyber security
KW - Provenance
KW - Unsupervised learning
UR - http://www.scopus.com/inward/record.url?scp=85080853585&partnerID=8YFLogxK
U2 - 10.1016/j.future.2020.02.015
DO - 10.1016/j.future.2020.02.015
M3 - Article
AN - SCOPUS:85080853585
SN - 0167-739X
VL - 108
SP - 401
EP - 413
JO - FUTURE GENERATION COMPUTER SYSTEMS
JF - FUTURE GENERATION COMPUTER SYSTEMS
ER -