Abstract
System-level provenance offers great promise for improving security by facilitating the detection of attacks. Unsupervised anomaly detection techniques are necessary to defend against subtle or unpredictable attacks, such as advanced persistent threats (APTs). However, it is difficult to know in advance which views of the provenance graph will be most valuable as a basis for unsupervised anomaly detection on a given system. We present baseline anomaly detection results on the effectiveness of two existing algorithms on APT attack scenarios from four different operating systems, and identify simple score or rank aggregation techniques that are effective at aggregating anomaly scores and improving detection performance.
| Original language | English |
|---|---|
| Publication status | Published - 2019 |
| Event | 11th International Workshop on the Theory and Practice of Provenance, TaPP 2019 - Philadelphia, United States Duration: 3 Jun 2019 → … |
Conference
| Conference | 11th International Workshop on the Theory and Practice of Provenance, TaPP 2019 |
|---|---|
| Country/Territory | United States |
| City | Philadelphia |
| Period | 3/06/2019 → … |