Provenance-based intrusion detection
Saved in:

| Main Author: | |
|---|---|
| Other Authors: | |
| Format: | Final Year Project |
| Language: | English |
| Published: | Nanyang Technological University, 2023 |
| Subjects: | |
| Online Access: | https://hdl.handle.net/10356/166065 |
| Institution: | Nanyang Technological University |
Summary:

An Intrusion Detection System (IDS) detects threats based on patterns of known exploits, malicious behaviors, and attack techniques. Provenance graphs are directed graphs that record the detailed history of data, including how they are generated and every action performed on them. They provide a holistic and structured view of what is going on in the system and record footprints that include those of both legitimate users and attackers. By capturing the detailed information flow between system executions and system objects, they serve as an apt data source for intrusion detection.

Cyberattacks such as Advanced Persistent Threats (APTs) are becoming increasingly sophisticated and common. Traditional IDS are unable to cope: they produce a high false-positive rate, and security experts must spend considerable effort validating each alert. As a result, incidents can remain undetected for several months, and enterprises then suffer severe damage financially or through loss of data [1]. The potential of provenance graphs for intrusion detection has been demonstrated in recent studies [2]: provenance-based methods can attain higher detection accuracy and performance, and lower false-alarm rates, than traditional system-call-based methods [3].

In this project, I will leverage provenance graphs as the data source for intrusion detection. The project aims to collect and generate provenance graphs of both benign and malicious cases in order to analyze graph mining algorithms for a modern IDS.