Aggregating unsupervised provenance anomaly detectors

Ghita Berrada; James Cheney

Aggregating unsupervised provenance anomaly detectors

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

System-level provenance offers great promise for improving security by facilitating the detection of attacks. Unsupervised anomaly detection techniques are necessary to defend against subtle or unpredictable attacks, such as advanced persistent threats (APTs). However, it is difficult to know in advance which views of the provenance graph will be most valuable as a basis for unsupervised anomaly detection on a given system. We present baseline anomaly detection results on the effectiveness of two existing algorithms on APT attack scenarios from four different operating systems, and identify simple score or rank aggregation techniques that are effective at aggregating anomaly scores and improving detection performance.

Original language	English
Title of host publication	11th International Workshop on Theory and Practice of Provenance
Publisher	USENIX Association
Number of pages	9
Publication status	E-pub ahead of print - 16 May 2019
Event	11th International Workshop on Theory and Practice of Provenance - Philadelphia, United States Duration: 3 Jun 2019 → 3 Jun 2019 https://sites.google.com/uncc.edu/tapp-2019/home

Workshop

Workshop	11th International Workshop on Theory and Practice of Provenance
Abbreviated title	TaPP 2019
Country/Territory	United States
City	Philadelphia
Period	3/06/19 → 3/06/19
Internet address	https://sites.google.com/uncc.edu/tapp-2019/home

Access to Document

paperAccepted author manuscript, 684 KB

https://www.usenix.org/conference/tapp2019/presentation/berrada

2 Finished

Turing Fellowship
Cheney, J.
UK-based charities
1/09/18 → 31/08/20
Project: Research
A Diagnostics Approach to Persistent Threat Detection (ADAPT)
Cheney, J.
Non-EU other
26/06/15 → 30/06/19
Project: Research

Cite this

@inproceedings{982be624fba8494caf5005539c5cca6a,

title = "Aggregating unsupervised provenance anomaly detectors",

abstract = "System-level provenance offers great promise for improving security by facilitating the detection of attacks. Unsupervised anomaly detection techniques are necessary to defend against subtle or unpredictable attacks, such as advanced persistent threats (APTs). However, it is difficult to know in advance which views of the provenance graph will be most valuable as a basis for unsupervised anomaly detection on a given system. We present baseline anomaly detection results on the effectiveness of two existing algorithms on APT attack scenarios from four different operating systems, and identify simple score or rank aggregation techniques that are effective at aggregating anomaly scores and improving detection performance.",

author = "Ghita Berrada and James Cheney",

year = "2019",

month = may,

day = "16",

language = "English",

booktitle = "11th International Workshop on Theory and Practice of Provenance",

publisher = "USENIX Association",

note = "11th International Workshop on Theory and Practice of Provenance, TaPP 2019 ; Conference date: 03-06-2019 Through 03-06-2019",

url = "https://sites.google.com/uncc.edu/tapp-2019/home",

}

TY - GEN

T1 - Aggregating unsupervised provenance anomaly detectors

AU - Berrada, Ghita

AU - Cheney, James

PY - 2019/5/16

Y1 - 2019/5/16

N2 - System-level provenance offers great promise for improving security by facilitating the detection of attacks. Unsupervised anomaly detection techniques are necessary to defend against subtle or unpredictable attacks, such as advanced persistent threats (APTs). However, it is difficult to know in advance which views of the provenance graph will be most valuable as a basis for unsupervised anomaly detection on a given system. We present baseline anomaly detection results on the effectiveness of two existing algorithms on APT attack scenarios from four different operating systems, and identify simple score or rank aggregation techniques that are effective at aggregating anomaly scores and improving detection performance.

AB - System-level provenance offers great promise for improving security by facilitating the detection of attacks. Unsupervised anomaly detection techniques are necessary to defend against subtle or unpredictable attacks, such as advanced persistent threats (APTs). However, it is difficult to know in advance which views of the provenance graph will be most valuable as a basis for unsupervised anomaly detection on a given system. We present baseline anomaly detection results on the effectiveness of two existing algorithms on APT attack scenarios from four different operating systems, and identify simple score or rank aggregation techniques that are effective at aggregating anomaly scores and improving detection performance.

M3 - Conference contribution

BT - 11th International Workshop on Theory and Practice of Provenance

PB - USENIX Association

T2 - 11th International Workshop on Theory and Practice of Provenance

Y2 - 3 June 2019 through 3 June 2019

ER -

Aggregating unsupervised provenance anomaly detectors

Abstract

Workshop

Access to Document

Fingerprint

Projects

Turing Fellowship

A Diagnostics Approach to Persistent Threat Detection (ADAPT)

Cite this