Aggregating unsupervised provenance anomaly detectors

Ghita Berrada, James Cheney

Research output: Chapter in Book/Report/Conference proceedingConference contribution


System-level provenance offers great promise for improving security by facilitating the detection of attacks. Unsupervised anomaly detection techniques are necessary to defend against subtle or unpredictable attacks, such as advanced persistent threats (APTs). However, it is difficult to know in advance which views of the provenance graph will be most valuable as a basis for unsupervised anomaly detection on a given system. We present baseline anomaly detection results on the effectiveness of two existing algorithms on APT attack scenarios from four different operating systems, and identify simple score or rank aggregation techniques that are effective at aggregating anomaly scores and improving detection performance.
Original languageEnglish
Title of host publication11th International Workshop on Theory and Practice of Provenance
PublisherUSENIX Association
Number of pages9
Publication statusE-pub ahead of print - 16 May 2019
Event11th International Workshop on Theory and Practice of Provenance - Philadelphia, United States
Duration: 3 Jun 20193 Jun 2019


Workshop11th International Workshop on Theory and Practice of Provenance
Abbreviated titleTaPP 2019
Country/TerritoryUnited States
Internet address


Dive into the research topics of 'Aggregating unsupervised provenance anomaly detectors'. Together they form a unique fingerprint.

Cite this