THREATRACE: Detecting and Tracing Host-Based Threats in Node Level Through Provenance Graph Learning

Wang, Su; Wang, Zhiliang; Zhou, Tao; Yin, Xia; Han, Dongqi; Zhang, Han; Sun, Hongbin; Shi, Xingang; Yang, Jiahai

doi:10.1109/tifs.2022.3208815

Cited by 43 publications

(12 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Another group of work proposed clustering and learning-based techniques to distinguish between benign and anomalous patterns in the provenance graph. These works applied several intuitions to graph analysis such as the use of graph sketching techniques [21,51], graph embedding techniques [41,73], knowledge graph embedding techniques [84,85], and sequence-based neural embedding methods [1,43,71].…”

Section: Ablation Studymentioning

confidence: 99%

“…Second, they enable the application of advanced graph algorithms in audit log analysis. Consequently, provenance graph analysis has been extensively employed in the detection of anomalous system activities [14,21,41,43,51,71,73,85]; root-cause analysis and forensic tracking [15,25,29,34,45]; attack story generation [1,27,28,58]; and supporting alert validation and investigation [23,24,54,77].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

ProvG-Searcher: A Graph Representation Learning Approach for Efficient Provenance Graph Search

Altinisik,

Deniz,

Sencar

2023

Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

We present ProvG-Searcher, a novel approach for detecting known APT behaviors within system security logs. Our approach leverages provenance graphs, a comprehensive graph representation of event logs, to capture and depict data provenance relations by mapping system entities as nodes and their interactions as edges. We formulate the task of searching provenance graphs as a subgraph matching problem and employ a graph representation learning method. The central component of our search methodology involves embedding of subgraphs in a vector space where subgraph relationships can be directly evaluated. We achieve this through the use of order embeddings that simplify subgraph matching to straightforward comparisons between a query and precomputed subgraph representations. To address challenges posed by the size and complexity of provenance graphs, we propose a graph partitioning scheme and a behavior-preserving graph reduction method. Overall, our technique offers significant computational efficiency, allowing most of the search computation to be performed offline while incorporating a lightweight comparison step during query execution. Experimental results on standard datasets demonstrate that ProvG-Searcher achieves superior performance, with an accuracy exceeding 99% in detecting query behaviors and a false positive rate of approximately 0.02%, outperforming other approaches. CCS CONCEPTS• Security and privacy → Intrusion detection systems; Systems security; Intrusion/anomaly detection and malware mitigation.

show abstract

Section: Ablation Studymentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

ProvG-Searcher: A Graph Representation Learning Approach for Efficient Provenance Graph Search

Altinisik,

Deniz,

Sencar

2023

Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

show abstract

“…Recently, many research works on intrusion and threat detection have adopted system provenance-based algorithms considering its potential in this domain [262,258,168,170,254]. The threat detection in these studies generally involves creating a provenance graph of the system's history via tagging and tracking of system events and then utilizing graph characteristics for the task [168].…”

Section: Researchers Believe That System Provenance Has the Potentialmentioning

confidence: 99%

“…Wang et al [254] proposed ThreaTrace, a real-time system to detect host-based threats at the system entity level, leveraging provenance and neural networks, i.e., GraphSAGE. Abbas et al [1] proposed an automated method to detect crossnamespace attacks using provenance graphs modeling crossnamespace events, i.e., the interaction between two containers or a container and the host.…”

Section: Researchers Believe That System Provenance Has the Potentialmentioning

confidence: 99%

Automating Behavior-based Ransomware Analysis, Detection, and Classification Using Machine Learning

Abbasi¹

View full text Add to dashboard Cite

Ransomware is malware that hijacks a victim's data using encryption and demands a ransom in exchange for the decryption key. Ransomware has gained prominence due to its attack vector and the irreversible nature of damage to data. Ransomware has indiscriminately attacked individuals and organizations worldwide, disrupting their businesses and services. The number of successful ransomware attacks across the globe highlights the inadequacy of existing ransomware defense. Static and dynamic analysis are two popular approaches to malware analysis. The former does not require execution of the malware binary, whereas the latter requires executing the binary in a controlled environment. Static analysis-based detection, e.g., signature-matching, is widely adopted by commercial antivirus solutions but can be thwarted by evasion techniques, e.g., polymorphism and code obfuscation, utilized in modern malware. Consequently, dynamic analysis-based or behavior-based detection approaches have gained popularity because malware behavior cannot be changed entirely across its variants. Both signature and behavior-based detection complement each other. Behavior-based ransomware detection comes with certain challenges and problems, such as data high-dimensionality that occurs because a process may execute thousands of API calls per second. Manual inspection of these API calls for feature engineering requires an expert and is a time-intensive task. Another problem with some existing ransomware detection models is the reliance on handcrafted malice scoring functions that assign scores to the processes describing their threat levels. Other challenges to ransomware detection research include the limited availability of ransomware data sets that can be used with Machine Learning (ML) methods and their reuse scope. The scope of reuse of available data sets is limited because of their format, e.g., sequential data may be used with recurrent neural networks but not with commonly used ML-based classification algorithms, and focus, e.g., network activity and filesystem activity. For the above-mentioned reasons, ransomware detection research is generally followed by ransomware analysis. However, to the best of our knowledge, not many of the existing ransomware behavior analysis studies discuss the challenges involved in the process. This thesis aims to automate the solutions to the problems related to ransomware behavior detection and classification using evolutionary computation methods, i.e., particle swarm optimization and genetic programming, and deep neural networks, i.e., long short-term memory. This thesis proposes a wrapper feature selection method to address the high dimensionality in ransomware behavior data. The proposed method utilizes particle swarm optimization to automatically select a suitable number of features from each feature group and therefore does not require expert input. This thesis further proposes an automated method of evolving malice scoring models for ransomware detection. The proposed method formulates the problem as a symbolic regression problem and solves it using genetic programming. Unlike existing methods, the proposed method does not require expert knowledge to design the model. Furthermore, this thesis proposes an automated behavior analysis framework for highlighting challenges associated with ransomware behavior analysis and solutions to these challenges. Finally, this thesis proposes a new representation of the API call sequences that combines the API call names and important call arguments. The proposed representation of the API call sequences helped improve ransomware early detection performance. All the methods proposed in this thesis either automate the existing manual solutions or achieve comparable or better performance compared to existing methods.

show abstract

“…In our work, we used the GNN that consists of GraphSage GNN [73] for node embedding, following the Softmax function for node classification into malicious and benign activity. Additionally, we considered the ThreaTrace approach [171] that leverages GraphSage architecture to learn node embeddings and use them in supervised settings to train multiple submodels to predict the labels of nodes in the provenance graph. The training happens on benign data.…”

Section: Chapter 5 Feasible Evasion Attacks In Constrained Environmentsmentioning

confidence: 99%

Towards resilient cyber networks against adversarial attacks

Chernikova

View full text Add to dashboard Cite

I am infinitely grateful to my advisor, Alina Oprea. Her constant guidance, support, honesty, and optimism have been the foundation for my success as a Ph.D. student. I have always been fascinated and inspired by her intellectuality, as well as her compassion and integrity. Alina's trust and belief in me as a researcher were invaluable. Cristina Nita-Rotaru was the first person I met at Northeastern. I still remember my excitement after our first conversation, and I felt like the happiest person in the world after talking about the opportunities at Northeastern in the NDS2 laboratory. Cristina always provided valuable feedback on my research and gave advice on Ph.D. student life. Alina and Cristina have made the NDS2 lab a supportive and friendly place where I flourished as a researcher and person. During the darkest times of my life, they were sources of light. Without them, I would never have made it to the end. I am so grateful that Alina and Cristina opened the door to the new life of the scientist I have always dreamed of.I am very thankful to Tina Eliassi-Rad, who was always on my side, supporting me and cheering me up. She showed me what it means to be a good researcher, inspired me with her rigor and attention to detail, and helped me build confidence in the value of my work. I met Nicola Perra while working on one of the research projects. I was immediately fascinated by his detailed knowledge of the research topic we were working on, his research attitude, and his limitless scientific abilities. I met Nicolò Gozzi, a knowledgeable and great researcher on the same project. I could never finish the project successfully without their ideas, knowledge, and support. It was a great pleasure to work with such intellectual and friendly individuals. I am very thankful to them for our collaboration.I am grateful to all members of the NDS2 lab for all the amazing moments of sincere joy we shared. I am honored to be a part of such a great community of researchers. I also would like to thank all the students and postdocs of the ISEC community -it was a pleasure to gather over lunches, go bouldering, watch movies, have endless discussions, party, and enjoy pies in their company. I am so happy that I became friends with Jack Doerner and Marinos Vomvas and spent infinite hours discussing and making art with them. I will never forget developing film in the lab, having weird and interesting ideas for photos, attending galleries and exhibitions, taking photos walking around Boston, and experiencing the total solar eclipse. I am also very grateful to Maryam Motallebighomi for her kindness, support, sincerity, and for the time we spent together.I want to thank my undergraduate Thesis advisor, Vladimir Malugin, for introducing me to the world of research and for all the knowledge and wisdom he shared. I was also lucky to learn from other Belarusian State University professors: Eugeniy Zhuk, Vitaliy Alsevich, Adolf Naumovich, Alexander Mazanik, and Vladimir Zadvorny. I am very grateful to my high school physics teacher, Vladi...

show abstract

THREATRACE: Detecting and Tracing Host-Based Threats in Node Level Through Provenance Graph Learning

Cited by 43 publications

References 29 publications

ProvG-Searcher: A Graph Representation Learning Approach for Efficient Provenance Graph Search

ProvG-Searcher: A Graph Representation Learning Approach for Efficient Provenance Graph Search

Automating Behavior-based Ransomware Analysis, Detection, and Classification Using Machine Learning

Towards resilient cyber networks against adversarial attacks

Contact Info

Product

Resources

About