Provenance-based Intrusion Detection: Opportunities and Challenges
This paper addresses the challenge of improving intrusion detection for cybersecurity, but it is incremental in that it builds on existing provenance concepts.
The paper tackles the problem of attackers evading intrusion detection systems by proposing provenance graph analysis, which offers a holistic, attack-vector-agnostic view to strengthen detection robustness.
Intrusion detection is an arms race; attackers evade intrusion detection systems by developing new attack vectors to sidestep known defense mechanisms. Provenance provides a detailed, structured history of the interactions of digital objects within a system. It is ideal for intrusion detection, because it offers a holistic, attack-vector-agnostic view of system execution. As such, provenance graph analysis fundamentally strengthens detection robustness. We discuss the opportunities and challenges associated with provenance-based intrusion detection and provide insights based on our experience building such systems.
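To make the "structured history of interactions" concrete, here is an added illustration (not code from the paper or its authors) of what provenance-based detection looks like: a provenance graph is built from constructed audit events, taint is propagated forward from a sensitive file while honouring event ordering, and any network sink reached is reported together with the backward-traced path that explains it. Node names, the event format and the sensitive-file policy are assumptions for the example.

```python
import heapq
from collections import defaultdict

# Constructed audit events for this example (not data from the paper).
# Each tuple is (timestamp, source, action, destination), with the edge
# oriented the way information flows: file -read-> process, process -write->
# file, parent -fork-> child, process -send-> socket.
EVENTS = [
    (0, "proc:sshd", "fork", "proc:bash"),
    (1, "proc:bash", "send", "socket:192.0.2.10:80"),  # before the read: no leak
    (2, "file:/etc/shadow", "read", "proc:bash"),
    (3, "proc:bash", "write", "file:/tmp/.cache"),
    (4, "proc:bash", "fork", "proc:curl"),
    (5, "file:/tmp/.cache", "read", "proc:curl"),
    (6, "proc:curl", "send", "socket:198.51.100.7:443"),
    (7, "file:/var/log/syslog", "read", "proc:logrotate"),
    (8, "proc:logrotate", "write", "file:/var/log/syslog.1"),
]

SENSITIVE = {"file:/etc/shadow"}  # assumed policy: taint sources


def build_graph(events):
    """Provenance graph as adjacency lists: src -> [(dst, action, ts)]."""
    graph = defaultdict(list)
    for ts, src, action, dst in events:
        graph[src].append((dst, action, ts))
    return graph


def trace_flows(graph, sources, sink_prefix="socket:"):
    """Propagate taint forward from `sources`, earliest-time first. An edge
    carries taint only if it occurred at or after the moment its source node
    became tainted, so an earlier send (event 1 above) is not a finding.
    Returns {sink: [(src, action, ts, dst), ...]} for each sink reached."""
    earliest = {s: 0 for s in sources}  # node -> time it became tainted
    parent = {}                         # node -> (prev_node, action, ts)
    heap = [(0, s) for s in sources]
    while heap:
        t, node = heapq.heappop(heap)
        if t > earliest[node]:
            continue                    # stale heap entry
        for dst, action, ts in graph.get(node, []):
            if ts >= t and ts < earliest.get(dst, float("inf")):
                earliest[dst] = ts
                parent[dst] = (node, action, ts)
                heapq.heappush(heap, (ts, dst))
    return {n: backward_path(parent, n) for n in earliest if n.startswith(sink_prefix)}


def backward_path(parent, node):
    """Backward provenance: walk parent pointers from a sink to its source."""
    steps = []
    while node in parent:
        prev, action, ts = parent[node]
        steps.append((prev, action, ts, node))
        node = prev
    return list(reversed(steps))
```

Running `trace_flows(build_graph(EVENTS), SENSITIVE)` reports only the 198.51.100.7 socket, explained by the path shadow file, bash, curl, socket; the earlier send and the unrelated logrotate activity are not flagged.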