A baseline for unsupervised advanced persistent threat detection in system-level provenance
This work addresses the challenge that the high volume of normal system activity overwhelms security analysts attempting APT detection; it is incremental in that it applies existing methods to a new domain.
The study tackles the problem of detecting advanced persistent threats (APTs) in system-level provenance data by evaluating unsupervised anomaly detection algorithms on multiple gigabytes of traces recorded across four operating systems, finding that these algorithms can detect realistic APT-like attacks reliably and efficiently.
Advanced persistent threats (APTs) are stealthy, sophisticated, and unpredictable cyberattacks that can steal intellectual property, damage critical infrastructure, or cause millions of dollars in damage. Detecting APTs by monitoring system-level activity is difficult because manually inspecting the high volume of normal system activity is overwhelming for security analysts. We evaluate the effectiveness of unsupervised batch and streaming anomaly detection algorithms over multiple gigabytes of provenance traces recorded on four different operating systems to determine whether they can detect realistic APT-like attacks reliably and efficiently. This report is the first detailed study of the effectiveness of generic unsupervised anomaly detection techniques in this setting.
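The abstract contrasts batch and streaming unsupervised detection over provenance traces without naming the algorithms it evaluates. The following added example (written for this page, not code from the paper or its authors) illustrates that distinction on a constructed, synthetic trace: each process is summarised as a vector of event-type counts, a batch detector fits the statistics of the whole trace at once, and a streaming detector maintains running statistics and scores each process when it exits. The event schema, the process names, the z-score detector with a count floor, and the threshold are all assumptions made for the illustration; the paper's own algorithms and data differ.

```python
"""Batch vs. streaming unsupervised anomaly scoring over toy provenance events.

Illustrative example only: the trace is constructed, and the simple
z-score detector stands in for whatever algorithms a real study uses.
"""
import math
from collections import Counter, defaultdict

# Event types that form the per-process feature vector (assumed schema).
EVENT_TYPES = ("open", "read", "write", "exec", "fork", "connect")


def _synth(pid, comm, start, spec):
    """Expand a compact (event, count) spec into (ts, pid, comm, event, obj) records."""
    t, out = start, []
    for ev, n in spec:
        for i in range(n):
            out.append((t, pid, comm, ev, f"obj{i}"))
            t += 1
    out.append((t, pid, comm, "exit", ""))   # process end marks a complete vector
    return out


# Constructed sample trace (not real data): five ordinary file-oriented
# processes, plus one whose counts are dominated by exec/fork/connect so
# that the detectors have a clearly different profile to score.
TRACE = sorted(
    _synth(101, "bash", 0, [("open", 3), ("read", 3), ("write", 1)])
    + _synth(102, "vim", 10, [("open", 4), ("read", 3), ("write", 1)])
    + _synth(103, "grep", 20, [("open", 3), ("read", 4), ("write", 2)])
    + _synth(104, "cat", 30, [("open", 3), ("read", 3), ("write", 1)])
    + _synth(105, "ls", 40, [("open", 2), ("read", 2), ("write", 1)])
    + _synth(106, "upd8r", 50, [("open", 1), ("write", 3), ("exec", 2),
                                ("fork", 2), ("connect", 3)])
)


def vectorize(counts):
    """Fixed-order count vector for one process."""
    return [counts.get(ev, 0) for ev in EVENT_TYPES]


def zscore_norm(v, means, stds, std_floor=1.0):
    """L2 norm of the per-feature z-scores. Count features with near-zero
    spread get a floor of one event so a single rare event is not infinite."""
    return math.sqrt(sum(((x - m) / max(s, std_floor)) ** 2
                         for x, m, s in zip(v, means, stds)))


def per_process_vectors(trace):
    counts = defaultdict(Counter)
    for _, pid, _, ev, _ in trace:
        if ev != "exit":
            counts[pid][ev] += 1
    return {pid: vectorize(c) for pid, c in counts.items()}


def batch_detect(trace, threshold=3.0):
    """Batch mode: statistics come from the entire trace, anomalies included."""
    vecs = per_process_vectors(trace)
    rows, d = list(vecs.values()), len(EVENT_TYPES)
    means = [sum(r[j] for r in rows) / len(rows) for j in range(d)]
    stds = [math.sqrt(sum((r[j] - means[j]) ** 2 for r in rows) / len(rows))
            for j in range(d)]
    scores = {pid: zscore_norm(v, means, stds) for pid, v in vecs.items()}
    flagged = sorted(pid for pid, s in scores.items() if s > threshold)
    return scores, flagged


class RunningStats:
    """Welford's online mean/variance per feature (population variance)."""
    def __init__(self, dim):
        self.n, self.mean, self.m2 = 0, [0.0] * dim, [0.0] * dim

    def update(self, v):
        self.n += 1
        for j, x in enumerate(v):
            delta = x - self.mean[j]
            self.mean[j] += delta / self.n
            self.m2[j] += delta * (x - self.mean[j])

    def stds(self):
        return [math.sqrt(m2 / self.n) if self.n else 0.0 for m2 in self.m2]


def stream_detect(trace, threshold=3.0, warmup=3):
    """Streaming mode: score each process at exit against what was seen so far."""
    stats, live, alerts = RunningStats(len(EVENT_TYPES)), defaultdict(Counter), []
    for ts, pid, comm, ev, _ in sorted(trace):
        if ev != "exit":
            live[pid][ev] += 1
            continue
        v = vectorize(live.pop(pid))
        if stats.n >= warmup:                      # no scoring before a baseline exists
            score = zscore_norm(v, stats.mean, stats.stds())
            if score > threshold:
                alerts.append((ts, pid, comm, round(score, 2)))
        stats.update(v)                            # unsupervised: every process updates the model
    return alerts


if __name__ == "__main__":
    scores, flagged = batch_detect(TRACE)
    print("batch flagged:", flagged, {p: round(s, 2) for p, s in scores.items()})
    print("stream alerts:", stream_detect(TRACE))
```

Two properties worth noticing: in batch mode the anomalous process contaminates the mean and spread it is scored against, which lowers its own score (the price of having no labels), while in streaming mode nothing can be scored until a warm-up baseline exists, and a process that slips past the threshold still updates the model. Both effects are small on this toy trace but matter at the multi-gigabyte scale the abstract describes.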