ANUBIS: A Provenance Graph-Based Framework for Advanced Persistent Threat Detection
This is an incremental improvement for enterprise cyber defense teams, offering explainable predictions to aid threat analysts.
The paper tackles the problem of detecting Advanced Persistent Threats (APTs) by presenting ANUBIS, a machine learning system that uses provenance graphs and a Bayesian Neural Network to achieve high accuracy in detecting malicious activity on the DARPA OpTC dataset.
We present ANUBIS, a highly effective machine learning-based APT detection system. Our design philosophy for ANUBIS involves two principal components. Firstly, we intend ANUBIS to be effectively utilized by cyber-response teams. Therefore, prediction explainability is one of the main focuses of ANUBIS design. Secondly, ANUBIS uses system provenance graphs to capture causality and thereby achieve high detection performance. At the core of the predictive capability of ANUBIS, there is a Bayesian Neural Network that can tell how confident it is in its predictions. We evaluate ANUBIS against a recent APT dataset (DARPA OpTC) and show that ANUBIS can detect malicious activity akin to APT campaigns with high accuracy. Moreover, ANUBIS learns about high-level patterns that allow it to explain its predictions to threat analysts. The high predictive performance with explainable attack story reconstruction makes ANUBIS an effective tool to use for enterprise cyber defense.