Provenance-based intrusion detection

Abstract

Complex heterogeneous dynamic networks, such as knowledge graphs, are important constructions for simulating the records of data modification, access and usage in computer systems. In this project we investigated the analysis of these graphs and the tracing of their pattern to uncover cyber security related threats using the visual assistance of graphs to illustrate how people interact with data. The application of a provenance detection system might strengthen our future cybersecurity defenses. Camflow, a whole system provenance capturing Linux Security module, has shown great results for capturing information in W3C/JSON format and is also capable of displaying the provenance graph recorded of how the user interacts with the system through the use of MQTT.

However, Camflow cannot give data in a user-readable manner on its own, hence the intention is to employ Flurry, a tool that can handle information gathered by Camflow. Flurry is an application that facilitates webserver setup. Camflow records/captures user benign or malicious behavior on the website. Flurry will filter this data using W3C filters and analyze them before displaying them in user-friendly graphics.