Title: Provenance graph generation for intrusion detection
Authors: Chew, Perlyn Jie Ying
Keywords: Engineering::Computer science and engineering::Computer systems organization::Computer system implementation
Issue Date: 2023
Publisher: Nanyang Technological University
Source: Chew, P. J. Y. (2023). Provenance graph generation for intrusion detection. Final Year Project (FYP), Nanyang Technological University, Singapore.
Abstract: In this digital age, cyberattacks are becoming more complex and are accompanied by increasingly severe consequences. Traditional intrusion detection systems struggle to identify sophisticated threats such as zero-day attacks or Advanced Persistent Threats (APTs) efficiently and effectively. To address this challenge, modern approaches are required. Provenance graphs emerge as a promising data source for modern intrusion detection by capturing comprehensive information on both malicious and benign system activities. Provenance describes the history or lineage of an object and captures how digital objects arrived at their existing state. These graphs present complex dependencies and relationships in the form of a directed acyclic graph that can be analysed using machine learning methods. However, there are few end-to-end pipelines that automatically generate and transform provenance data into graph representations suitable for machine learning. The Flurry framework is a contemporary approach, built upon the CamFlow provenance capture system, to improve the reproducibility and ease of generating provenance graphs for machine learning. Recognising the potential of provenance graphs and the challenges in their generation, this research aims to implement Flurry and improve the generation and capture of provenance graphs for intrusion detection. Intrusion scenarios were designed and then simulated on multiple security-sensitive applications across various operating systems. Extensive datasets of provenance graphs were produced by dynamically executing various attacks on Fedora and Ubuntu, then used to train and validate state-of-the-art graph-based models in order to evaluate their effectiveness and accuracy. Specifically, the provenance graphs were seamlessly exported as a dataset for a Graph Convolution Network (GCN) in this project. The results affirm Flurry as an excellent framework for generating provenance graphs. Additionally, the strong performance of cutting-edge graph-based models in tasks like graph classification and anomaly detection underscores the potential of provenance graphs as an ideal data source for contemporary intrusion detection systems.
Schools: School of Computer Science and Engineering 
Fulltext Permission: restricted
Fulltext Availability: With Fulltext
Appears in Collections: SCSE Student Reports (FYP/IA/PA/PI)

Files in This Item:
Provenance Graph Generation for Intrusion Detection_Final.pdf (Adobe PDF, Restricted Access)

Updated on Jul 15, 2024

Items in DR-NTU are protected by copyright, with all rights reserved, unless otherwise indicated.