Please use this identifier to cite or link to this item:
https://hdl.handle.net/10356/175514
Title: | Provenance-based intrusion detection |
Authors: | Ong, Benjamin Chee Meng |
Keywords: | Computer and Information Science |
Issue Date: | 2024 |
Publisher: | Nanyang Technological University |
Source: | Ong, B. C. M. (2024). Provenance-based intrusion detection. Final Year Project (FYP), Nanyang Technological University, Singapore. https://hdl.handle.net/10356/175514 |
Project: | SCSE23-0397 |
Abstract: | In today's digital landscape, the complexity and severity of cyberattacks are constantly growing, to the point where they pose significant challenges to the intrusion detection systems currently in use. These systems are becoming less effective at recognising and mitigating sophisticated threats, including zero-day exploits and Advanced Persistent Threats (APTs). To surmount this challenge, more reliable and innovative ways to detect these intrusions and threats are needed. One such promising approach is to utilise provenance data, specifically provenance graphs, as a data source for the intrusion detection framework. Data provenance represents information flow between system entities as a Directed Acyclic Graph (DAG). In the context of using data provenance for an intrusion detection system, the provenance graph has system entities represented as nodes and system operations represented as directed edges. As a result, the generated graph provides a comprehensive overview of the activities happening within a system, tracking all the actions of every user. This makes it a valuable and informative data source for an intrusion detection system. This project aims to capitalise on the potential of provenance graphs for intrusion detection. By running simulations of cyberattacks on an operating system with a provenance capture tool, extensive datasets of provenance graphs can be generated. These graphs will then be used to train and validate graph-based models. Lastly, the model will be evaluated to determine the effectiveness of provenance-based intrusion detection, using various metrics commonly used to measure the performance of neural network models. |
URI: | https://hdl.handle.net/10356/175514 |
Schools: | School of Computer Science and Engineering |
Fulltext Permission: | restricted |
Fulltext Availability: | With Fulltext |
Appears in Collections: | SCSE Student Reports (FYP/IA/PA/PI) |
Files in This Item:
File | Description | Size | Format | |
---|---|---|---|---|
FYP Amended Report.pdf (Restricted Access) | | 2.11 MB | Adobe PDF | View/Open |
Page view(s): 103 (updated on Mar 18, 2025)
Download(s): 19 (updated on Mar 18, 2025)
Items in DR-NTU are protected by copyright, with all rights reserved, unless otherwise indicated.