Research area: Safety
Conference: 2025 28th International Conference on Computer Supported Cooperative Work in Design (CSCWD)
Provenance-based Endpoint Detection and Response (P-EDR) systems are considered the key to future Advanced Persistent Threat (APT) defense. Building provenance graphs that capture causal relationships between software behaviors provides richer contextual information about cyber attacks and can effectively reconstruct the complex attack scenarios typical of APTs. Although promising for attack investigation, existing provenance-graph-based detection methods adopt a centralized detection architecture, sending all system audit logs to servers for processing, which results in unbearable costs in data transmission, data storage, and computation. To address these fundamental challenges, we propose Pegasus, a distributed detection system that reduces memory consumption during training by distributing the work across nodes. We evaluate our system on a large public dataset, and experimental results show that it reduces memory consumption by 47%–65% compared with existing provenance-based EDR. This processing has little impact on attack detection performance, and our EDR system still achieves sufficiently good detection results.
| Field | Value |
|---|---|
| Publication year | 2025 |
| Citations | 23 |
| Country of publication | China |
| Site | IEEE |
| Likes | 0 |