Prov2vec: Learning Provenance Graph Representation for Anomaly Detection in Computer Systems

Prov2vec: Learning Provenance Graph Representation for Anomaly Detection in Computer Systems

연구 분야: Safety

학회: ARES '24: Proceedings of the 19th International Conference on Availability, Reliability and Security

Modern cyber attackers use advanced zero-day exploits, highly targeted spear phishing, and other social engineering techniques to gain access, and also use evasion techniques to maintain a prolonged presence within the victim network while working gradually towards the objective. To minimize damage, detecting these Advanced Persistent Threats as early in the campaign as possible is crucial. This paper proposes, Prov2vec, a system for the continuous monitoring of enterprise host’s behavior to detect attackers’ activities. It leverages the data provenance graph built using system event logs to get complete visibility into the execution state of an enterprise host and the causal relationship between system entities. It proposes a novel provenance graph kernel to obtain the canonical representation of the system behavior, which is compared against its historical behaviors and that of other hosts to detect the deviation from the norm. These representations are used in several machine learning models to evaluate their ability to capture the underlying behavior of an endpoint host. We have empirically demonstrated that the provenance graph kernel produces a much more compact representation compared to existing methods while improving prediction ability.