Provenance of Computation Meets Persistent Threat Detection: A Progress Report

David Archer, Galois, Inc.


Carefully crafted, subtle cyber threats are designed to avoid detection. By minimizing their network communication profile, avoiding common malware signatures, and moving slowly and cautiously, such threats penetrate, persist, explore, and exfiltrate without being noticed. In contrast to that cautious demeanor, their potential for harm is substantial, as we’ve seen repeatedly in high-profile data breaches discovered long after the fact. In this work, we describe our approach to detecting such subtle threats using a combination of statistical anomaly detection and computational provenance exploration. We explain the architecture of our detection system, describe the sensor data model we use as input to our analysis, explore our anomaly detection and provenance computation methods, and present preliminary results from a recent adversarial engagement on real systems under realistic attack.

@conference {204302,
title = {Provenance of Computation Meets Persistent Threat Detection: A Progress Report},
year = {2017},
address = {Seattle, WA},
publisher = {{USENIX} Association},
month = jun,