Provenance-based Intrusion Detection: Opportunities and Challenges


Xueyuan Han, Harvard University; Thomas Pasquier, University of Cambridge; Margo Seltzer, Harvard University


Intrusion detection is an arms race; attackers evade intrusion detection systems by developing new attack vectors to sidestep known defense mechanisms. Provenance provides a detailed, structured history of the interactions of digital objects within a system. It is ideal for intrusion detection, because it offers a holistic, attack-vector-agnostic view of system execution. As such, provenance graph analysis fundamentally strengthens detection robustness.We discuss the opportunities and challenges associated with provenance-based intrusion detection and provide insights based on our experience building such systems.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {220315,
author = {Xueyuan Han and Thomas Pasquier and Margo Seltzer},
title = {Provenance-based Intrusion Detection: Opportunities and Challenges},
booktitle = {10th USENIX Workshop on the Theory and Practice of Provenance (TaPP 2018)},
year = {2018},
address = {London},
url = {},
publisher = {USENIX Association},
month = jul