Provenance-based Intrusion Detection: Opportunities and Challenges

Xueyuan Han; Thomas Pasquier; Margo Seltzer

Authors:

Xueyuan Han, Harvard University; Thomas Pasquier, University of Cambridge; Margo Seltzer, Harvard University

Abstract:

Intrusion detection is an arms race; attackers evade intrusion detection systems by developing new attack vectors to sidestep known defense mechanisms. Provenance provides a detailed, structured history of the interactions of digital objects within a system. It is ideal for intrusion detection, because it offers a holistic, attack-vector-agnostic view of system execution. As such, provenance graph analysis fundamentally strengthens detection robustness.We discuss the opportunities and challenges associated with provenance-based intrusion detection and provide insights based on our experience building such systems.

Xueyuan Han, Harvard University

Thomas Pasquier, University of Cambridge

Margo Seltzer, Harvard University

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX

@inproceedings {220315,
author = {Xueyuan Han and Thomas Pasquier and Margo Seltzer},
title = {Provenance-based Intrusion Detection: Opportunities and Challenges},
booktitle = {10th USENIX Workshop on the Theory and Practice of Provenance (TaPP 2018)},
year = {2018},
address = {London},
url = {https://www.usenix.org/conference/tapp2018/presentation/han},
publisher = {USENIX Association},
month = jul
}

Download

Han PDF