Mining Data Provenance to Detect Advanced Persistent Threats


Authors: 

Mathieu Barre, INRIA; Ashish Gehani and Vinod Yegneswaran, SRI International

Abstract: 

An advanced persistent threat (APT) is a stealthy malware instance that gains unauthorized access to a system and remains undetected for an extended time period. The aim of this work is to evaluate the feasibility of applying advanced machine learning and provenance analysis techniques to automatically detect the presence of APT infections within hosts in the network. We evaluate our techniques using a corpus of recent APT malware. Our results indicate that while detecting new APT instances is a fundamentally difficult problem, provenance-based learning techniques can detect over 50% of them with low false positive rates (< 4%).
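To make the idea of provenance-based learning concrete, the following is an added example (not code from the paper or its authors): it builds a small provenance graph from constructed audit-style records, derives per-process features from the graph structure (including a provenance-specific signal, whether a process consumed a file that a network-connected process wrote), learns per-feature bounds from a trace assumed benign, and flags processes whose features exceed those bounds. The record format, the feature set and the scoring rule are all assumptions chosen for illustration; the addresses are documentation ranges.

```python
"""Toy provenance-graph feature extraction and baseline scoring.

Added example, not the paper's code. Assumptions: records are
(subject, relation, object) triples; "proc:", "file:" and "net:" prefixes
type the nodes; the features and the bound-based score are illustrative.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed benign trace (assumed clean) used to learn the baseline.
BENIGN_RECORDS = [
    ("proc:bash", "forked", "proc:ls"),
    ("proc:ls", "read", "file:/home/user"),
    ("proc:bash", "forked", "proc:vim"),
    ("proc:vim", "read", "file:/home/user/notes.txt"),
    ("proc:vim", "wrote", "file:/home/user/notes.txt"),
    ("proc:bash", "forked", "proc:ssh"),
    ("proc:ssh", "connected", "net:198.51.100.7"),
]

# Constructed trace under test: a download is written to disk and later executed.
TEST_RECORDS = [
    ("proc:bash", "forked", "proc:curl"),
    ("proc:curl", "connected", "net:203.0.113.5"),
    ("proc:curl", "wrote", "file:/tmp/update.bin"),
    ("proc:bash", "forked", "proc:update.bin"),
    ("proc:update.bin", "read", "file:/tmp/update.bin"),
    ("proc:update.bin", "read", "file:/etc/passwd"),
    ("proc:update.bin", "connected", "net:203.0.113.5"),
    ("proc:bash", "forked", "proc:ls"),
    ("proc:ls", "read", "file:/home/user"),
]


@dataclass
class ProvenanceGraph:
    edges: dict = field(default_factory=lambda: defaultdict(list))    # subject -> [(rel, obj)]
    reverse: dict = field(default_factory=lambda: defaultdict(list))  # object -> [(rel, subj)]

    @classmethod
    def from_records(cls, records):
        g = cls()
        for subj, rel, obj in records:
            g.edges[subj].append((rel, obj))
            g.reverse[obj].append((rel, subj))
        return g

    def processes(self):
        nodes = set(self.edges) | set(self.reverse)
        return sorted(n for n in nodes if n.startswith("proc:"))

    def writers_of(self, obj):
        return {s for rel, s in self.reverse[obj] if rel == "wrote"}

    def ancestors(self, proc):
        """Transitive fork ancestors of a process (its lineage depth)."""
        seen, stack = set(), [proc]
        while stack:
            for rel, parent in self.reverse[stack.pop()]:
                if rel == "forked" and parent not in seen:
                    seen.add(parent)
                    stack.append(parent)
        return seen


def process_features(g, proc):
    out = g.edges[proc]
    files_read = {o for r, o in out if r == "read"}
    files_written = {o for r, o in out if r == "wrote"}
    endpoints = {o for r, o in out if r == "connected"}
    # Provenance signal: inputs written by a process that talked to the network.
    net_procs = {p for p in g.processes() if any(r == "connected" for r, _ in g.edges[p])}
    tainted = sum(1 for f in files_read if g.writers_of(f) & net_procs)
    return {
        "files_read": len(files_read),
        "files_written": len(files_written),
        "net_endpoints": len(endpoints),
        "ancestor_depth": len(g.ancestors(proc)),
        "tainted_inputs": tainted,
    }


def learn_baseline(benign_graph):
    """Per-feature upper bound observed on the benign trace."""
    bounds = defaultdict(int)
    for p in benign_graph.processes():
        for k, v in process_features(benign_graph, p).items():
            bounds[k] = max(bounds[k], v)
    return dict(bounds)


def score(features, bounds):
    """Number of features exceeding the benign bound; 0 means baseline-like."""
    return sum(1 for k, v in features.items() if v > bounds.get(k, 0))


def flag_processes(g, bounds, threshold=2):
    """Processes whose score reaches the threshold (threshold trades recall for FPs)."""
    return sorted(p for p in g.processes() if score(process_features(g, p), bounds) >= threshold)


if __name__ == "__main__":
    baseline = learn_baseline(ProvenanceGraph.from_records(BENIGN_RECORDS))
    print("baseline bounds:", baseline)
    print("flagged:", flag_processes(ProvenanceGraph.from_records(TEST_RECORDS), baseline))
```

The threshold is the knob behind the recall/false-positive trade-off the abstract reports: lowering it to 1 would also flag any process that merely exceeds a single bound, which on a real host quickly inflates the false-positive rate.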


BibTeX
@inproceedings {235864,
author = {Mathieu Barre and Ashish Gehani and Vinod Yegneswaran},
title = {Mining Data Provenance to Detect Advanced Persistent Threats},
booktitle = {11th International Workshop on Theory and Practice of Provenance (TaPP 2019)},
year = {2019},
address = {Philadelphia, PA},
url = {https://www.usenix.org/conference/tapp2019/presentation/barre},
publisher = {USENIX Association},
month = jun
}