Mining Data Provenance to Detect Advanced Persistent Threats


Mathieu Barre, INRIA; Ashish Gehani and Vinod Yegneswaran, SRI International


An advanced persistent threat (APT) is a stealthy malware instance that gains unauthorized access to a system and remains undetected for an extended time period. The aim of this work is to evaluate the feasibility of applying advanced machine learning and provenance analysis techniques to automatically detect the presence of APT infections within hosts in the network.We evaluate our techniques using a corpus of recent APT malware. Our results indicate that while detecting new APT instances is a fundamentally difficult problem, provenance-based learning techniques can detect over 50% of them with low false positive rates (< 4%).

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {235864,
author = {Mathieu Barre and Ashish Gehani and Vinod Yegneswaran},
title = {Mining Data Provenance to Detect Advanced Persistent Threats},
booktitle = {11th International Workshop on Theory and Practice of Provenance (TaPP 2019)},
year = {2019},
address = {Philadelphia, PA},
url = {},
publisher = {USENIX Association},
month = jun