Aggregating unsupervised provenance anomaly detectors


Ghita Berrada, University of Edinburgh; James Cheney, University of Edinburgh and The Alan Turing Institute


System-level provenance offers great promise for improving security by facilitating the detection of attacks. Unsupervised anomaly detection techniques are necessary to defend against subtle or unpredictable attacks, such as advanced persistent threats (APTs). However, it is difficult to know in advance which views of the provenance graph will be most valuable as a basis for unsupervised anomaly detection on a given system. We present baseline anomaly detection results on the effectiveness of two existing algorithms on APT attack scenarios from four different operating systems, and identify simple score or rank aggregation techniques that are effective at aggregating anomaly scores and improving detection performance.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {235860,
author = {Ghita Berrada and James Cheney},
title = {Aggregating unsupervised provenance anomaly detectors},
booktitle = {11th International Workshop on Theory and Practice of Provenance (TaPP 2019)},
year = {2019},
address = {Philadelphia, PA},
url = {},
publisher = {USENIX Association},
month = jun,