UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats.

Authors: James Mickens, Adam Bates, Thomas Pasquier, Margo Seltzer, Xueyuan Han

DOI: 10.14722/NDSS.2020.24046

Keywords: Data mining, Exploit, Detector, Unicorn, Computer science, Attack patterns

Abstract: Advanced Persistent Threats (APTs) are difficult to detect due to their "low-and-slow" attack patterns and frequent use of zero-day exploits. We present UNICORN, an anomaly-based APT detector that effectively leverages data provenance analysis. From modeling to detection, UNICORN tailors its design specifically for the unique characteristics of APTs. Through extensive yet time-efficient graph analysis, UNICORN explores provenance graphs that provide rich contextual and historical information to identify stealthy anomalous activities without pre-defined attack signatures. Using a graph sketching technique, it summarizes long-running system execution with space efficiency to combat slow-acting attacks that take place over a long time span. UNICORN further improves its detection capability using a novel modeling approach to understand long-term behavior as the system evolves. Our evaluation shows that UNICORN outperforms an existing state-of-the-art APT detection system and detects real-life APT scenarios with high accuracy.
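The pipeline the abstract describes, as an added example that is not part of the paper or of UNICORN's own code base: a streaming provenance graph is turned into per-node labels, the labels are accumulated into a histogram, the histogram is compressed into a fixed-size similarity-preserving sketch, and the sketches taken during a run are compared against sketches learned from benign runs. Everything below is an assumption made for illustration: the audit traces are constructed, node and edge types are the only label inputs, a node's label is recomputed from the incoming edge type and the source's current label, the sketch is plain min-hash over the expanded histogram (the paper uses HistoSketch), and the benign model is a flat set of checkpoint sketches (the paper clusters them and learns transitions between clusters). The detector's defaults are hypothetical tuning values, not the paper's.

```python
"""Simplified UNICORN-style detector (added example, not UNICORN's code).
Assumptions: labels come only from node/edge types; a destination's label is
recomputed from the incoming edge type and the source's current label; the
sketch is plain min-hash over the expanded histogram; the benign model is a
flat set of checkpoint sketches. Traces and thresholds are constructed."""
import hashlib
from collections import Counter

SKETCH_SIZE = 128   # min-hash slots; more slots = lower estimation variance
INTERVAL = 3        # sketch the histogram every INTERVAL provenance edges
THRESHOLD = 0.75    # alarm when a sketch is this dissimilar to every benign one


def _h(*parts) -> int:
    """Deterministic 64-bit hash of a tuple (Python's hash() is salted per process)."""
    data = "\x1f".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.blake2b(data, digest_size=8).digest(), "big")


def label_stream(events):
    """Consume provenance edges (src_id, src_type, edge_type, dst_id, dst_type)
    in arrival order and yield the running label histogram after each edge."""
    labels, hist = {}, Counter()

    def first_seen(node_id, node_type):
        if node_id not in labels:
            labels[node_id] = _h("node", node_type)
            hist[labels[node_id]] += 1

    for src, src_t, etype, dst, dst_t in events:
        first_seen(src, src_t)
        first_seen(dst, dst_t)
        # Information flows src -> dst: the destination's label now encodes the
        # edge type and the source's (already neighbourhood-aware) label.
        labels[dst] = _h("node", dst_t, etype, labels[src])
        hist[labels[dst]] += 1
        yield hist


def final_histogram(events) -> Counter:
    hist = Counter()
    for hist in label_stream(events):
        pass
    return Counter(hist)


def sketch(hist: Counter) -> tuple:
    """Min-hash of the histogram expanded into (label, copy) items; the share of
    equal slots between two sketches estimates their weighted Jaccard similarity."""
    slots = [None] * SKETCH_SIZE
    for label, count in hist.items():
        for copy in range(count):
            for k in range(SKETCH_SIZE):
                v = _h("slot", k, label, copy)
                if slots[k] is None or v < slots[k]:
                    slots[k] = v
    return tuple(slots)


def similarity(s1, s2) -> float:
    return sum(a == b for a, b in zip(s1, s2)) / SKETCH_SIZE


def weighted_jaccard(h1: Counter, h2: Counter) -> float:
    """Exact value that similarity(sketch(h1), sketch(h2)) approximates."""
    keys = set(h1) | set(h2)
    return sum(min(h1[k], h2[k]) for k in keys) / sum(max(h1[k], h2[k]) for k in keys)


def checkpoints(events) -> list:
    """Sketches taken every INTERVAL edges and at the end of the run: the whole
    execution is kept in O(checkpoints * SKETCH_SIZE) space, not as a graph."""
    out, n, hist = [], 0, None
    for n, hist in enumerate(label_stream(events), start=1):
        if n % INTERVAL == 0:
            out.append(sketch(hist))
    if hist is not None and n % INTERVAL != 0:
        out.append(sketch(hist))
    return out


def train(benign_runs) -> list:
    """Benign model: every checkpoint sketch seen across the training runs."""
    return [s for run in benign_runs for s in checkpoints(run)]


def detect(model, events):
    """Index of the first checkpoint whose sketch is below THRESHOLD similarity
    to every benign sketch, or None if the run stays within benign behaviour."""
    for idx, s in enumerate(checkpoints(events)):
        if max(similarity(s, m) for m in model) < THRESHOLD:
            return idx
    return None


def web_worker_trace(tag, requests) -> list:
    """Constructed benign trace: a worker receives a request, reads a static
    page and appends to its log, `requests` times (ids carry `tag` only)."""
    sock, proc, page, log = (f"{tag}:{n}" for n in ("sock", "worker", "index.html", "access.log"))
    trace = []
    for _ in range(requests):
        trace += [(sock, "socket", "recv", proc, "process"),
                  (page, "file", "read", proc, "process"),
                  (proc, "process", "write", log, "file")]
    return trace


def compromised_trace(tag) -> list:
    """Constructed attack trace: the three-request benign worker, but after the
    second request it spawns a shell that reads four sensitive files and sends
    each one to an outbound socket; the third request then proceeds normally."""
    benign = web_worker_trace(tag, 3)
    sh, out = f"{tag}:sh", f"{tag}:c2-sock"
    attack = [(f"{tag}:worker", "process", "exec", sh, "process")]
    for name in ("shadow", "id_rsa", "wallet.dat", "config.php"):
        attack += [(f"{tag}:{name}", "file", "read", sh, "process"),
                   (sh, "process", "send", out, "socket")]
    return benign[:6] + attack + benign[6:]


if __name__ == "__main__":
    model = train([web_worker_trace("a", 3), web_worker_trace("b", 4)])
    print("benign run flagged at:", detect(model, web_worker_trace("t", 3)))    # None
    print("attack run flagged at:", detect(model, compromised_trace("victim")))  # index >= 2
    print("exact weighted Jaccard, benign vs attack:",
          round(weighted_jaccard(final_histogram(web_worker_trace("a", 3)),
                                 final_histogram(compromised_trace("victim"))), 3))  # 0.464
```

Two things are worth noticing when running this. First, because labels are built from types only, the shell reading a sensitive file produces the same label as the worker reading its static page, so several attack edges are individually indistinguishable from benign ones; the alarm comes from the histogram as a whole (the exact weighted Jaccard between the benign and compromised runs is 13/28), which is the reason for comparing whole-execution summaries rather than single events. Second, a single injected edge would move the histogram far less than this nine-edge attack and would stay above the threshold, which is the "low-and-slow" problem the abstract refers to and the motivation for sketching over long windows and for modeling how benign behavior evolves instead of fixing one static profile.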
