Published: November 14, 2022
Citation: IEEE Transactions on Dependable and Secure Computing vol. 20, no. 5, (September-October 2023) pp. 3957-3969
Author(s)
Khandakar Akbar (University of Texas at Dallas), Yingong Wang (University of Texas at Dallas), Gbadebo Ayoade (University of Texas at Dallas), Yang Gao (University of Texas at Dallas), Anoop Singhal (NIST), Latifur Khan (University of Texas at Dallas), Bhavani Thuraisingham (University of Texas at Dallas), Kangkook Jee (University of Texas at Dallas)
Advanced persistent threats (APT) have increased in recent times as a result of the rise in interest by nation states and sophisticated corporations to obtain high-profile information. Typically, APT attacks are more challenging to detect since they leverage zero-day attacks and common benign tools. Furthermore, these attack campaigns are often prolonged to evade detection. We leverage an approach that uses a provenance graph to obtain execution traces of host nodes in order to detect anomalous behavior. By using the provenance graph, we extract features that are then used to train an online adaptive metric learning. Online metric learning is a deep learning method that learns a function to minimize the separation between similar classes and maximizes the separation between dis-similar instances. We compare our approach with baseline models and we show our method outperforms the baseline models by increasing detection accuracy on average by 11.3% and increases True positive rate (TPR) on average by 18.3%. We also show that our method outperforms several state-of-the-art models performances in comprehensive attack datasets in both binary and multi-class settings.
Advanced persistent threats (APT) have increased in recent times as a result of the rise in interest by nation states and sophisticated corporations to obtain high-profile information. Typically, APT attacks are more challenging to detect since they leverage zero-day attacks and common benign tools....
See full abstract
Advanced persistent threats (APT) have increased in recent times as a result of the rise in interest by nation states and sophisticated corporations to obtain high-profile information. Typically, APT attacks are more challenging to detect since they leverage zero-day attacks and common benign tools. Furthermore, these attack campaigns are often prolonged to evade detection. We leverage an approach that uses a provenance graph to obtain execution traces of host nodes in order to detect anomalous behavior. By using the provenance graph, we extract features that are then used to train an online adaptive metric learning. Online metric learning is a deep learning method that learns a function to minimize the separation between similar classes and maximizes the separation between dis-similar instances. We compare our approach with baseline models and we show our method outperforms the baseline models by increasing detection accuracy on average by 11.3% and increases True positive rate (TPR) on average by 18.3%. We also show that our method outperforms several state-of-the-art models performances in comprehensive attack datasets in both binary and multi-class settings.
Hide full abstract
Keywords
advanced persistent threat; data provenance; metric learning
Control Families
None selected