Published: June 29, 2020
Author(s)
Gbadebo Ayoade (University of Texas at Dallas), Khandakar Akbar (University of Texas at Dallas), Pracheta Sahoo (University of Texas at Dallas), Yang Gao (University of Texas at Dallas), Anmol Agarwal (University of Texas at Dallas), Kangkook Jee (University of Texas at Dallas), Latifur Khan (University of Texas at Dallas), Anoop Singhal (NIST)
Conference
Name: 2020 IEEE Conference on Communications and Network Security (CNS)
Dates: 06/29/2020 - 07/01/2020
Location: [Virtual] Avignon, France
Citation: 2020 IEEE Conference on Communications and Network Security (CNS), pp. 1-9
Advanced persistent threats (APT) have increased in recent times as a result of the rise in interest by nation-states and sophisticated corporations to obtain high profile information. Typically, APT attacks are more challenging to detect since they leverage zero-day attacks and commonly used benign tools. Furthermore, these attack campaigns are often prolonged to evade detection. We leverage an approach that uses a provenance graph to obtain execution traces of host nodes in order to detect anomalous behavior. By using the provenance graph, we extract features that are then used to train an online adaptive metric learning. Online metric learning is a deep learning method that learns a function to minimize the separation between similar classes and maximizes the separation between dissimilar instances. We compare our approach with baseline models and we show our method outperforms the baseline models by increasing detection accuracy on average by 11.3% and increases True positive rate(TPR) on average by 18.3%.
Advanced persistent threats (APT) have increased in recent times as a result of the rise in interest by nation-states and sophisticated corporations to obtain high profile information. Typically, APT attacks are more challenging to detect since they leverage zero-day attacks and commonly used benign...
See full abstract
Advanced persistent threats (APT) have increased in recent times as a result of the rise in interest by nation-states and sophisticated corporations to obtain high profile information. Typically, APT attacks are more challenging to detect since they leverage zero-day attacks and commonly used benign tools. Furthermore, these attack campaigns are often prolonged to evade detection. We leverage an approach that uses a provenance graph to obtain execution traces of host nodes in order to detect anomalous behavior. By using the provenance graph, we extract features that are then used to train an online adaptive metric learning. Online metric learning is a deep learning method that learns a function to minimize the separation between similar classes and maximizes the separation between dissimilar instances. We compare our approach with baseline models and we show our method outperforms the baseline models by increasing detection accuracy on average by 11.3% and increases True positive rate(TPR) on average by 18.3%.
Hide full abstract
Keywords
feature extraction; machine learning; measurement; tools; Trojan horses; conferences; security
Control Families
None selected