provenance based intrusion detection
play

Provenance-based Intrusion Detection Thomas Pasquier University of - PowerPoint PPT Presentation

Dec 01, 2023 •220 likes •635 views

Provenance-based Intrusion Detection Thomas Pasquier University of Bristol https://tfjmp.org 12/11/2020 1 Talk loosely based on following publications Han et al. SIGL: Securing Software Installations Through Deep Graph Learning ,

  1. Provenance-based Intrusion Detection Thomas Pasquier University of Bristol https://tfjmp.org 12/11/2020 1

  2. Talk loosely based on following publications ● Han et al. “ SIGL: Securing Software Installations Through Deep Graph Learning” , USENIX Security 2021 ● Han et al. “UNICORN: Revisiting Host-Based Intrusion Detection in the Age of Data Provenance” , NDSS 2020 ● Pasquier et al. “Runtime Analysis of Whole-System Provenance” , ACM CCS 2018 ● Pasquier et al. “Practical Whole-System Provenance Capture” , ACM SoCC 2017 2

  3. Motivation: System call based intrusion detection System Calls 3

  4. Motivation: System call based intrusion detection System Calls Identify abnormal patterns 4

  5. Motivation: System call based intrusion detection System Calls Identify abnormal patterns Hidden among benign actions 5

  6. Motivation: System call based intrusion detection System Calls Identify abnormal patterns Hidden among benign actions Masquerading as benign action 6

  7. Motivation: System call based intrusion detection System Calls [...] Identify abnormal patterns Hidden among benign actions Masquerading as benign action [...] Over a long period of time 7

  8. What is provenance? 8

  9. What is provenance? - From the French “provenir” meaning “coming from” - Formal set of documents describing the origin of an art piece - Sequence of - Formal ownership - Custody - Places of storage - Used for authentication 9

  10. What is data-provenance? - Represent interactions between objects of different types - Data-items ( entities ) - Processing ( activities ) - Individuals and Organisations ( agents ) - Represented as a directed acyclic graph (think information flows) - Edges represent interactions between objects’ states as dependencies - It is a representation of history of a system execution - Immutable (unless it’s 1984) - No dependency to the future 10

  11. How is this useful? 11

  12. Provenance-based intrusion detection ▪ Intuition : provenance graph exposes causality relationships between events 12

  13. Provenance-based intrusion detection ▪ Intuition : provenance graph exposes causality relationships between events 13

  14. Provenance-based intrusion detection Related events are connected even across long period of time ▪ 14

  15. How to perform detection? 15

  16. Assumptions (and limitations) Runtime detection - We target environment with minimal human intervention - - relatively consistent behaviour - e.g. web servers, CI pipelines etc... Build a model of system behaviour (unsupervised training) - - in a controlled environment - from a representative workload (this is hard!) Detect deviation from the model - Several approaches being explored… - 16

  17. Example: UNICORN ▪ Han et al. “UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats” , NDSS 2020 17

  18. Example: UNICORN Graph streamed in, converted to histogram, labelled using (modified) 1) struct2vec 18

  19. Example: UNICORN 2) At regular interval, histogram converted to a fixed size vector using similarity preserving graph sketching 19

  20. Example: UNICORN 3) Feature vectors are clustered 20

  21. Example: UNICORN 4) Cluster forms “ meta-state ”, transitions are modelled In deployment, anomaly detected via clustering and “meta-state” model 21

  22. Relatively simple Labelled directed acyclic graph ▪ – node/edge types – security context (when available) Modification and combination of existing algorithms ▪ – struct2vec – similarity preserving hashing – clustering Right combination + domain knowledge ▪ 22

  23. Some insights from this work 23

  24. We can build practical provenance-based IDSs We can detect intrusion out of graph structure with little metadata ▪ – Vertex type (thread, file, socket etc…) – Edge type (read, write, connect etc…) Processing speed ▪ – Current prototype – Data generation speed < processing speed! 24

  25. Proper evaluation is hard! - Dataset are hard to generate - What is a good quality dataset? - Hard to compare across papers, a lot is not available - Experiments (i.e. attacks) - Capture Mechanisms - Analysis pipelines - Leads to unsatisfactory evaluation - I may be able to compare to similar techniques (may reuse dataset) - … very hard for unrelated one (i.e. ingest different data type) - Adversarial ML? 25

  26. Identifying threats: explainability is a problem There is a problem within the last batch of X graph elements ▪ – 2,000 in previous figures Good luck finding out what went wrong ▪ Provenance forensic is an active field of research ▪ – Promising work out of the DARPA programme … but could we do better during detection? ▪ 26

  27. Ongoing projects 27

  28. Towards more interpretable provenance-based IDSs ● PhD student project ( Xueyuan “Michael” Ha n) ● Collaborators ○ Harvard University ○ UBC ○ NEC Labs America ● Deep graph learning techniques ● Precisely identifying attacks within a provenance-graph ● Generating actionable reports 28

  29. A framework for Provenance-based forensics ● PhD student project ( Priyanka Badva ) ● Collaborators ○ SRI International ● Provenance graphs are large and complex (several millions nodes) ● Designing tools and techniques to identify/explain attacks ● Working with my colleague Ryan 29

  30. Distributed IDS - Edge network - Collaboration with Toshiba (£4M) - Exploring distributed learning - Poisoning - Mechanism - Etc. - Large testbed planned (work starting January) - Hiring 2 postdocs at Bristol - Money available for an intern short term (+-covid) 30

  31. Kernel partitioning ● PhD student project ( Soo Yee Lim ) ● Collaborators ○ HP Labs Bristol ○ Royal Holloway, University of London ○ University of Otago ● Leveraging CHERI/ARM Morello hardware ○ Hardware capabilities ● Implement kernel partitioning in the Linux OS 31

  32. Thank you! Questions? https://tfjmp.org thomas.pasquier@bristol.ac.uk 32

  33. How to evaluate? 33

  34. Comparison state of the art Manzoor et al. " Fast memory-efficient anomaly detection in streaming heterogeneous graphs " ACM KDD, 2016. R -> neighborhood size for struct2vec algorithm 34

  35. Evaluation with DARPA datasets 35

  36. Evaluation with DARPA datasets SUCH GOOD RESULTS ARE NOT NORMAL 36

  37. Building our own dataset ▪ Attack designed to look similar to background activity 37

  38. Building our own dataset ▪ Attack designed to look similar to background activity ▪ Is that enough? 38

  39. Runtime performance 39

  40. Runtime performance 40

  41. Runtime performance Memory usage: ~500MB CPU usage 15% on 1 core 41

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol

Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol

Building a provenance-based intrusion detection system Thomas Pasquier, University of Bristol Toshiba, 26/11/2020 1 Talk loosely based on following publications Han et al. UNICORN: Revisiting Host-Based Intrusion Detection in the Age of

783 views • 55 slides
Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots

ITS335 Intrusion Detection Intruders Intrusion Detection Host-Based Intrusion Detection Distributed Host-Based Network-Based ITS335: IT Security Honeypots Summary Sirindhorn International Institute of Technology Thammasat University

584 views • 30 slides
Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion Detection Systems Detect malicious Raise alarms activities/attacks Alert administrators Hacking/ unauthorized access Trigger defense

217 views • 21 slides
Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be

Styles of Intrusion Detection Misuse intrusion detection Try to detect things known to be bad Anomaly intrusion detection Try to detect deviations from normal behavior Specification intrusion detection Try to detect

627 views • 15 slides
Constrained approximate search in misuse-based intrusion detection Ambika Shrestha Chitrakar

Constrained approximate search in misuse-based intrusion detection Ambika Shrestha Chitrakar

Constrained approximate search in misuse-based intrusion detection Ambika Shrestha Chitrakar Supervisor: Prof. Slobodan Petrovic FINSE 10th of may 2017 Contents Introduction Snort: a misuse-based intrusion detection Problem

247 views • 14 slides
Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection

Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Architecture of an IDS Organization Incident Response Slide #22-1 FEARLESS engineering Principles of Intrusion Detection

744 views • 40 slides
Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection

Chapter 25: Intrusion Detection Principles Basics Models of Intrusion Detection Architecture of an IDS Organization Incident Response June 2, 2005 ECS 235, Computer and Information Slide #1 Security Principles of

1.38k views • 104 slides
Signal Processing General Introduction Based Intrusion Detection Using Several drawbacks to

Signal Processing General Introduction Based Intrusion Detection Using Several drawbacks to

Signal Processing General Introduction Based Intrusion Detection Using Several drawbacks to signature-based PCA detection Human intervention By Jeff Terrell Not adaptive; can't learn For COMP 290 - IDS - Spring 2005 Can be

360 views • 7 slides
Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion Detection Systems Tripwire Snort 2 IDS (Definition) Intrusion Detection is the process of monitoring the events occurring in a computer

571 views • 30 slides
Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection

Customizing and Evolving Intrusion Detection A static, globally useful intrusion detection solution is impossible Good behavior on one system is bad behavior on another Behaviors change and new vulnerabilities are discovered

700 views • 23 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 236 systems Computer Software Some sample intrusion detection March 12, 2007 systems Lecture 14 Lecture 14 Page 1 Page 2 CS 236, Winter 2007

537 views • 10 slides
Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239

Outline Introduction Intrusion Detection Characteristics of intrusion detection CS 239 systems Computer Software Some sample intrusion detection March 9, 2005 systems Lecture 15 Lecture 15 Page 1 Page 2 CS 239, Winter 2005

602 views • 12 slides
Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and Mohammad Zulkernine School of Computing Queens University, Kingston Ontario, Canada K7L 3N6 {zhang, mzulker} @cs.queensu.ca Abstract- Anomaly

284 views • 6 slides
Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative

Intrusion Detection Intrusion Detection October 23, 2020 Administrative Administrative submittal instructions submittal instructions answer the lab assignments questions in written report form, as a text, pdf, or Word document

504 views • 21 slides
Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing

Overview Intrusion Detection Systems Intrusion Detection Concepts and Practices Dealing with Intruders Detecting Intruders Principles of Intrusions and IDS The IDS Taxonomy Chapter 13 Using Rules and Thresholds for

297 views • 7 slides
Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse) Detection Intrusion Detection Host-based Network-based Boriana Ditcheva and Lisa Fowler Active/Passive University of North Carolina at

401 views • 12 slides
Chapter 13 13.1 Detecting Extrasolar Planets Other Planetary Systems The New Science of Distant

Chapter 13 13.1 Detecting Extrasolar Planets Other Planetary Systems The New Science of Distant

Chapter 13 13.1 Detecting Extrasolar Planets Other Planetary Systems The New Science of Distant Worlds Our goals for learning Why is it so difficult to detect planets around other stars? How do we detect planets around other

571 views • 8 slides
Performance Optimization Project 2 Lab Schedule Activities Assignments Due Today

Performance Optimization Project 2 Lab Schedule Activities Assignments Due Today

Computer Systems and Networks ECPE 170 University of the Pacific Performance Optimization Project 2 Lab Schedule Activities Assignments Due Today Today Lab 7 Performance Lab 5 due by 11:59pm Optimization

832 views • 22 slides
1 Lab 5::Pintos file-structures Lab 5::Reading/Writing (1) Lab 5::Reading/Writing (2) Several

1 Lab 5::Pintos file-structures Lab 5::Reading/Writing (1) Lab 5::Reading/Writing (2) Several

Lab 5::General Description Lab 5::General Description Lab 5: File System Lab 5: File System Laboratory work in TDDI04 Synchronization of read-write operations Synchronization of read-write operations Pintos Assignment 5 One

47 views • 4 slides
2009 IC/CAD Contest Problem B3 : Obstacle-Avoiding Rectilinear Clock Routing with Preferred

2009 IC/CAD Contest Problem B3 : Obstacle-Avoiding Rectilinear Clock Routing with Preferred

2009 IC/CAD Contest Problem B3 : Obstacle-Avoiding Rectilinear Clock Routing with Preferred Directions Source: Synopsys 1. Introduction Finding a minimum route for an n-pin net can be modeled as a minimum Steiner tree problem of n points. To

285 views • 9 slides
CLIC Crab Cavity and Wakefields Praveen Ambattu CLIC crab group Cockcroft Institute / Lancaster

CLIC Crab Cavity and Wakefields Praveen Ambattu CLIC crab group Cockcroft Institute / Lancaster

ICFA Beam Dynamics Workshop 2010, Daresbury CLIC Crab Cavity and Wakefields Praveen Ambattu CLIC crab group Cockcroft Institute / Lancaster University / University of Manchester / ASTeC Crab Cavity Operation BDS chapter of the CLIC CDR,

586 views • 17 slides
Sources of Field Perturbations LLRF Lecture Part2 S. Simrock, M. Grecki ITER / DESY RF System

Sources of Field Perturbations LLRF Lecture Part2 S. Simrock, M. Grecki ITER / DESY RF System

Sources of Field Perturbations LLRF Lecture Part2 S. Simrock, M. Grecki ITER / DESY RF System Architecture S. Simrock &amp; M. Grecki, 5 th LC School, Switzerland, 2010, LLRF &amp; HPRF 2 Sources of Field Perturbations o Beam loading o

697 views • 21 slides
An experimental security analysis of an Industrial Robot Controller Davide Quarta , Marcello

An experimental security analysis of an Industrial Robot Controller Davide Quarta , Marcello

An experimental security analysis of an Industrial Robot Controller Davide Quarta , Marcello Pogliani, Mario Polino, Federico Maggi, Andrea Maria Zanchettin, Stefano Zanero San Jos (CA), May 22 nd , 2017 38th IEEE Symposium on Security and

539 views • 35 slides
Outline Introduction Paper: Paper: Antenna Designs Antenna Performance Analysis:

Outline Introduction Paper: Paper: Antenna Designs Antenna Performance Analysis:

Paper presentation Ultra-Portable Devices Outline Introduction Paper: Paper: Antenna Designs Antenna Performance Analysis: Free Space vs Wearable Akram Alomainy,Yang Hao and David M Davenport Parametric St d Study of

97 views • 5 slides

More recommend