Provenance-based intrusion detection systems: A survey

M Zipperle, F Gottwalt, E Chang, T Dillon - ACM Computing Surveys, 2022 - dl.acm.org
Traditional Intrusion Detection Systems (IDS) cannot cope with the increasing number and
sophistication of cyberattacks such as Advanced Persistent Threats (APT). Due to their high …

Threat detection and investigation with system-level provenance graphs: A survey

Z Li, QA Chen, R Yang, Y Chen, W Ruan - Computers & Security, 2021 - Elsevier
With the development of information technology, the border of the cyberspace gets much
broader and thus also exposes increasingly more vulnerabilities to attackers. Traditional …

HOLMES: Real-time APT detection through correlation of suspicious information flows

SM Milajerdi, R Gjomemo, B Eshete… - … IEEE Symposium on …, 2019 - ieeexplore.ieee.org
In this paper, we present HOLMES, a system that implements a new approach to the
detection of Advanced and Persistent Threats (APTs). HOLMES is inspired by several case …

ShadeWatcher: Recommendation-guided cyber threat analysis using system audit records

J Zeng, X Wang, J Liu, Y Chen, Z Liang… - … IEEE Symposium on …, 2022 - ieeexplore.ieee.org
System auditing provides a low-level view into cyber threats by monitoring system entity
interactions. In response to advanced cyber-attacks, one prevalent solution is to apply data …

Poirot: Aligning attack behavior with kernel audit records for cyber threat hunting

SM Milajerdi, B Eshete, R Gjomemo… - Proceedings of the …, 2019 - dl.acm.org
Cyber threat intelligence (CTI) is being used to search for indicators of attacks that might
have compromised an enterprise network for a long time without being discovered. To have …

WATSON: Abstracting Behaviors from Audit Logs via Aggregation of Contextual Semantics

J Zeng, ZL Chua, Y Chen, K Ji, Z Liang, J Mao - NDSS, 2021 - mimicji.github.io
Endpoint monitoring solutions are widely deployed in today's enterprise environments to
support advanced attack detection and investigation. These monitors continuously record …

Combating dependence explosion in forensic analysis using alternative tag propagation semantics

MN Hossain, S Sheikhi, R Sekar - 2020 IEEE Symposium on …, 2020 - ieeexplore.ieee.org
We are witnessing a rapid escalation in targeted cyber-attacks called Advanced and
Persistent Threats (APTs). Carried out by skilled adversaries, these attacks take place over …

OmegaLog: High-fidelity attack investigation via transparent multi-layer log analysis

WU Hassan, MA Noureddine, P Datta… - Network and distributed …, 2020 - par.nsf.gov
Recent advances in causality analysis have enabled investigators to trace multi-stage
attacks using whole-system provenance graphs. Based on system-layer audit logs (e.g. …

SoK: History is a vast early warning system: Auditing the provenance of system intrusions

MA Inam, Y Chen, A Goyal, J Liu, J Mink… - … IEEE Symposium on …, 2023 - ieeexplore.ieee.org
Auditing, a central pillar of operating system security, has only recently come into its own as
an active area of public research. This resurgent interest is due in large part to the notion of …

Back-Propagating system dependency impact for attack investigation

P Fang, P Gao, C Liu, E Ayday, K Jee, T Wang… - 31st USENIX Security …, 2022 - usenix.org
Causality analysis on system auditing data has emerged as an important solution for attack
investigation. Given a POI (Point-Of-Interest) event (e.g., an alert fired on a suspicious file …