Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Evolving Advanced Persistent Threat Detection Using Provenance Graph and Metric Learning

Published

Author(s)

Gbadebo Ayoade, Khandakar A. Akbar, Pracheta Sahoo, Yang Gao, Anoop Singhal, Kangkook Jee, Latifur Khan, Anmol Agarwal

Abstract

Advanced persistent threats (APT) have increased in recent times as a result of the rise in interest by nationstates and sophisticated corporations to obtain high profile information. Typically, APT attacks are more challenging to detect since they leverage zero-day attacks and commonly used benign tools. Furthermore, these attack campaigns are often prolonged to evade detection. We leverage an approach that uses a provenance graph to obtain execution traces of host nodes in order to detect anomalous behavior. By using the provenance graph, we extract features that are then used to train an online adaptive metric learning. Online metric learning is a deep learning method that learns a function to minimize the separation between similar classes and maximizes the separation between dis- similar instances. We compare our approach with baseline models and we show our method outperforms the baseline models by increasing detection accuracy on average by 11.3% and increases True positive rate(TPR) on average by 18.3%.
Conference Dates
June 29-July 1, 2020
Conference Location
Avignon, FR
Conference Title
IEEE International Conference on Communications and Network Security (CNS 2020)

Keywords

Feature extraction, Machine learning, Measurement, Tools, Trojan horses, Conferences, Security

Citation

Ayoade, G. , Akbar, K. , Sahoo, P. , Gao, Y. , Singhal, A. , Jee, K. , Khan, L. and Agarwal, A. (2020), Evolving Advanced Persistent Threat Detection Using Provenance Graph and Metric Learning, IEEE International Conference on Communications and Network Security (CNS 2020), Avignon, FR, [online], https://doi.org/10.1109/CNS48642.2020.9162264, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=929801 (Accessed December 3, 2024)

Issues

If you have any questions about this publication or are having problems accessing it, please contact reflib@nist.gov.

Created June 28, 2020, Updated October 12, 2021