Skip to main content
SpringerLink
Log in

Comparative Analysis of Reduction Methods on Provenance Graphs for APT Attack Detection

  • Conference paper
  • First Online:
Foundations and Practice of Security (FPS 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14552))

Included in the following conference series:

  • 42 Accesses

Abstract

Data reduction is a critical aspect of current research in advanced persistent threat attack detection. The challenge is handling the huge amount of data generated by system logging, which exposes dependencies among system entities, often depicted as provenance graphs. Data reduction methods aim to reduce the data size of provenance graphs, but their evaluation on non-public datasets limits the results’ transferability and general applicability. This study compares state-of-the-art reduction methods for APT Attack Detection on publicly available provenance graph datasets, exploring their dependencies on graph characteristics and attack detection methods. One outcome of the work is that the effectiveness of many reduction methods depends highly on the underlying data. And secondly, using a reduction method does not necessarily negatively affect detection quality.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Chen, P., Desmet, L., Huygens, C.: A study on advanced persistent threats. In: De Decker, B., Zúquete, A. (eds.) Communications and Multimedia Security, pp. 63–72 (2014). https://doi.org/10.1007/978-3-662-44885-4_5

  2. Dynamics, K.: TA5.1 ground truth report engagement 3 (2018). https://drive.google.com/drive/folders/1ATro9_PaoNlg376yA_moI1MbJGF-_HaV

  3. Hossain, M.N., Wang, J., Sekar, R., Stoller, S.D.: Dependence-preserving data compaction for scalable forensic analysis. In: 27th USENIX Security Symposium, pp. 1723–1740 (2018). https://seclab.cs.sunysb.edu/seclab/pubs/usenix18.pdf

  4. Inam, M., et al.: SoK: history is a vast early warning system: auditing the provenance of system intrusions. In: 2023 IEEE Symposium on Security and Privacy (SP), pp. 2620–2638 (2023). https://doi.ieeecomputersociety.org/10.1109/SP46215.2023.10179405

  5. Lee, K.H., Zhang, X., Xu, D.: LogGC: garbage collecting audit log. In: 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 1005–1016 (2013). https://doi.org/10.1145/2508859.2516731

  6. Ma, S., et al.: Kernel-supported cost-effective audit logging for causality tracking. In: 2018 USENIX Annual Technical Conference, pp. 241–253 (2018). https://www.usenix.org/system/files/conference/atc18/atc18-ma-shiqing.pdf

  7. Michael, N., Mink, J., Liu, J., Gaur, S., Hassan, W.U., Bates, A.: On the forensic validity of approximated audit logs. In: Annual Computer Security Applications Conference, pp. 189–202 (2020). https://doi.org/10.1145/3427228.3427272

  8. Tang, Y., et al.: NodeMerge: template based efficient data reduction for big-data causality analysis. In: 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1324–1337 (2018). https://doi.org/10.1145/3243734.3243763

  9. Wang, S., et al.: THREATRACE: detecting and tracing host-based threats in node level through provenance graph learning. IEEE Trans. Inf. Forensics Secur. 17, 3972–3987 (2022). https://doi.org/10.1109/TIFS.2022.3208815

    Article  Google Scholar 

  10. Xu, Z., et al.: High fidelity data reduction for big data security dependency analyses. In: 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 504–516 (2016). https://doi.org/10.1145/2976749.2978378

  11. Zipperle, M., Gottwalt, F., Chang, E., Dillon, T.: Provenance-based intrusion detection systems: a survey. ACM Comput. Surv. 55(7), 1–36 (2022). https://doi.org/10.1145/3539605

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Hochschule Hannover - University of Applied Sciences and Arts, Hanover, Germany

    Jan Eske Gesell, Robin Buchta, Kilian Dangendorf, Pascal Franzke, Felix Heine & Carsten Kleiner

Authors
  1. Jan Eske Gesell
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Robin Buchta
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Kilian Dangendorf
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Pascal Franzke
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Felix Heine
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Carsten Kleiner
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Jan Eske Gesell .

Editor information

Editors and Affiliations

  1. University of Bordeaux, Bordeaux, France

    Mohamed Mosbah

  2. Toulouse III - Paul Sabatier University, Toulouse, France

    Florence Sèdes

  3. Université Laval, Québec, QC, Canada

    Nadia Tawbi

  4. University of Bordeaux, Bordeaux, France

    Toufik Ahmed

  5. Polytechnique Montréal, Montreal, QC, Canada

    Nora Boulahia-Cuppens

  6. Telecom SudParis, Palaiseau, France

    Joaquin Garcia-Alfaro

Rights and permissions

Reprints and permissions

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Gesell, J.E., Buchta, R., Dangendorf, K., Franzke, P., Heine, F., Kleiner, C. (2024). Comparative Analysis of Reduction Methods on Provenance Graphs for APT Attack Detection. In: Mosbah, M., Sèdes, F., Tawbi, N., Ahmed, T., Boulahia-Cuppens, N., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2023. Lecture Notes in Computer Science, vol 14552. Springer, Cham. https://doi.org/10.1007/978-3-031-57540-2_3

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-57540-2_3

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-57539-6

  • Online ISBN: 978-3-031-57540-2

Publish with us

Policies and ethics

Search

Navigation