Abstract
Data reduction is a critical aspect of current research in advanced persistent threat (APT) attack detection. The challenge is the huge amount of data generated by system logging, which exposes dependencies among system entities and is usually represented as a provenance graph. Data reduction methods aim to shrink these graphs, but because they are mostly evaluated on non-public datasets, their results are hard to transfer and generalise. This study compares state-of-the-art reduction methods for APT attack detection on publicly available provenance graph datasets and examines how their effectiveness depends on graph characteristics and on the attack detection method used. Two findings stand out: the effectiveness of many reduction methods depends strongly on the underlying data, and applying a reduction method does not necessarily degrade detection quality.
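To make the two findings concrete, the following added example (not code from the paper, and not a reimplementation of any of the methods it compares) applies one simple dependence-preserving rule to constructed audit events: a repeated subject-to-object edge is dropped only if nothing new has flowed into the subject since the last kept copy. Three small event sets, all constructed here, show that the same rule reduces one graph by more than half and another not at all, that a time-respecting backward trace returns the same ancestors before and after reduction, and that a naive "keep the first edge per pair" reduction silently loses an ancestor a forensic analyst would need.

```python
from collections import defaultdict

# Constructed audit events, one per tuple: (timestamp, subject, object).
# An edge subject -> object means information flowed from subject to object
# (a process writing a file, a connection feeding a process, ...).
EVENTS_A = [  # a process reads a config once, then writes a log file in a burst
    (1, "conf", "proc"), (2, "proc", "log"), (3, "proc", "log"),
    (4, "proc", "log"), (5, "proc", "log"), (6, "proc", "log"),
    (7, "log", "backup"),
]
EVENTS_B = [  # the same writer, but a new connection feeds it before each write
    (1, "conn1", "proc"), (2, "proc", "log"), (3, "conn2", "proc"),
    (4, "proc", "log"), (5, "conn3", "proc"), (6, "proc", "log"),
    (7, "log", "backup"),
]
EVENTS_C = [  # a write, then a suspicious input, then the same write again
    (1, "proc", "log"), (2, "malware", "proc"), (3, "proc", "log"),
]


def reduce_repeated_edges(events):
    """Drop a repeated (subject, object) edge only when nothing new has
    flowed into the subject since the last kept copy of that edge.
    Assumes events are sorted by strictly increasing timestamp."""
    kept, last_kept, last_in = [], {}, {}
    for t, src, dst in events:
        key = (src, dst)
        if key in last_kept and last_in.get(src, -1) <= last_kept[key]:
            continue  # redundant: the subject's provenance is unchanged
        kept.append((t, src, dst))
        last_kept[key] = t
        last_in[dst] = t  # only a kept edge changes an object's provenance
    return kept


def naive_dedup(events):
    """Keep only the first occurrence of each (subject, object) pair,
    ignoring what happened in between. Included to show what goes wrong."""
    seen, kept = set(), []
    for t, src, dst in events:
        if (src, dst) not in seen:
            seen.add((src, dst))
            kept.append((t, src, dst))
    return kept


def reduction_ratio(events, reducer=reduce_repeated_edges):
    """Fraction of edges removed by `reducer`."""
    return 1 - len(reducer(events)) / len(events)


def backward_trace(events, node, at_time):
    """Time-respecting backward tracing: every node from which information
    could have reached `node` by `at_time`. Tracks the latest usable time
    per node so a later path can widen an earlier, tighter bound."""
    incoming = defaultdict(list)
    for t, src, dst in events:
        incoming[dst].append((t, src))
    best = {}
    stack = [(node, at_time)]
    while stack:
        n, bound = stack.pop()
        for t, src in incoming[n]:
            if t <= bound and best.get(src, -1) < t:
                best[src] = t
                stack.append((src, t))
    return set(best)


def trace_preserved(events, reducer, node, at_time):
    """True if reduction leaves the backward trace from `node` unchanged."""
    full = backward_trace(events, node, at_time)
    return full == backward_trace(reducer(events), node, at_time)


if __name__ == "__main__":
    for name, ev in (("A", EVENTS_A), ("B", EVENTS_B)):
        print(name, f"reduction {reduction_ratio(ev):.2f}",
              "trace preserved:", trace_preserved(ev, reduce_repeated_edges, "backup", 7))
    print("C, naive dedup preserves trace:", trace_preserved(EVENTS_C, naive_dedup, "log", 3))
```

Set A collapses five identical writes into one edge (about 57% fewer edges) while set B, whose writer receives fresh input before every write, is not reduced at all: the rule is the same, only the data differ. Set C is the forensic-validity check: the first-occurrence dedup drops the second write and with it the path from `malware` to `log`, whereas the dependence-aware rule keeps that edge because new provenance entered `proc` in between.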
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Gesell, J.E., Buchta, R., Dangendorf, K., Franzke, P., Heine, F., Kleiner, C. (2024). Comparative Analysis of Reduction Methods on Provenance Graphs for APT Attack Detection. In: Mosbah, M., Sèdes, F., Tawbi, N., Ahmed, T., Boulahia-Cuppens, N., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2023. Lecture Notes in Computer Science, vol 14552. Springer, Cham. https://doi.org/10.1007/978-3-031-57540-2_3
DOI: https://doi.org/10.1007/978-3-031-57540-2_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-57539-6
Online ISBN: 978-3-031-57540-2