Skip to content

UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Original languageEnglish
Title of host publicationProceedings of the Network and Distributed Systems Security (NDSS) Symposium 2020
Publisher or commissioning bodyThe Internet Society
Number of pages18
ISBN (Print)1-891562-61-4
DateAccepted/In press - 20 Dec 2019
DatePublished (current) - 23 Feb 2020
EventNetwork and Distributed Systems Security (NDSS) Symposium 2020 - San Diego, United States
Duration: 23 Feb 202026 Feb 2020


ConferenceNetwork and Distributed Systems Security (NDSS) Symposium 2020
Abbreviated titleNDSS 2020
CountryUnited States
CitySan Diego
Internet address


Advanced Persistent Threats (APTs) are difficult to detect due to their low-and-slow attack patterns and frequent use of zero-day exploits. We present UNICORN, an anomaly-based APT detector that effectively leverages data provenance analysis. From modeling to detection, UNICORN tailors its design specifically for the unique characteristics of APTs. Through extensive yet time-efficient graph analysis, UNICORN explores provenance graphs that provide rich contextual and historical information to identify stealthy anomalous activities without pre-defined attack signatures. Using a graph sketching technique, it summarizes long-running system execution with space efficiency to combat slow-acting attacks that take place over a long time span. UNICORN further improves its detection capability using a novel modeling approach to understand long-term behavior as the system evolves. Our evaluation shows that UNICORN outperforms an existing state-of-the-art APT detection system and detects real-life APT scenarios with high accuracy.

    Structured keywords

  • Cyber Security


Network and Distributed Systems Security (NDSS) Symposium 2020

Abbreviated titleNDSS 2020
Duration23 Feb 202026 Feb 2020
CitySan Diego
CountryUnited States
Web address (URL)
Degree of recognitionInternational event

Event: Conference



  • Full-text PDF (accepted author manuscript)

    Accepted author manuscript, 885 KB, PDF document

    Embargo ends: 1/01/99

    Request copy


View research connections

Related faculties, schools or groups