UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats

Xueyuan Han, Thomas Pasquier, Adam Bates, James Mickens, Margo Seltzer

Research output: Chapter in Book/Report/Conference proceedingConference Contribution (Conference Proceeding)


Advanced Persistent Threats (APTs) are difficult to detect due to their low-and-slow attack patterns and frequent use of zero-day exploits. We present UNICORN, an anomaly-based APT detector that effectively leverages data provenance analysis. From modeling to detection, UNICORN tailors its design specifically for the unique characteristics of APTs. Through extensive yet time-efficient graph analysis, UNICORN explores provenance graphs that provide rich contextual and historical information to identify stealthy anomalous activities without pre-defined attack signatures. Using a graph sketching technique, it summarizes long-running system execution with space efficiency to combat slow-acting attacks that take place over a long time span. UNICORN further improves its detection capability using a novel modeling approach to understand long-term behavior as the system evolves. Our evaluation shows that UNICORN outperforms an existing state-of-the-art APT detection system and detects real-life APT scenarios with high accuracy.
Original languageEnglish
Title of host publicationProceedings of the Network and Distributed Systems Security (NDSS) Symposium 2020
PublisherInternet Society
Number of pages18
ISBN (Print)1-891562-61-4
Publication statusPublished - 23 Feb 2020
EventNetwork and Distributed Systems Security (NDSS) Symposium 2020 - San Diego, United States
Duration: 23 Feb 202026 Feb 2020


ConferenceNetwork and Distributed Systems Security (NDSS) Symposium 2020
Abbreviated titleNDSS 2020
Country/TerritoryUnited States
CitySan Diego
Internet address

Structured keywords

  • Cyber Security


Dive into the research topics of 'UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats'. Together they form a unique fingerprint.

Cite this