Abstract
Advanced Persistent Threats (APTs) are difficult to detect due to their low-and-slow attack patterns and frequent use of zero-day exploits. We present UNICORN, an anomaly-based APT detector that effectively leverages data provenance analysis. From modeling to detection, UNICORN tailors its design specifically for the unique characteristics of APTs. Through extensive yet time-efficient graph analysis, UNICORN explores provenance graphs that provide rich contextual and historical information to identify stealthy anomalous activities without pre-defined attack signatures. Using a graph sketching technique, it summarizes long-running system execution with space efficiency to combat slow-acting attacks that take place over a long time span. UNICORN further improves its detection capability using a novel modeling approach to understand long-term behavior as the system evolves. Our evaluation shows that UNICORN outperforms an existing state-of-the-art APT detection system and detects real-life APT scenarios with high accuracy.
| Original language | English |
|---|---|
| Title of host publication | Proceedings of the Network and Distributed Systems Security (NDSS) Symposium 2020 |
| Publisher | Internet Society |
| Pages | 1-18 |
| Number of pages | 18 |
| ISBN (Electronic) | 1-891562-61-4 |
| Publication status | Published - 23 Feb 2020 |
| Event | Network and Distributed Systems Security (NDSS) Symposium 2020, San Diego, United States. Duration: 23 Feb 2020 → 26 Feb 2020. https://www.ndss-symposium.org/ |
Conference
| Conference | Network and Distributed Systems Security (NDSS) Symposium 2020 |
|---|---|
| Abbreviated title | NDSS 2020 |
| Country/Territory | United States |
| City | San Diego |
| Period | 23/02/20 → 26/02/20 |
| Internet address | https://www.ndss-symposium.org/ |
Research Groups and Themes
- Cyber Security