Abstract
Advanced Persistent Threats (APTs) are difficult to detect due to their low-and-slow attack patterns and frequent use of zero-day exploits. We present UNICORN, an anomaly-based APT detector that effectively leverages data provenance analysis. From modeling to detection, UNICORN tailors its design specifically for the unique characteristics of APTs. Through extensive yet time-efficient graph analysis, UNICORN explores provenance graphs that provide rich contextual and historical information to identify stealthy anomalous activities without pre-defined attack signatures. Using a graph sketching technique, it summarizes long-running system execution with space efficiency to combat slow-acting attacks that take place over a long time span. UNICORN further improves its detection capability using a novel modeling approach to understand long-term behavior as the system evolves. Our evaluation shows that UNICORN outperforms an existing state-of-the-art APT detection system and detects real-life APT scenarios with high accuracy.
| Original language | English |
|---|---|
| Title of host publication | Proceedings of the Network and Distributed Systems Security (NDSS) Symposium 2020 |
| Publisher | Internet Society |
| Pages | 1-18 |
| Number of pages | 18 |
| ISBN (Electronic) | 1-891562-61-4 |
| Publication status | Published - 23 Feb 2020 |
| Event | Network and Distributed Systems Security (NDSS) Symposium 2020 - San Diego, United States Duration: 23 Feb 2020 → 26 Feb 2020 https://www.ndss-symposium.org/ |
Conference
| Conference | Network and Distributed Systems Security (NDSS) Symposium 2020 |
|---|---|
| Abbreviated title | NDSS 2020 |
| Country/Territory | United States |
| City | San Diego |
| Period | 23/02/20 → 26/02/20 |
| Internet address |
Research Groups and Themes
- Cyber Security