Active STANDARD GRANT National Science Foundation (US)

SaTC: CORE: Medium: Principled Foundations for the Design and Evaluation of Graph-Based Host Intrusion Detection Systems

$12.01M USD

Funder National Science Foundation (US)
Recipient Organization University of Illinois At Urbana-Champaign
Country United States
Start Date Oct 01, 2021
End Date Sep 30, 2026
Duration 1,825 days
Number of Grantees 2
Roles Principal Investigator; Co-Principal Investigator
Data Source National Science Foundation (US)
Grant ID 2055127
Grant Description

Modern system intruders are extraordinarily sophisticated, leveraging expertise and financial means to "live off the land" and avoid detection as they penetrate large organizations. Unfortunately, over 25 years of host intrusion detection research has proven insufficient to detect today’s sophisticated attackers. Recently, advancements in machine learning and auditing have led researchers to reconceptualize intrusion detection as a graph learning problem -- provenance graphs that describe the history of system execution are analyzed in an attempt to differentiate typical from suspicious activity.

However, at present it is unclear how (or even if) these graph intrusion detection systems (Graph IDS) are effective in the face of determined, resourceful adversaries, particularly adaptive attackers that pattern their actions to blend in with typical activity. This project measures the resilience of Graph IDS to so-called “mimicry attacks,” then designs novel anomaly detection algorithms that are hardened against this threat. The project also contributes to workforce development through student participation in research.

The project examines the central challenges pertaining to the evaluation and design of Graph IDS. Using provenance graphs as an abstract model for system activity, the project develops novel techniques for automated generation of mimicry attack samples, allowing the IDS to be rigorously benchmarked against adaptive adversaries. The project then develops new primitives for Graph IDS by incorporating the intuitions that underpin human-in-the-loop threat investigation procedures, such as root cause analysis.

In its final stages, the project considers methods for the practical deployment of these techniques in large organizations and networks. The findings from this work inform the next generation of enterprise security strategies, re-establishing host anomaly detection as a precise and practical means of detecting system intrusions.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

All Grantees

University of Illinois At Urbana-Champaign
