Abstract |
---|
Advanced Persistent Threats (APTs) are difficult to detect due to their "low-and-slow" attack patterns and frequent use of zero-day exploits. We present UNICORN, an anomaly-based APT detector that effectively leverages data provenance analysis. From modeling to detection, UNICORN tailors its design specifically for the unique characteristics of APTs. Through extensive yet time-efficient graph analysis, UNICORN explores provenance graphs that provide rich contextual and historical information to identify stealthy anomalous activities without pre-defined attack signatures. Using a graph sketching technique, it summarizes long-running system execution with space efficiency to combat slow-acting attacks that take place over a long time span. UNICORN further improves its detection capability using a novel modeling approach to understand long-term behavior as the system evolves. Our evaluation shows that UNICORN outperforms an existing state-of-the-art APT detection system and detects real-life APT scenarios with high accuracy. |
Year | DOI | Venue |
---|---|---|
2020 | 10.14722/ndss.2020.24046 | NDSS |
DocType | Citations | PageRank |
---|---|---|
Conference | 8 | 0.51 |

References | Authors |
---|---|
0 | 5 |

Name | Order | Citations | PageRank |
---|---|---|---|
Xueyuan Han | 1 | 33 | 4.52 |
Thomas F. J.-M. Pasquier | 2 | 214 | 17.09 |
Adam Bates | 3 | 324 | 23.66 |
James Mickens | 4 | 424 | 37.89 |
Margo Seltzer | 5 | 3423 | 623.54 |