# A baseline for unsupervised advanced persistent threat detection in system-level provenance

**Authors:** Ghita Berrada, Sidahmed Benabderrahmane, James Cheney, William Maxwell, Himan Mookherjee, Alec Theriault, and Ryan Wright

arXiv: 1906.06940 · 2020-03-06

## TL;DR

This paper evaluates the effectiveness of unsupervised anomaly detection algorithms in identifying advanced persistent threats from large-scale system provenance data across multiple operating systems, addressing a critical cybersecurity challenge.

## Contribution

It provides the first detailed assessment of generic unsupervised anomaly detection methods for APT detection using system-level provenance data.

## Key findings

- Unsupervised algorithms can detect APT-like attacks with varying effectiveness.
- Streaming detection methods show promise for real-time APT detection.
- The study highlights challenges and potential improvements in anomaly detection for cybersecurity.

## Abstract

Advanced persistent threats (APT) are stealthy, sophisticated, and unpredictable cyberattacks that can steal intellectual property, damage critical infrastructure, or cause millions of dollars in damage. Detecting APTs by monitoring system-level activity is difficult because manually inspecting the high volume of normal system activity is overwhelming for security analysts. We evaluate the effectiveness of unsupervised batch and streaming anomaly detection algorithms over multiple gigabytes of provenance traces recorded on four different operating systems to determine whether they can detect realistic APT-like attacks reliably and efficiently. This report is the first detailed study of the effectiveness of generic unsupervised anomaly detection techniques in this setting.
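The abstract contrasts batch and streaming unsupervised anomaly detection over provenance traces without describing the scoring itself. The following is an added illustration and not the paper's code or any of the algorithms it evaluates: a toy attribute-value-frequency scorer run once in batch mode (all records known up front) and once in one-pass streaming mode (each record scored against counts seen so far) over a constructed set of process-provenance records. The event layout (process, parent, user), the sample events, and the negative-log-frequency score are all assumptions made for the illustration.

```python
"""Toy batch vs streaming unsupervised anomaly scoring over provenance-like
process records. Added illustration; not the paper's code or method."""
import math
from collections import Counter, defaultdict

# Constructed sample records: (process, parent process, user), as a
# system-provenance collector might emit them. The last record is the one a
# defender would want surfaced: an unusual child spawned from an editor.
SAMPLE_EVENTS = [
    ("sshd", "init", "root"),
    ("sshd", "init", "root"),
    ("sshd", "init", "root"),
    ("bash", "sshd", "alice"),
    ("ls", "bash", "alice"),
    ("vim", "bash", "alice"),
    ("bash", "sshd", "alice"),
    ("ls", "bash", "alice"),
    ("bash", "sshd", "bob"),
    ("ls", "bash", "bob"),
    ("vim", "bash", "bob"),
    ("nc", "vim", "alice"),  # constructed: rare process with a rare parent
]


def _score(freqs):
    """Sum of -log(frequency) per attribute: rare values dominate the score,
    so a record with several never-before-seen values stands out."""
    return sum(-math.log(f) for f in freqs)


def batch_scores(events):
    """Batch mode: needs the whole trace first, then scores every record
    against attribute-value counts computed over all records."""
    n = len(events)
    width = len(events[0])
    counts = [Counter(e[i] for e in events) for i in range(width)]
    return [_score(counts[i][v] / n for i, v in enumerate(e)) for e in events]


def streaming_scores(events):
    """Streaming mode: one pass, constant state per attribute value. Each
    record is scored with the counts seen so far (including itself), so it
    can run online. Caveat: during cold start every value is new, so early
    records score high for lack of history rather than for being unusual."""
    counts = defaultdict(Counter)
    seen = 0
    scores = []
    for e in events:
        seen += 1
        for i, v in enumerate(e):
            counts[i][v] += 1
        scores.append(_score(counts[i][v] / seen for i, v in enumerate(e)))
    return scores


def top_k(events, scores, k=1):
    """Records ranked most anomalous first; an analyst would triage these."""
    order = sorted(range(len(events)), key=lambda i: scores[i], reverse=True)
    return [events[i] for i in order[:k]]


if __name__ == "__main__":
    b = batch_scores(SAMPLE_EVENTS)
    s = streaming_scores(SAMPLE_EVENTS)
    for e, bs, ss in zip(SAMPLE_EVENTS, b, s):
        print(f"{e!s:32} batch={bs:.3f} streaming={ss:.3f}")
    print("batch top:", top_k(SAMPLE_EVENTS, b))
    print("streaming top:", top_k(SAMPLE_EVENTS, s))
```

Both modes rank the constructed `("nc", "vim", "alice")` record highest on this sample, and the streaming score of the final record equals its batch score because by then the online counts coincide with the full-trace counts. The difference a practitioner should notice is in the early records: streaming scores them with almost no history, which is the cold-start cost paid for not having to buffer the whole trace.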

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1906.06940/full.md

## Figures

33 figures with captions in the complete paper: https://tomesphere.com/paper/1906.06940/full.md

## References

45 references — full list in the complete paper: https://tomesphere.com/paper/1906.06940/full.md

---
Source: https://tomesphere.com/paper/1906.06940