ANUBIS: A Provenance Graph-Based Framework for Advanced Persistent Threat Detection

TL;DR

ANUBIS is an explainable, graph-based machine learning system that effectively detects advanced persistent threats by capturing causality in system provenance graphs and providing high-confidence predictions.

Contribution

ANUBIS introduces a provenance graph-based framework with Bayesian neural networks for explainable and accurate APT detection, enhancing cyber defense capabilities.

Findings

High detection accuracy on DARPA OpTC dataset

Effective explanation of predictions to analysts

Captures causality in system provenance graphs

Abstract

We present ANUBIS, a highly effective machine learning-based APT detection system. Our design philosophy for ANUBIS involves two principal components. Firstly, we intend ANUBIS to be effectively utilized by cyber-response teams. Therefore, prediction explainability is one of the main focuses of ANUBIS design. Secondly, ANUBIS uses system provenance graphs to capture causality and thereby achieve high detection performance. At the core of the predictive capability of ANUBIS, there is a Bayesian Neural Network that can tell how confident it is in its predictions. We evaluate ANUBIS against a recent APT dataset (DARPA OpTC) and show that ANUBIS can detect malicious activity akin to APT campaigns with high accuracy. Moreover, ANUBIS learns about high-level patterns that allow it to explain its predictions to threat analysts. The high predictive performance with explainable attack story reconstruction makes ANUBIS an effective tool to use for enterprise cyber defense.