Resource-Interaction Graph: Efficient Graph Representation for Anomaly Detection
James Pope (1), Jinyuan Liang (2), Vijay Kumar (4), Francesco Raimondo (1), Xinyi Sun (1), Ryan McConville (1), Thomas Pasquier (2), Rob Piechocki (1), George Oikonomou (1), Bo Luo (3), Dan Howarth (3), Ioannis Mavromatis (4), Adrian Sanchez Mompo (4), Pietro Carnelli (4)

TL;DR
This paper introduces the resource-interaction graph, a lightweight graph representation built directly from audit logs, enabling efficient anomaly detection on resource-constrained devices with high accuracy.
Contribution
The paper proposes the resource-interaction graph, reducing storage needs compared to provenance graphs, and demonstrates its effectiveness for unsupervised anomaly detection.
Findings
Resource-interaction graphs require significantly less storage than provenance graphs.
Unsupervised graph autoencoder and clustering achieve over 80% F1 scores.
Effective detection of zero-day attacks on edge devices.
Abstract
Security research has concentrated on converting operating system audit logs into suitable graphs, such as provenance graphs, for analysis. However, provenance graphs can grow very large, requiring significant computational resources beyond what is necessary for many security tasks, and are not feasible for resource-constrained environments, such as edge devices. To address this problem, we present the resource-interaction graph, which is built directly from the audit log. We show that the resource-interaction graph's storage requirements are significantly lower than those of provenance graphs, using an open-source data set with two container escape attacks captured from an edge device. We use a graph autoencoder and a graph clustering technique to evaluate the representation for an anomaly detection task. Both approaches are unsupervised and are thus suitable for detecting zero-day attacks.…
Taxonomy
Topics: Software System Performance and Reliability · Network Security and Intrusion Detection · Data Quality and Management
