Incorporating Gradients to Rules: Towards Lightweight, Adaptive Provenance-based Intrusion Detection
Lingzhi Wang, Xiangmin Shen, Weijian Li, Zhenyuan Li, R. Sekar, Han Liu, Yan Chen

TL;DR
This paper introduces CAPTAIN, a lightweight, adaptive, rule-based provenance intrusion detection system that uses gradient-based optimization to improve accuracy and reduce false alarms in diverse environments.
Contribution
It proposes a novel differentiable framework for automatically tuning rules in provenance-based intrusion detection systems using gradient descent.
Findings
Improved detection accuracy over state-of-the-art PIDS.
Reduced false alarms and detection latency.
Lower runtime overhead and enhanced interpretability.
Abstract
As cyber attacks grow increasingly sophisticated and stealthy, it becomes more imperative and more challenging to distinguish intrusions from normal behavior. Through fine-grained causality analysis, provenance-based intrusion detection systems (PIDS) have demonstrated a promising capacity to separate benign from malicious behavior, attracting widespread attention from both industry and academia. Among the diverse approaches, rule-based PIDS stand out for their lightweight overhead, real-time capability, and explainability. However, existing rule-based systems suffer from low detection accuracy, and in particular from high false alarm rates, because they lack fine-grained rules and environment-specific configurations. In this paper, we propose CAPTAIN, a rule-based PIDS capable of automatically adapting to diverse environments. Specifically, we propose three adaptive parameters to adjust the detection configuration…
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Digital and Cyber Forensics
