EagleEye: Attention to Unveil Malicious Event Sequences from Provenance Graphs
Philipp Gysel, Candid Wüest, Kenneth Nwafor, Otakar Jašek, Andrey Ustyuzhanin, Dinil Mon Divakaran

TL;DR
EagleEye is a system that uses rich provenance graph features and a Transformer model to detect malicious event sequences, providing high accuracy and interpretability in endpoint security.
Contribution
The paper introduces EagleEye, a novel approach combining provenance graph features and Transformer models for scalable, interpretable malware detection in endpoint logs.
Findings
EagleEye achieves approximately 89% detection rate at a 1% false-positive rate on the DARPA dataset.
It outperforms state-of-the-art methods by 38.5% in detection accuracy.
The Transformer's attention mechanism helps interpret malware alerts.
Abstract
Securing endpoints is challenging due to the evolving nature of threats and attacks. With endpoint logging systems becoming mature, provenance-graph representations enable the creation of sophisticated behavior rules. However, adapting to the pace of emerging attacks is not scalable with rules. This led to the development of ML models capable of learning from endpoint logs. However, there are still open challenges: i) malicious patterns of malware are spread across long sequences of events, and ii) ML classification results are not interpretable. To address these issues, we develop and present EagleEye, a novel system that i) uses rich features from provenance graphs for behavior event representation, including command-line embeddings, ii) extracts long sequences of events and learns event embeddings, and iii) trains a lightweight Transformer model to classify behavior sequences as…
Taxonomy
Topics: Scientific Computing and Data Management · Data Quality and Management · Advanced Malware Detection Techniques
