ORCHID: Streaming Threat Detection over Versioned Provenance Graphs
Akul Goyal, Jason Liu, Adam Bates, Gang Wang

TL;DR
ORCHID is a real-time, memory-efficient provenance-based intrusion detection system that leverages versioned graphs and RNNs to improve threat detection accuracy and reduce false alarms in endpoint security.
Contribution
This paper introduces ORCHID, a novel streaming Prov-IDS that uses versioned provenance graphs and RNNs for efficient, real-time process threat detection.
Findings
ORCHID achieves classification accuracy competitive with existing Prov-IDS.
It eliminates the detection lag of offline threat identification.
It reduces memory consumption by two orders of magnitude.
Abstract
While Endpoint Detection and Response (EDR) systems are able to efficiently monitor threats by comparing static rules to the event stream, their inability to incorporate past system context leads to high rates of false alarms. Recent work has demonstrated Provenance-based Intrusion Detection Systems (Prov-IDS) that can examine the causal relationships between abnormal behaviors to improve threat classification. However, employing these Prov-IDS in practical settings remains difficult: state-of-the-art neural-network-based systems are only fast in a fully offline deployment model that increases attacker dwell time, while simultaneously using simplified and less accurate provenance graphs to reduce memory consumption. Thus, today's Prov-IDS cannot operate effectively in the real-time streaming setting required for commercial EDR viability. This work presents the design and implementation of…
Taxonomy
Topics: Scientific Computing and Data Management · Data Quality and Management · Advanced Malware Detection Techniques
