METANOIA: A Lifelong Intrusion Detection and Investigation System for Mitigating Concept Drift
Jie Ying, Mengce Zheng, Jungan Chen, Ruoxi Chen, Zhongjie Zhua, Tiantian Zhu

TL;DR
METANOIA is a novel lifelong intrusion detection system that effectively mitigates concept drift, reduces false positives, and reconstructs attack scenarios using incremental learning and graph-based techniques.
Contribution
It introduces the first lifelong detection system that addresses concept drift challenges in intrusion detection with innovative methods for alert precision and attack reconstruction.
Findings
Improves precision by up to 54% at the graph level.
Reduces false positives significantly compared to previous methods.
Effectively reconstructs attack scenarios using mini-graphs.
Abstract
As Advanced Persistent Threat (APT) complexity increases, provenance data is increasingly used for detection. Anomaly-based systems are gaining attention due to their attack-knowledge-agnostic nature and ability to counter zero-day vulnerabilities. However, traditional detection paradigms, which train on offline, limited-size data, often overlook concept drift: unpredictable changes in streaming data distribution over time. This leads to high false positive rates. We propose incremental learning as a new paradigm to mitigate this issue. However, we identify four challenges while integrating incremental learning as a new paradigm. First, the long-running incremental system must combat catastrophic forgetting (C1) and avoid learning malicious behaviors (C2). Then, the system needs to achieve precise alerts (C3) and reconstruct attack scenarios (C4). We present METANOIA, the first…
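The abstract's argument (an offline-trained anomaly model drifts into false positives; naive incremental learning risks absorbing the attacker's own behaviour, C2; the alerts should still yield a compact attack scenario, C4) is easy to see on a toy provenance stream. The block below is an added example written for this page, not code from the METANOIA paper, and it does not reproduce the paper's actual mechanisms: the frequency-based scoring, the `tau` threshold, the "gated" update policy (learn unalerted events automatically, learn alerted ones only after an assumed analyst loop marks them benign, held in `CONFIRMED_BENIGN`), and the hop-bounded neighbourhood used in `mini_graphs` are all simplifying assumptions of this example. The training set, the post-deployment stream, and the attack chain are constructed.

```python
"""Added illustration for this page, not code from the METANOIA paper: a toy
frequency model over provenance events run under three learning paradigms, plus
a hop-bounded subgraph extraction standing in for mini-graph reconstruction.
Events, thresholds and the analyst-feedback set are all constructed here.
A provenance event is (subject process, operation, object); for exec the object
is written as the child process name so later edges from that process chain to it."""
from collections import Counter, defaultdict, deque

# Constructed offline training set: the host as it looked when the model was built.
TRAIN = ([("nginx", "read", "/var/www/index.html")] * 40
         + [("sshd", "read", "/etc/passwd")] * 10
         + [("cron", "exec", "logrotate")] * 5)

# Constructed post-deployment stream: a benign daily backup job appears (concept
# drift), and on days 10-15 a webshell-style chain repeats each day.
BACKUP = [("backup", "read", "/var/lib/db/data.db"),
          ("backup", "write", "/mnt/backup/data.db")]
ATTACK = [("nginx", "exec", "sh"),
          ("sh", "read", "/etc/shadow"),
          ("sh", "connect", "203.0.113.5:4444")]   # TEST-NET-3 address, constructed
STREAM = [ev for day in range(30)
          for ev in BACKUP + (ATTACK if 10 <= day < 16 else [])]

# Assumed analyst loop (an assumption of this example, not the paper's design):
# the first alerts on the backup job were triaged as benign; the attack chain was not.
CONFIRMED_BENIGN = set(BACKUP)


class Detector:
    """Alert when an event's empirical frequency under the model is below tau
    (never-seen events have frequency 0). `mode` picks the learning paradigm:
    static = train once offline; naive = learn every event, alerted or not;
    gated = learn unalerted events, and alerted ones only if confirmed benign."""

    def __init__(self, train, mode, tau=0.005):
        self.model, self.total = Counter(train), len(train)
        self.mode, self.tau = mode, tau

    def is_anomalous(self, ev):
        return (self.model[ev] / self.total if self.total else 0.0) < self.tau

    def learn(self, ev):
        # Cumulative counts keep old behaviour (e.g. cron) weighted; a sliding
        # window would let it fall out and be re-flagged later (C1, forgetting).
        self.model[ev] += 1
        self.total += 1

    def run(self, stream):
        alerts = []
        for ev in stream:
            alerted = self.is_anomalous(ev)
            if alerted:
                alerts.append(ev)
            if self.mode == "static":
                continue                      # offline paradigm: never updates
            if self.mode == "naive" or not alerted or ev in CONFIRMED_BENIGN:
                self.learn(ev)                # naive also absorbs the attack (C2)
        return alerts


def false_positives(alerts):
    return sum(1 for ev in alerts if ev in BACKUP)


def true_positives(alerts):
    return sum(1 for ev in alerts if ev in ATTACK)


def mini_graphs(alerts, events, hops=2):
    """Keep only provenance edges within `hops` of an alerted node, then split them
    into connected components: one compact scenario graph per incident."""
    adj = defaultdict(set)
    for subj, _, obj in events:
        adj[subj].add(obj)
        adj[obj].add(subj)
    region = {n for s, _, o in alerts for n in (s, o)}
    frontier = deque((n, 0) for n in region)
    while frontier:
        node, depth = frontier.popleft()
        if depth < hops:
            for nxt in adj[node] - region:
                region.add(nxt)
                frontier.append((nxt, depth + 1))
    kept = [ev for ev in dict.fromkeys(events)       # dedup, keep stream order
            if ev[0] in region and ev[2] in region]
    graphs, placed = [], set()
    for start in sorted(region):
        if start in placed:
            continue
        comp, stack = {start}, [start]
        while stack:
            for nxt in adj[stack.pop()] & region:
                if nxt not in comp:
                    comp.add(nxt)
                    stack.append(nxt)
        placed |= comp
        graphs.append([ev for ev in kept if ev[0] in comp])
    return graphs


if __name__ == "__main__":
    for mode in ("static", "naive", "gated"):
        alerts = Detector(TRAIN, mode).run(STREAM)
        print(f"{mode:6s} alerts={len(alerts):3d} "
              f"false_pos={false_positives(alerts):3d} "
              f"attack_hits={true_positives(alerts):3d}")
    for g in mini_graphs(Detector(TRAIN, "gated").run(STREAM), STREAM):
        print(g)
```

Run stand-alone, the static detector fires on every one of the 60 backup events (drift becomes false positives) while catching all 18 attack events; the naive incremental detector cuts the false positives to 2 but also stops alerting on the attack after its first occurrence, because it learned the attacker's chain as normal; the gated detector keeps the 2 triaged false positives and all 18 attack hits. `mini_graphs` then separates the alerted edges into two components, the three-edge webshell chain and the two-edge backup job, which is the kind of compact per-incident view a responder wants instead of a flat alert list.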
Taxonomy
Topics: Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · Advanced Malware Detection Techniques
