GRASP -- Graph-Based Anomaly Detection Through Self-Supervised Classification
Robin Buchta, Carsten Kleiner, Felix Heine, Gabi Dreo Rodosek

TL;DR
GRASP is a self-supervised, graph-based intrusion detection system that identifies anomalies by inferring executable behavior patterns from provenance graphs, improving detection stability and uncovering unknown threats.
Contribution
It introduces a novel masked self-supervised classification approach for provenance-based intrusion detection that does not rely on thresholds and considers process executable information.
Findings
GRASP outperforms existing systems on DARPA datasets.
It detects all documented attacks where executable behavior is learnable.
GRASP uncovers malicious behaviors not labeled as attacks.
Abstract
Advanced persistent threat (APT) attacks remain difficult to detect due to their stealth, adaptability, and use of legitimate system components. Provenance-based intrusion detection systems (PIDS) offer a promising defense by capturing detailed relationships between system components and actions. However, current PIDS rely on predefined or subset-determined thresholds, which limit detection stability and the ability to detect any anomalous behavior in general. Furthermore, related work often neglects the role of process executables, which describe system activity by interacting through a process with files, network components, and other processes. We introduce GRASP, a PIDS based on masked self-supervised classification. GRASP masks the executable information of processes and learns to infer it from their two-hop provenance graph neighborhood, marking misclassified processes as…
