THREATRACE: Detecting and Tracing Host-Based Threats in Node Level Through Provenance Graph Learning

Host-based threats such as Program Attack, Malware Implantation, and Advanced Persistent Threats (APT), are commonly adopted by modern attackers. Recent studies propose leveraging the rich contextual information in data provenance to detect a host. Data is directed acyclic graph constructed from system audit data. Nodes represent entities (e.g., processes xmlns:xlink="http://www.w3.org/1999/xlink">files ) edges calls direction of flow. However, previous studies, which extract features graph, not sensitive small quantity threat-related thus result low performance when hunting stealthy threats. We present THREATRACE, an anomaly-based detector that detects host-based at entity level without prior knowledge attack patterns. tailor GraphSAGE, inductive neural network, learn every benign entity’s role graph. THREATRACE real-time system, scalable monitoring long-term running host capable detecting intrusion their early phase. evaluate on five public datasets. The results show outperforms seven state-of-the-art detection systems.