
    Kairos: Practical Intrusion Detection and Investigation using Whole-system Provenance

    Provenance graphs are structured audit logs that describe the history of a system's execution. Recent studies have explored a variety of techniques to analyze provenance graphs for automated host intrusion detection, focusing particularly on advanced persistent threats. Sifting through their design documents, we identify four common dimensions that drive the development of provenance-based intrusion detection systems (PIDSes): scope (can PIDSes detect modern attacks that infiltrate across application boundaries?), attack agnosticity (can PIDSes detect novel attacks without a priori knowledge of attack characteristics?), timeliness (can PIDSes efficiently monitor host systems as they run?), and attack reconstruction (can PIDSes distill attack activity from large provenance graphs so that sysadmins can easily understand and quickly respond to system intrusion?). We present KAIROS, the first PIDS that simultaneously satisfies the desiderata in all four dimensions, whereas existing approaches sacrifice at least one and struggle to achieve comparable detection performance. Kairos leverages a novel graph neural network-based encoder-decoder architecture that learns the temporal evolution of a provenance graph's structural changes to quantify the degree of anomalousness for each system event. Then, based on this fine-grained information, Kairos reconstructs attack footprints, generating compact summary graphs that accurately describe malicious activity over a stream of system audit logs. Using state-of-the-art benchmark datasets, we demonstrate that Kairos outperforms previous approaches.

    Comment: 23 pages, 16 figures, to appear in the 45th IEEE Symposium on Security and Privacy (S&P'24

    Provenance of plumes in global convection models

    In global convection models constrained by plume motions and subduction history over the last 230 Myr, plumes emerge preferentially from the edges of thermochemical structures that resemble present-day large low shear velocity provinces (LLSVPs) beneath Africa and the Pacific Ocean. It has been argued that large igneous provinces (LIPs) erupting since 200 Ma may originate from plumes that emerged from the edges of the LLSVPs, and numerical models have been devised to validate this hypothesis. Although qualitative assessments that are broadly in agreement with this hypothesis have been derived from numerical models, a quantitative assessment has been lacking. We present a novel plume detection scheme and derive Monte Carlo-based statistical correlations of model plume eruption sites and reconstructed LIP eruption sites. We show that models with a chemically anomalous lower mantle are highly correlated to reconstructed LIP eruption sites, whereas the confidence level obtained for a model with purely thermal plumes falls just short of 95%. A network of embayments separated by steep ridges forms in the deep lower mantle in models with a chemically anomalous lower mantle. Plumes become anchored to the peaks of the chemical ridges, and the network of ridges acts as a floating anchor, adjusting to slab push forces through time. The network of ridges imposes a characteristic separation between conduits that can extend into the interior of the thermochemical structures. This may explain the observed clustering of reconstructed LIP eruption sites, which mostly but not exclusively occur around the present-day LLSVPs.

    ATTACK2VEC: Leveraging Temporal Word Embeddings to Understand the Evolution of Cyberattacks

    Despite the fact that cyberattacks are constantly growing in complexity, the research community still lacks effective tools to easily monitor and understand them. In particular, there is a need for techniques that are able not only to track how prominently certain malicious actions, such as the exploitation of specific vulnerabilities, are used in the wild, but also (and more importantly) how these malicious actions factor in as attack steps in more complex cyberattacks. In this paper we present ATTACK2VEC, a system that uses temporal word embeddings to model how attack steps are exploited in the wild, and track how they evolve. We test ATTACK2VEC on a dataset of billions of security events collected from the customers of a commercial Intrusion Prevention System over a period of two years, and show that our approach is effective in monitoring the emergence of new attack strategies in the wild and in flagging which attack steps are often used together by attackers (e.g., vulnerabilities that are frequently exploited together). ATTACK2VEC provides a useful tool for researchers and practitioners to better understand cyberattacks and their evolution, and to use this knowledge to improve situational awareness and develop proactive defenses.

    A baseline for unsupervised advanced persistent threat detection in system-level provenance

    Advanced persistent threats (APTs) are stealthy, sophisticated, and unpredictable cyberattacks that can steal intellectual property, damage critical infrastructure, or cause millions of dollars in damage. Detecting APTs by monitoring system-level activity is difficult because manually inspecting the high volume of normal system activity is overwhelming for security analysts. We evaluate the effectiveness of unsupervised batch and streaming anomaly detection algorithms over multiple gigabytes of provenance traces recorded on four different operating systems to determine whether they can detect realistic APT-like attacks reliably and efficiently. This report is the first detailed study of the effectiveness of generic unsupervised anomaly detection techniques in this setting.

    Data mining and fusion


    Knowledge will Propel Machine Understanding of Content: Extrapolating from Current Examples

    Machine Learning has been a big success story during the AI resurgence. One particular stand-out success relates to learning from a massive amount of data. In spite of early assertions of the unreasonable effectiveness of data, there is increasing recognition of the value of utilizing knowledge whenever it is available or can be created purposefully. In this paper, we discuss the indispensable role of knowledge for deeper understanding of content where (i) large amounts of training data are unavailable, (ii) the objects to be recognized are complex (e.g., implicit entities and highly subjective content), and (iii) applications need to use complementary or related data in multiple modalities/media. What brings us to the cusp of rapid progress is our ability to (a) create relevant and reliable knowledge and (b) carefully exploit knowledge to enhance ML/NLP techniques. Using diverse examples, we seek to foretell unprecedented progress in our ability for deeper understanding and exploitation of multimodal data and continued incorporation of knowledge in learning techniques.

    Comment: Pre-print of the paper accepted at 2017 IEEE/WIC/ACM International Conference on Web Intelligence (WI). arXiv admin note: substantial text overlap with arXiv:1610.0770

    Timing and Characterization of the Change in the Redox State of Uranium in Precambrian Surface Environments: A Proxy for the Oxidation State of the Atmosphere

    The redox-sensitive geochemical behavior of uranium permits the use of Th/U ratios as a geochemical proxy for the oxidation state of the atmosphere and oceans during sedimentary processes. Due to the effects of post-depositional uranium mobility on Th/U ratios during events involving oxygenated fluids, direct measurements of Th/U ratios are often misleading, but the whole-rock Pb isotope composition may be used to determine a sample's apparent time-integrated Th/U ratio (κa) and the timing associated with the onset of the U-Th-Pb geochemistry. Rare earth element (REE) concentrations were determined by isotope dilution mass spectrometry to evaluate the influence of multiple provenance components and the potential mobility of Th, U, and Pb during post-depositional processes on the Th/U ratio. The Pb isotope compositions and REE concentrations were determined for six Paleoproterozoic sedimentary sequences, which were the focus of previous studies involving the timing of the rise of atmospheric oxygen. The Mount McRae Shale, Huronian Supergroup, and Zaonezhskaya Formation have been interpreted as having experienced post-depositional alteration (perhaps associated with orogenic events), based on Pb-Pb ages that are younger than the likely depositional age and on observed fractionation of REE in chondrite-normalized REE patterns and interelement REE ratios (e.g. La/Nd, La/Yb, Eu/Eu*). Similar geochemical proxies have been interpreted as sedimentary geochemical features of the Timeball Hill Formation, Hotazel Formation, and Sengoma Argillite Formation. This study of Paleoproterozoic sedimentary units constrains the onset of U-Th decoupling, most likely due to the onset of oxidative weathering conditions, to have begun by 2.32 Ga at the latest.