11,113 research outputs found

    Structural analysis of whole-system provenance graphs

    System based provenance generates traces captured from various systems; a representation method for inferring these traces is a graph. These graphs are not well understood, and current work focuses on their extraction and processing, without a thorough characterization being in place. This paper studies the topology of such graphs. We analyze multiple Whole-system-Provenance graphs and present that they have hubs-and-authorities model of graphs as well as a power law distribution. Our observations allow for a novel understanding of the structure of Whole-system-Provenance graphs. DARP

    Possible Jurassic age for part of Rakaia Terrane: implications for tectonic development of the Torlesse accretionary prism

    Greywacke sandstone and argillite beds comprising Rakaia Terrane (Torlesse Complex) in mid Canterbury, South Island, New Zealand, are widely regarded as Late Triassic (Norian) in age based on the occurrence of Torlessia trace fossils, Monotis, and other taxa. This paleontological age assignment is tested using published 40Ar/39Ar mica and U-Pb zircon ages for these rocks and published and new zircon fission track (FT) ages. The youngest U-Pb zircon ages in the Rakaia Terrane rocks in mid Canterbury are Norian, whereas 10-20% of the 40Ar/39Ar muscovite ages are younger than Norian. Numerical modelling of these mica ages shows that they cannot have originated from partial thermal overprinting in the Torlesse prism if the thermal maximum was short-lived and early in the prism history (210-190 Ma), as commonly inferred for these rocks. The young component of mica ages could, however, be explained by extended residence (200-100 Ma) at 265-290°C in the prism. Early Jurassic (c. 189 Ma) zircon FT ages for sandstone beds from Arthur's Pass, the Rakaia valley, and the Hermitage (Mt Cook) are interpreted not to have experienced maximum temperatures above 210°C, and therefore cannot have been reduced as a result of partial annealing in the Torlesse prism. This is based on identification of a fossil Cretaceous, zircon FT, partial annealing zone in low-grade schists to the west, and the characteristics of the age data. The Early Jurassic zircon FT ages and the young component of 40Ar/39Ar mica ages are regarded therefore as detrital ages reflecting cooling in the source area, and constrain the maximum depositional age of parts of the Rakaia Terrane in mid Canterbury. The zircon FT data also show the initiation (c. 100 Ma) of marked and widespread Late Cretaceous cooling of Rakaia Terrane throughout Canterbury, which is attributed to uplift and erosion of inboard parts of the Torlesse prism due to continuing subduction accretion at its toe.
    The critical wedge concept is proposed as a new framework for investigating the development of the Torlesse Complex. The Rakaia Terrane may have formed the core of an accretionary wedge imbricated against the New Zealand margin during the Middle or Late Jurassic. Late Jurassic nonmarine sediments (e.g., Clent Hills Formation) accumulated upon the inner parts of the prism as it enlarged, emerged, and continued to be imbricated. Exhumation of Otago Schist from c. 135 Ma may mark the development of a balance (steady state) between sediments entering the prism at the toe and material exiting at the inboard margin. The enlargement of the area of exhumation to all of Canterbury from c. 100 Ma may reflect a dynamic response to widening of the prism through the accretion of Cretaceous sediments. The model of a dynamic critical wedge may help to explain the various expressions of the Rangitata Orogeny.

    Kairos: Practical Intrusion Detection and Investigation using Whole-system Provenance

    Provenance graphs are structured audit logs that describe the history of a system's execution. Recent studies have explored a variety of techniques to analyze provenance graphs for automated host intrusion detection, focusing particularly on advanced persistent threats. Sifting through their design documents, we identify four common dimensions that drive the development of provenance-based intrusion detection systems (PIDSes): scope (can PIDSes detect modern attacks that infiltrate across application boundaries?), attack agnosticity (can PIDSes detect novel attacks without a priori knowledge of attack characteristics?), timeliness (can PIDSes efficiently monitor host systems as they run?), and attack reconstruction (can PIDSes distill attack activity from large provenance graphs so that sysadmins can easily understand and quickly respond to system intrusion?). We present KAIROS, the first PIDS that simultaneously satisfies the desiderata in all four dimensions, whereas existing approaches sacrifice at least one and struggle to achieve comparable detection performance. Kairos leverages a novel graph neural network-based encoder-decoder architecture that learns the temporal evolution of a provenance graph's structural changes to quantify the degree of anomalousness for each system event. Then, based on this fine-grained information, Kairos reconstructs attack footprints, generating compact summary graphs that accurately describe malicious activity over a stream of system audit logs. Using state-of-the-art benchmark datasets, we demonstrate that Kairos outperforms previous approaches. Comment: 23 pages, 16 figures, to appear in the 45th IEEE Symposium on Security and Privacy (S&P'24)

    Towards information profiling: data lake content metadata management

    There is currently a burst of Big Data (BD) processed and stored in huge raw data repositories, commonly called Data Lakes (DL). These BD require new techniques of data integration and schema alignment in order to make the data usable by its consumers and to discover the relationships linking their content. This can be provided by metadata services which discover and describe their content. However, there is currently a lack of a systematic approach for such kind of metadata discovery and management. Thus, we propose a framework for the profiling of informational content stored in the DL, which we call information profiling. The profiles are stored as metadata to support data analysis. We formally define a metadata management process which identifies the key activities required to effectively handle this. We demonstrate the alternative techniques and performance of our process using a prototype implementation handling a real-life case-study from the OpenML DL, which showcases the value and feasibility of our approach. Peer Reviewed. Postprint (author's final draft)