Threat detection and investigation with system-level provenance graphs: A survey

Z Li, QA Chen, R Yang, Y Chen, W Ruan - Computers & Security, 2021 - Elsevier
With the development of information technology, the border of the cyberspace gets much
broader and thus also exposes increasingly more vulnerabilities to attackers. Traditional …

Are we there yet? an industrial viewpoint on provenance-based endpoint detection and response tools

F Dong, S Li, P Jiang, D Li, H Wang, L Huang… - Proceedings of the …, 2023 - dl.acm.org
Provenance-Based Endpoint Detection and Response (P-EDR) systems are deemed crucial
for future Advanced Persistent Threats (APT) defenses. Despite the fact that numerous new …

Holmes: real-time apt detection through correlation of suspicious information flows

SM Milajerdi, R Gjomemo, B Eshete… - … IEEE Symposium on …, 2019 - ieeexplore.ieee.org
In this paper, we present HOLMES, a system that implements a new approach to the
detection of Advanced and Persistent Threats (APTs). HOLMES is inspired by several case …

{ATLAS}: A sequence-based learning approach for attack investigation

A Alsaheel, Y Nan, S Ma, L Yu, G Walkup… - 30th USENIX security …, 2021 - usenix.org
Advanced Persistent Threats (APT) involve multiple attack steps over a long period, and
their investigation requires analysis of myriad logs to identify their attack steps, which are a …

Tactical provenance analysis for endpoint detection and response systems

WU Hassan, A Bates, D Marino - 2020 IEEE Symposium on …, 2020 - ieeexplore.ieee.org
Endpoint Detection and Response (EDR) tools provide visibility into sophisticated intrusions
by matching system events against known adversarial behaviors. However, current solutions …

Shadewatcher: Recommendation-guided cyber threat analysis using system audit records

J Zengy, X Wang, J Liu, Y Chen, Z Liang… - … IEEE Symposium on …, 2022 - ieeexplore.ieee.org
System auditing provides a low-level view into cyber threats by monitoring system entity
interactions. In response to advanced cyber-attacks, one prevalent solution is to apply data …

[PDF][PDF] You Are What You Do: Hunting Stealthy Malware via Data Provenance Analysis.

Q Wang, WU Hassan, D Li, K Jee, X Yu, K Zou, J Rhee… - NDSS, 2020 - kangkookjee.io
To subvert recent advances in perimeter and host security, the attacker community has
developed and employed various attack vectors to make a malware much stealthier than …

Poirot: Aligning attack behavior with kernel audit records for cyber threat hunting

SM Milajerdi, B Eshete, R Gjomemo… - Proceedings of the …, 2019 - dl.acm.org
Cyber threat intelligence (CTI) is being used to search for indicators of attacks that might
have compromised an enterprise network for a long time without being discovered. To have …

Nodoze: Combatting threat alert fatigue with automated provenance triage

WU Hassan, S Guo, D Li, Z Chen, K Jee, Z Li… - network and distributed …, 2019 - par.nsf.gov
Large enterprises are increasingly relying on threat detection softwares (eg, Intrusion
Detection Systems) to allow them to spot suspicious activities. These softwares generate …

Extractor: Extracting attack behavior from threat reports

K Satvat, R Gjomemo… - 2021 IEEE European …, 2021 - ieeexplore.ieee.org
The knowledge on attacks contained in Cyber Threat Intelligence (CTI) reports is very
important to effectively identify and quickly respond to cyber threats. However, this …