R-CAID: Embedding Root Cause Analysis within Provenance-based Intrusion Detection

Akul Goyal, Gang Wang, Adam Bates

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

In modern enterprise security, endpoint detection products fire an alert when process activity matches known attack behavior patterns. Human analysts then perform Root Cause Analysis (RCA) over event logs to determine if the alert is indicative of an actual attack. Data Provenance can help to automate RCA by representing event logs as a causal dependency graphs; in fact, researchers are now examining whether provenance-based anomaly detection should replace pattern-based detection altogether. Unfortunately, we observe that current approaches leverage off-the-shelf graph embedding techniques that are unable to associate events with their root causes. This shortcoming not only fails to capitalize on the RCA capabilities of provenance, but also leaves provenance-based IDS vulnerable to mimicry and evasion attacks.This work presents the design and implementation of R-CAID, a novel approach to incorporate RCA into provenance-based IDS. R-CAID precomputes each node's root causes during graph construction, then directly links those nodes to their root causes during embedding. Further, R-CAID's classification model is node/process-level, rather than graph/system-level, bringing it more in line with the precision of commercial systems. Under a passive adversary model, we find that R-CAID consistently outperforms baseline graph neural networks, sequence-based log IDS, and even a commercial endpoint detection system. Under a white-box active adversary model, R-CAID maintains a high level of performance (e.g., for DARPA Theia, 0.94 AUC adversarial down from 0.99 passive). R-CAID achieves this by associating each system entity with its immutable and unforgeable root causes, preventing adversaries from being able to masquerade as legitimate processes. This work is thus the first to demonstrate the promise of provenance-based IDS in a manner that avoids the pitfalls of mimicry and evasion.

Original languageEnglish (US)
Title of host publicationProceedings - 45th IEEE Symposium on Security and Privacy, SP 2024
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages3515-3532
Number of pages18
ISBN (Electronic)9798350331301
DOIs
StatePublished - 2024
Event45th IEEE Symposium on Security and Privacy, SP 2024 - San Francisco, United States
Duration: May 20 2024May 23 2024

Publication series

NameProceedings - IEEE Symposium on Security and Privacy
ISSN (Print)1081-6011

Conference

Conference45th IEEE Symposium on Security and Privacy, SP 2024
Country/TerritoryUnited States
CitySan Francisco
Period5/20/245/23/24

Keywords

  • Intrusion detection

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Software
  • Computer Networks and Communications

Fingerprint

Dive into the research topics of 'R-CAID: Embedding Root Cause Analysis within Provenance-based Intrusion Detection'. Together they form a unique fingerprint.

Cite this