TY - GEN
T1 - Sometimes, You Aren’t What You Do
T2 - 30th Annual Network and Distributed System Security Symposium, NDSS 2023
AU - Goyal, Akul
AU - Han, Xueyuan
AU - Wang, Gang
AU - Bates, Adam
N1 - Publisher Copyright:
© 2023 30th Annual Network and Distributed System Security Symposium, NDSS 2023. All Rights Reserved.
PY - 2023
Y1 - 2023
N2 - Reliable methods for host-layer intrusion detection remain an open problem within computer security. Recent research has recast intrusion detection as a provenance graph anomaly detection problem thanks to concurrent advancements in machine learning and causal graph auditing. While these approaches show promise, their robustness against an adaptive adversary has yet to be proven. In particular, it is unclear if mimicry attacks, which plagued past approaches to host intrusion detection, have a similar effect on modern graph-based methods. In this work, we reveal that systematic design choices have allowed mimicry attacks to continue to abound in provenance graph host intrusion detection systems (Prov-HIDS). Against a corpus of exemplar Prov-HIDS, we develop evasion tactics that allow attackers to hide within benign process behaviors. Evaluating against public datasets, we demonstrate that an attacker can consistently evade detection (100% success rate) without modifying the underlying attack behaviors. We go on to show that our approach is feasible in live attack scenarios and outperforms domain-general adversarial sample techniques. Through open-sourcing our code and datasets, this work will serve as a benchmark for the evaluation of future Prov-HIDS.
AB - Reliable methods for host-layer intrusion detection remain an open problem within computer security. Recent research has recast intrusion detection as a provenance graph anomaly detection problem thanks to concurrent advancements in machine learning and causal graph auditing. While these approaches show promise, their robustness against an adaptive adversary has yet to be proven. In particular, it is unclear if mimicry attacks, which plagued past approaches to host intrusion detection, have a similar effect on modern graph-based methods. In this work, we reveal that systematic design choices have allowed mimicry attacks to continue to abound in provenance graph host intrusion detection systems (Prov-HIDS). Against a corpus of exemplar Prov-HIDS, we develop evasion tactics that allow attackers to hide within benign process behaviors. Evaluating against public datasets, we demonstrate that an attacker can consistently evade detection (100% success rate) without modifying the underlying attack behaviors. We go on to show that our approach is feasible in live attack scenarios and outperforms domain-general adversarial sample techniques. Through open-sourcing our code and datasets, this work will serve as a benchmark for the evaluation of future Prov-HIDS.
UR - http://www.scopus.com/inward/record.url?scp=85174051326&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85174051326&partnerID=8YFLogxK
U2 - 10.14722/ndss.2023.24207
DO - 10.14722/ndss.2023.24207
M3 - Conference contribution
AN - SCOPUS:85174051326
T3 - 30th Annual Network and Distributed System Security Symposium, NDSS 2023
BT - 30th Annual Network and Distributed System Security Symposium, NDSS 2023
PB - The Internet Society
Y2 - 27 February 2023 through 3 March 2023
ER -
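Added illustration (not the authors' code, datasets or evasion tactics): the abstract's central claim is that an attacker can evade a provenance-graph anomaly detector by hiding among benign process behavior without changing the attack itself. The toy below shows the general shape of such a mimicry attack against a deliberately simple detector. The detector, the benign and attack provenance graphs, the histogram feature, and the padding strategy are all constructed here for the example and stand in for the far richer graph models the paper evaluates.

```python
"""Toy mimicry attack against a histogram-based provenance anomaly detector.

Constructed example: a provenance graph is modelled as a multiset of
(subject, relation, object) edges, and the "Prov-HIDS" scores a graph by the
L2 distance between its normalized edge-type histogram and the mean histogram
of benign training graphs. None of this is the paper's code or data.
"""
from collections import Counter
from math import sqrt

# Constructed benign training graphs: a shell driving a compiler.
BENIGN_GRAPHS = [
    [("bash", "exec", "gcc")] * 2 + [("gcc", "read", "file")] * 4
    + [("gcc", "write", "file")] * 2 + [("bash", "read", "file")] * 2,
    [("bash", "exec", "gcc")] + [("gcc", "read", "file")] * 5
    + [("gcc", "write", "file")] * 2 + [("bash", "read", "file")]
    + [("bash", "exec", "ls")],
]

# Constructed attack graph: download-and-execute. Its edge types (network
# connect, curl/sh subjects) never appear in the benign training data.
ATTACK_GRAPH = [
    ("bash", "exec", "curl"),
    ("curl", "connect", "socket"),
    ("curl", "write", "file"),
    ("bash", "exec", "sh"),
    ("sh", "write", "file"),
]


def histogram(graph):
    """Normalized frequency of each edge type in the graph."""
    counts = Counter(graph)
    total = len(graph)
    return {edge: n / total for edge, n in counts.items()}


class HistogramProvHIDS:
    """Toy Prov-HIDS: anomaly score is L2 distance to the mean benign histogram.

    The threshold is the largest benign training score times a slack factor,
    so every training graph is accepted with some margin.
    """

    def __init__(self, benign_graphs, slack=1.5):
        hists = [histogram(g) for g in benign_graphs]
        keys = set().union(*hists)
        self.mean = {k: sum(h.get(k, 0.0) for h in hists) / len(hists) for k in keys}
        self.threshold = slack * max(self.score(g) for g in benign_graphs)

    def score(self, graph):
        h = histogram(graph)
        keys = set(h) | set(self.mean)
        return sqrt(sum((h.get(k, 0.0) - self.mean.get(k, 0.0)) ** 2 for k in keys))

    def is_anomalous(self, graph):
        return self.score(graph) > self.threshold


def mimicry_pad(detector, attack_graph, benign_graphs, max_rounds=50):
    """Mimicry: append copies of benign edges until the detector accepts.

    Every original attack edge is kept; only benign-looking activity is added,
    which dilutes the attack's share of the histogram. This is the generic
    padding idea, not the paper's specific tactics.
    """
    pool = [e for g in benign_graphs for e in g]
    padded = list(attack_graph)
    for _ in range(max_rounds):
        if not detector.is_anomalous(padded):
            return padded
        padded.extend(pool)
    raise RuntimeError("mimicry did not converge within max_rounds")


if __name__ == "__main__":
    det = HistogramProvHIDS(BENIGN_GRAPHS)
    print("threshold", round(det.threshold, 3))
    print("raw attack score", round(det.score(ATTACK_GRAPH), 3), det.is_anomalous(ATTACK_GRAPH))
    padded = mimicry_pad(det, ATTACK_GRAPH, BENIGN_GRAPHS)
    print("padded attack score", round(det.score(padded), 3), det.is_anomalous(padded))
    print("attack edges preserved:",
          all(padded.count(e) >= ATTACK_GRAPH.count(e) for e in ATTACK_GRAPH))
```

The raw attack scores about 0.70 against a threshold of 0.15 and is flagged; one round of benign padding (20 added edges, 25 total) drops the score to 0.14 with all five attack edges still present, so the "attack behaviors" are unchanged while the feature vector now looks benign. Any detector whose features are normalized aggregates over the whole graph is exposed to this kind of dilution, which is the design-choice concern the abstract raises.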