Sometimes, You Aren’t What You Do: Mimicry Attacks against Provenance Graph Host Intrusion Detection Systems

Akul Goyal, Xueyuan Han, Gang Wang, Adam Bates

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Reliable methods for host-layer intrusion detection remain an open problem within computer security. Recent research has recast intrusion detection as a provenance graph anomaly detection problem thanks to concurrent advancements in machine learning and causal graph auditing. While these approaches show promise, their robustness against an adaptive adversary has yet to be proven. In particular, it is unclear if mimicry attacks, which plagued past approaches to host intrusion detection, have a similar effect on modern graph-based methods. In this work, we reveal that systematic design choices have allowed mimicry attacks to continue to abound in provenance graph host intrusion detection systems (Prov-HIDS). Against a corpus of exemplar Prov-HIDS, we develop evasion tactics that allow attackers to hide within benign process behaviors. Evaluating against public datasets, we demonstrate that an attacker can consistently evade detection (100% success rate) without modifying the underlying attack behaviors. We go on to show that our approach is feasible in live attack scenarios and outperforms domain-general adversarial sample techniques. Through open sourcing our code and datasets, this work will serve as a benchmark for the evaluation of future Prov-HIDS.

Original language: English (US)
Title of host publication: 30th Annual Network and Distributed System Security Symposium, NDSS 2023
Publisher: The Internet Society
ISBN (Electronic): 1891562835, 9781891562839
State: Published - 2023
Event: 30th Annual Network and Distributed System Security Symposium, NDSS 2023 - San Diego, United States
Duration: Feb 27, 2023 to Mar 3, 2023

Publication series

Name: 30th Annual Network and Distributed System Security Symposium, NDSS 2023

Conference

Conference: 30th Annual Network and Distributed System Security Symposium, NDSS 2023
Country/Territory: United States
City: San Diego
Period: 2/27/23 to 3/3/23

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Control and Systems Engineering
  • Safety, Risk, Reliability and Quality
