Structured audit logs, known as provenance graphs, outline system execution history, and recent studies investigate using them for automated host intrusion detection, stressing on APTs mainly.
The following cybersecurity researchers from their respective institutions and universities conducted a new study in which they unveiled “KAIROS”:-
- Zijun Cheng (School of Cyber Security, University of Chinese Academy of Sciences, China, Institute of Information Engineering, Chinese Academy of Sciences, China)
- Qiujian Lv (Institute of Information Engineering, Chinese Academy of Sciences, China)
- Jinyuan Liang (University of British Columbia, British Columbia, Canada)
- Degang Sun (Institute of Information Engineering, Chinese Academy of Sciences, China)
- Thomas Pasquier (University of British Columbia, British Columbia, Canada)
- Xueyuan Han (Wake Forest University, North Carolina, United States)
While KAIROS is the new practical intrusion detection approach that improves the performance of the detection.
KAIROS utilizes the unique graph neural network encoder-decoder to learn temporal provenance graph structural changes, and then it measures the degree of the unusual event effectively.
New intrusion detection employs kernel-level causal dependency graphs. It detects provenance malicious events that may appear identical but differ due to temporal or spatial aspects.
System-level Data Provenance
The data provenance at the system level tracks flows among kernel objects like:-
While the provenance graph models the interactions with directed edges representing system call results.
KAIROS primarily analyzes the network-wide kernel interactions, which is essential for detecting complex intrusions like APTs that span hosts and applications.
KAIROS Intrusion Detection
KAIROS detects APTs, and reconstructs scenarios without prior attack knowledge, but assumes existing system hardening for audit framework security.
For anomaly detection in provenance graphs, correlating anomalies based on kernel object info flows, KAIROS utilizes advanced deep graph learning with causal dependencies.
Not only that, even for efficient human-in-the-loop forensic analysis, KAIROS also offers concise, insightful summary graphs.
Here below, we have mentioned the four major components of the architecture of KAIROS:-
- Graph Construction and Representation
- Graph Learning
- Anomaly Detection
- Anomaly Investigation
Besides this, for datasets, researchers opted two options:-
- Manzoor et al.
Here, the researchers utilized DARPA’s TC and OpTC program datasets, simulating real-world APTs on enterprise networks.
While the red team launched attacks on security-critical services while engaging in benign activities. A separate team employed provenance capture systems (CADETS, ClearScope, THEIA) across platforms for host activity recording.
KAIROS is one of the first systems in its category that detects anomalies and forms attack graphs without prior information. Apart from this, it excels in real-time monitoring, outperforms competitors, and adds minimal load.