Resource-Interaction Graph: Efficient Graph Representation for Anomaly Detection

December 16, 2022 · Entered Twilight · 🏛 arXiv.org

Repo contents: .gitattributes, .gitignore, LICENSE, README.md, containers, data, docs, rules, src

Authors James Pope, Jinyuan Liang, Vijay Kumar, Francesco Raimondo, Xinyi Sun, Ryan McConville, Thomas Pasquier, Rob Piechocki, George Oikonomou, Bo Luo, Dan Howarth, Ioannis Mavromatis, Adrian Sanchez Mompo, Pietro Carnelli, Theodoros Spyridopoulos, Aftab Khan arXiv ID 2212.08525 Category cs.CR: Cryptography & Security Cross-listed eess.SY Citations 1 Venue arXiv.org Repository https://github.com/jpope8/container-escape-dataset ⭐ 15 Last Checked 3 months ago

Abstract

Security research has concentrated on converting operating system audit logs into suitable graphs, such as provenance graphs, for analysis. However, provenance graphs can grow very large requiring significant computational resources beyond what is necessary for many security tasks and are not feasible for resource constrained environments, such as edge devices. To address this problem, we present the \textit{resource-interaction graph} that is built directly from the audit log. We show that the resource-interaction graph's storage requirements are significantly lower than provenance graphs using an open-source data set with two container escape attacks captured from an edge device. We use a graph autoencoder and graph clustering technique to evaluate the representation for an anomaly detection task. Both approaches are unsupervised and are thus suitable for detecting zero-day attacks. The approaches can achieve f1 scores typically over 80\% and in some cases over 90\% for the selected data set and attacks.