Logo image
Back
Provenance-based Intrusion Detection Systems: A Survey
Journal article   Peer reviewed

Provenance-based Intrusion Detection Systems: A Survey

Michael Zipperle, Florian Gottwalt, Elizabeth Chang and Tharam Dillon
ACM Computing Surveys, Vol.55(7), pp.1-36
2023
DOI: https://doi.org/10.1145/3539605
url
https://doi.org/10.1145/3539605View
Published Version Open

Abstract

Graph-based database models Information systems Intrusion detection systems Security and privacy
Traditional Intrusion Detection Systems (IDS) cannot cope with the increasing number and sophistication of cyberattacks such as Advanced Persistent Threats (APT). Due to their high false-positive rate and the required effort of security experts to validate them, incidents can remain undetected for up to several months. As a result, enterprises suffer from data loss and severe financial damage. Recent research explored data provenance for Host-based Intrusion Detection Systems (HIDS) as one promising data source to tackle this issue. Data provenance represents information flows between system entities as Direct Acyclic Graph (DAG). Provenance-based Intrusion Detection Systems (PIDS) utilize data provenance to enhance the detection performance of intrusions and reduce false-alarm rates compared to traditional IDS. This survey demonstrates the potential of PIDS by providing a detailed evaluation of recent research in the field, proposing a novel taxonomy for PIDS, discussing current issues, and potential future research directions. This survey aims to help and motivate researchers to get started in the field of PIDS by tackling issues of data collection, graph summarization, intrusion detection, and developing real-world benchmark datasets.

Details

Metrics

1 Record Views
Logo image