Article

Pagoda: A Hybrid Approach to Enable Efficient Real-Time Provenance Based Intrusion Detection in Big Data Environments

Journal

IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING
Volume 17, Issue 6, Pages 1283-1296

Publisher

IEEE COMPUTER SOC
DOI: 10.1109/TDSC.2018.2867595

Keywords

Intrusion detection; Databases; Noise measurement; Big Data; Real-time systems; Aggregates; Provenance; intrusion detection; big data; real-time

Funding

  1. National Science Foundation of China [U1705261, 61821003]
  2. Wuhan Application Basic Research Program [2017010201010104]
  3. Hubei Natural Science and Technology Foundation [2017CFB304]

Efficient intrusion detection and analysis of the security landscape in big data environments present a challenge for today's users. Intrusion behavior can be described by provenance graphs that record the dependency relationships between intrusion processes and the infected files. Existing intrusion detection methods typically analyze and identify the anomaly either in a single provenance path or in the whole provenance graph, and neither approach achieves both high detection accuracy and low detection time. We propose Pagoda, a hybrid approach that takes into account the anomaly degree of both a single provenance path and the whole provenance graph. It can identify an intrusion quickly if a serious compromise has been found on one path, and can further improve the detection rate by considering the behavior representation in the whole provenance graph. Pagoda uses a persistent memory database to store provenance and aggregates multiple similar items into one provenance record to reduce unnecessary I/O during the detection analysis as much as possible. In addition, it encodes duplicate items in the rule database and filters noise that does not contain intrusion information. The experimental results on a wide variety of real-world applications demonstrate its performance and efficiency.
