Resource-Interaction Graph: Efficient Graph Representation for Anomaly Detection
Authors:
James Pope,
Jinyuan Liang,
Vijay Kumar,
Francesco Raimondo,
Xinyi Sun,
Ryan McConville,
Thomas Pasquier,
Rob Piechocki,
George Oikonomou,
Bo Luo,
Dan Howarth,
Ioannis Mavromatis,
Adrian Sanchez Mompo,
Pietro Carnelli,
Theodoros Spyridopoulos,
Aftab Khan
Abstract:
Security research has concentrated on converting operating system audit logs into suitable graphs, such as provenance graphs, for analysis. However, provenance graphs can grow very large requiring significant computational resources beyond what is necessary for many security tasks and are not feasible for resource constrained environments, such as edge devices. To address this problem, we present…
▽ More
Security research has concentrated on converting operating system audit logs into suitable graphs, such as provenance graphs, for analysis. However, provenance graphs can grow very large requiring significant computational resources beyond what is necessary for many security tasks and are not feasible for resource constrained environments, such as edge devices. To address this problem, we present the \textit{resource-interaction graph} that is built directly from the audit log. We show that the resource-interaction graph's storage requirements are significantly lower than provenance graphs using an open-source data set with two container escape attacks captured from an edge device. We use a graph autoencoder and graph clustering technique to evaluate the representation for an anomaly detection task. Both approaches are unsupervised and are thus suitable for detecting zero-day attacks. The approaches can achieve f1 scores typically over 80\% and in some cases over 90\% for the selected data set and attacks.
△ Less
Submitted 16 December, 2022;
originally announced December 2022.
