-
Incorporating Gradients to Rules: Towards Lightweight, Adaptive Provenance-based Intrusion Detection
Authors:
Lingzhi Wang,
Xiangmin Shen,
Weijian Li,
Zhenyuan Li,
R. Sekar,
Han Liu,
Yan Chen
Abstract:
As cyber attacks grow increasingly sophisticated and stealthy, it becomes more imperative and challenging to distinguish intrusions from normal behavior. Through fine-grained causality analysis, provenance-based intrusion detection systems (PIDS) have demonstrated a promising capacity to distinguish benign and malicious behaviors, attracting widespread attention from both industry and academia. Among diverse approaches, rule-based PIDS stand out due to their lightweight overhead, real-time capabilities, and explainability. However, existing rule-based systems suffer from low detection accuracy, especially high false alarm rates, due to the lack of fine-grained rules and environment-specific configurations. In this paper, we propose CAPTAIN, a rule-based PIDS capable of automatically adapting to diverse environments. Specifically, we propose three adaptive parameters to adjust the detection configuration with respect to nodes, edges, and alarm generation thresholds. We build a differentiable tag propagation framework and use gradient descent to optimize these adaptive parameters based on the training data. We evaluate our system using data from DARPA Engagements and simulated environments. The evaluation results demonstrate that CAPTAIN enhances rule-based PIDS with learning capabilities, resulting in improved detection accuracy, reduced detection latency, lower runtime overhead, and more interpretable detection procedures and results compared to the state-of-the-art (SOTA) PIDS.
Submitted 19 September, 2024; v1 submitted 22 April, 2024;
originally announced April 2024.
-
Product age based demand forecast model for fashion retail
Authors:
Rajesh Kumar Vashishtha,
Vibhati Burman,
Rajan Kumar,
Srividhya Sethuraman,
Abhinaya R Sekar,
Sharadha Ramanan
Abstract:
Fashion retailers require accurate demand forecasts for the next season, almost a year in advance, for demand management and supply chain planning purposes. Accurate forecasts are important to ensure retailers' profitability and to reduce the environmental damage caused by disposal of unsold inventory. Forecasting is challenging because most products are new in a season and have short life cycles, huge sales variations and long lead times. In this paper, we present a novel product-age-based forecast model, where product age refers to the number of weeks since launch, and show that it outperforms existing models. We demonstrate the robust performance of the approach through a real-world use case of a multinational fashion retailer with over 300 stores, 35k items and around 40 categories. The main contributions of this work include unique and significant feature engineering for product attribute values, accurate demand forecasts 6-12 months in advance, and extending our approach to recommend product launch times for the next season. We use our fashion assortment optimization model to produce the list and quantity of items to be listed in a store for the next season that maximizes total revenue and satisfies business constraints. We found a revenue uplift of 41% from our framework in comparison to the retailer's plan. We also compare our forecast results with the current methods and show that our approach outperforms existing models. Our framework leads to better ordering, inventory planning, assortment planning and an overall increase in profit for the retailer's supply chain.
Submitted 10 July, 2020;
originally announced July 2020.
-
Planning to Explore via Self-Supervised World Models
Authors:
Ramanan Sekar,
Oleh Rybkin,
Kostas Daniilidis,
Pieter Abbeel,
Danijar Hafner,
Deepak Pathak
Abstract:
Reinforcement learning allows solving complex tasks; however, the learning tends to be task-specific and sample efficiency remains a challenge. We present Plan2Explore, a self-supervised reinforcement learning agent that tackles both of these challenges through a new approach to self-supervised exploration and fast adaptation to new tasks, which need not be known during exploration. During exploration, unlike prior methods that retrospectively compute the novelty of observations after the agent has already reached them, our agent acts efficiently by leveraging planning to seek out expected future novelty. After exploration, the agent quickly adapts to multiple downstream tasks in a zero-shot or few-shot manner. We evaluate on challenging control tasks from high-dimensional image inputs. Without any training supervision or task-specific interaction, Plan2Explore outperforms prior self-supervised exploration methods and, in fact, almost matches the performance of an oracle that has access to rewards. Videos and code at https://ramanans1.github.io/plan2explore/
Submitted 30 June, 2020; v1 submitted 12 May, 2020;
originally announced May 2020.
-
HOLMES: Real-time APT Detection through Correlation of Suspicious Information Flows
Authors:
Sadegh M. Milajerdi,
Rigel Gjomemo,
Birhanu Eshete,
R. Sekar,
V. N. Venkatakrishnan
Abstract:
In this paper, we present HOLMES, a system that implements a new approach to the detection of Advanced Persistent Threats (APTs). HOLMES is inspired by several case studies of real-world APTs that highlight some common goals of APT actors. In a nutshell, HOLMES aims to produce a detection signal that indicates the presence of a coordinated set of activities that are part of an APT campaign. One of the main challenges addressed by our approach involves developing a suite of techniques that make the detection signal robust and reliable. At a high level, the techniques we develop effectively leverage the correlation between suspicious information flows that arise during an attacker campaign. In addition to its detection capability, HOLMES is also able to generate a high-level graph that summarizes the attacker's actions in real time. This graph can be used by an analyst for an effective cyber response. An evaluation of our approach against some real-world APTs indicates that HOLMES can detect APT campaigns with high precision and a low false alarm rate. The compact high-level graphs produced by HOLMES effectively summarize an ongoing attack campaign and can assist real-time cyber-response operations.
Submitted 17 January, 2019; v1 submitted 3 October, 2018;
originally announced October 2018.
-
SLEUTH: Real-time Attack Scenario Reconstruction from COTS Audit Data
Authors:
Md Nahid Hossain,
Sadegh M Milajerdi,
Junao Wang,
Birhanu Eshete,
Rigel Gjomemo,
R Sekar,
Scott Stoller,
VN Venkatakrishnan
Abstract:
We present an approach and system for real-time reconstruction of attack scenarios on an enterprise host. To meet the scalability and real-time needs of the problem, we develop a platform-neutral, main-memory-based dependency graph abstraction of audit-log data. We then present efficient, tag-based techniques for attack detection and reconstruction, including source identification and impact analysis. We also develop methods to reveal the big picture of attacks by constructing compact, visual graphs of attack steps. Our system participated in a red team evaluation organized by DARPA and was able to successfully detect and reconstruct the details of the red team's attacks on hosts running Windows, FreeBSD and Linux.
Submitted 6 January, 2018;
originally announced January 2018.
-
Attack Analysis Results for Adversarial Engagement 1 of the DARPA Transparent Computing Program
Authors:
Birhanu Eshete,
Rigel Gjomemo,
Md Nahid Hossain,
Sadegh Momeni,
R. Sekar,
Scott Stoller,
V. N. Venkatakrishnan,
Junao Wang
Abstract:
This report presents attack analysis results of the first adversarial engagement event stream for the first engagement of the DARPA TC program conducted in October 2016. The analysis was performed by Stony Brook University and University of Illinois at Chicago. The findings in this report are obtained without prior knowledge of the attacks conducted.
Submitted 21 October, 2016;
originally announced October 2016.