As cyberattacks targeting edge devices become increasingly sophisticated, detecting intrusion behaviors becomes increasingly difficult, demanding effective intrusion detection systems (IDS) tailored for resource-constrained environments. Existing provenance-based IDSs show a promising ability to detect benign and attack behaviors, but require a lot of computing resources to build provenance graphs, which is not conducive to edge deployment. To address this gap, we propose a semantic-aware provenance-based IDS, which constructs provenance graphs and prioritizes security-critical events using semantic roles. Through structural and semantic analysis on the DARPA Engagement 3 (CADETS) dataset, we show that role-annotated subgraphs exhibit measurable divergence b etween benign and attack activities, with certain roles (e.g., binary-execution) appearing over 3 \(\times \) more frequently in attack traces, demonstrating the feasibility of semantic priors for lightweight intrusion detection.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Semantic-Aware Provenance-Based Intrusion Detection for Edge Systems

  • Qingyu Zeng,
  • Songxuan Liu,
  • Yu Wu,
  • Yuko Hara

摘要

As cyberattacks targeting edge devices become increasingly sophisticated, detecting intrusion behaviors becomes increasingly difficult, demanding effective intrusion detection systems (IDS) tailored for resource-constrained environments. Existing provenance-based IDSs show a promising ability to detect benign and attack behaviors, but require a lot of computing resources to build provenance graphs, which is not conducive to edge deployment. To address this gap, we propose a semantic-aware provenance-based IDS, which constructs provenance graphs and prioritizes security-critical events using semantic roles. Through structural and semantic analysis on the DARPA Engagement 3 (CADETS) dataset, we show that role-annotated subgraphs exhibit measurable divergence b etween benign and attack activities, with certain roles (e.g., binary-execution) appearing over 3 \(\times \) more frequently in attack traces, demonstrating the feasibility of semantic priors for lightweight intrusion detection.