Benign Activity Extraction for Dependency Reduction in Data Provenance-Based Attack Analysis
摘要
In order to effectively identify malicious activities in computer systems, Data Provenance-based analysis has been proposed to automatically correlate and visualize dependencies between events. However, a significant challenge known as “dependency explosion” arises when numerous benign activities are included in the generated graph, making it difficult to isolate attack-related activities. This paper proposes a novel method to address dependency explosion by extracting and removing patterns of frequently occurring benign activities using natural language processing and similarity-based analysis of log data. Unlike previous approaches that either exclude individual benign events or focus on extracting malicious activities, our method identifies benign activity patterns at an activity level without requiring frequent retraining. Experiments using the DARPA Transparent Computing Dataset demonstrate that approximately 6.8% to 39% of activities within a computer system can be defined as patterned benign activities. Additionally, our approach can reduce the dependency graph by up to 52.3% while introducing no false negatives. Furthermore, benign activities extracted from a small portion of log data (approximately 1.4% to 3.2%) effectively reduced the search space in large datasets, demonstrating the efficiency and adaptability of the proposed method.