Attack structure matters: Causality-preserving metrics for Provenance-based Intrusion Detection Systems

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2025-07-23 DOI:10.1016/j.cose.2025.104578

Manuel Suarez-Roman, Juan Tapiador

{"title":"Attack structure matters: Causality-preserving metrics for Provenance-based Intrusion Detection Systems","authors":"Manuel Suarez-Roman, Juan Tapiador","doi":"10.1016/j.cose.2025.104578","DOIUrl":null,"url":null,"abstract":"<div><div>Provenance-based Intrusion Detection Systems (PIDS) detect attacks and reconstruct attack scenarios by analyzing provenance graphs. These graphs, constructed from events captured by system logs and security sensors, model the causal relationships between operations performed by system entities. In PIDS research, evaluations typically rely on standard metrics such as precision and recall, computed at the graph level. To assess the accuracy of reconstructed attack graphs, researchers often use proxy metrics at the node level, as computing similarity between provenance graphs remains an open problem. In this paper, we address this problem by introducing SDTED (Structure and Depth Preserving Tree Edit Distance), a variant of the recently proposed Generalized Weisfeiler–Lehman Graph Kernel, adapted to capture the distinctive properties of provenance graphs. Using a dataset of attack scenarios from the DARPA Engagements program, we show that SDTED accurately measures similarity between provenance graphs in cases where node-level metrics yield suboptimal results. Moreover, SDTED is capable of detecting changes in causal relationships between provenance graphs, an essential property for robust evaluation of PIDS proposals. We open source our implementation of SDTED to support reproducibility and encourage adoption within the research community.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104578"},"PeriodicalIF":5.4000,"publicationDate":"2025-07-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825002676","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Provenance-based Intrusion Detection Systems (PIDS) detect attacks and reconstruct attack scenarios by analyzing provenance graphs. These graphs, constructed from events captured by system logs and security sensors, model the causal relationships between operations performed by system entities. In PIDS research, evaluations typically rely on standard metrics such as precision and recall, computed at the graph level. To assess the accuracy of reconstructed attack graphs, researchers often use proxy metrics at the node level, as computing similarity between provenance graphs remains an open problem. In this paper, we address this problem by introducing SDTED (Structure and Depth Preserving Tree Edit Distance), a variant of the recently proposed Generalized Weisfeiler–Lehman Graph Kernel, adapted to capture the distinctive properties of provenance graphs. Using a dataset of attack scenarios from the DARPA Engagements program, we show that SDTED accurately measures similarity between provenance graphs in cases where node-level metrics yield suboptimal results. Moreover, SDTED is capable of detecting changes in causal relationships between provenance graphs, an essential property for robust evaluation of PIDS proposals. We open source our implementation of SDTED to support reproducibility and encourage adoption within the research community.

查看原文本刊更多论文

攻击结构问题：基于来源的入侵检测系统的因果关系保持度量

基于源的入侵检测系统（ids）通过分析源图来检测攻击并重构攻击场景。这些图由系统日志和安全传感器捕获的事件构造而成，对系统实体执行的操作之间的因果关系进行建模。在pid研究中，评估通常依赖于在图级别计算的精度和召回率等标准指标。为了评估重建攻击图的准确性，研究人员通常在节点级别使用代理度量，因为计算来源图之间的相似性仍然是一个开放的问题。在本文中，我们通过引入SDTED（结构和深度保持树编辑距离）来解决这个问题，SDTED是最近提出的广义Weisfeiler-Lehman图核的一种变体，用于捕获源图的独特属性。使用来自DARPA交战计划的攻击场景数据集，我们表明，在节点级度量产生次优结果的情况下，SDTED准确地测量了来源图之间的相似性。此外，SDTED能够检测来源图之间因果关系的变化，这是对PIDS提案进行稳健评估的基本属性。我们开源了SDTED的实现，以支持可重复性并鼓励在研究社区内采用。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.