Building a provenance-based IDS and the questions we ask ourselves

Abstract

Provenance is the representation of a system execution as a directed acyclic graph. A whole-system provenance graph, representing the execution of an entire system from initialization to shutdown, can comprise millions of graph elements. It is believed that such graphs can help build better intrusion detection systems. We have attempted to build full-stack intrusion detection systems, from kernel capture up to data analysis. In the spirit of a constructive workshop, in this talk I will present those attempts, discussing our design decisions and the questions that we need to answer.
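To make the two ideas in the abstract concrete (a provenance graph as a DAG, and a detector that queries it), the following is an added illustrative example in Python. It is not the speaker's system or code: it builds a versioned provenance graph from a constructed trace of kernel-level events and runs a backward query asking whether data read from a sensitive file ever reached a network socket. The event format, the node names, the versioning scheme and the detection rule are all assumptions made for illustration.

```python
"""Toy whole-system provenance graph with a backward-flow detection query.

Illustrative only: not the capture format or analysis of any real system.
"""
from collections import defaultdict

# Constructed trace (not real capture output): (relation, subject, object).
EVENTS = [
    ("fork",  "process:bash", "process:curl"),
    ("read",  "process:sshd", "file:/etc/ssh/sshd_config"),
    ("read",  "process:bash", "file:/etc/shadow"),        # sensitive read
    ("write", "process:bash", "file:/tmp/out"),
    ("read",  "process:curl", "file:/tmp/out"),
    ("write", "process:curl", "socket:203.0.113.5:443"),  # leaves the host
    ("write", "process:sshd", "file:/var/log/auth.log"),
]


class ProvenanceGraph:
    """Versioned provenance DAG.

    Every state change creates a new version of the affected entity, and the
    new version's edges point back to the versions it was derived from. Since
    edges only ever point to older versions, the graph is acyclic by
    construction; version 0 of a name stands for its pre-existing state.
    """

    def __init__(self):
        self.version = defaultdict(int)   # name -> latest version number
        self.parents = defaultdict(set)   # (name, ver) -> derived-from set

    def current(self, name):
        return (name, self.version[name])

    def _new_version(self, name, inputs):
        prev = self.current(name)
        self.version[name] += 1
        node = self.current(name)
        self.parents[node].add(prev)       # derived from its previous state
        self.parents[node].update(inputs)  # plus whatever flowed into it
        return node

    def record(self, relation, subject, obj):
        """Translate one event into a new versioned node and its edges."""
        if relation == "read":    # object's content flows into the subject
            self._new_version(subject, {self.current(obj)})
        elif relation in ("write", "fork"):  # subject's state flows into object
            self._new_version(obj, {self.current(subject)})
        else:
            raise ValueError(f"unknown relation {relation!r}")

    def ancestors(self, node):
        """All versions that node transitively derives from (backward query)."""
        seen, stack = set(), [node]
        while stack:
            for p in self.parents.get(stack.pop(), ()):
                if p not in seen:
                    seen.add(p)
                    stack.append(p)
        return seen

    def size(self):
        """(node count, edge count); whole-system graphs run to millions."""
        nodes = set(self.parents)
        edges = 0
        for ps in self.parents.values():
            nodes |= ps
            edges += len(ps)
        return len(nodes), edges


def build_graph(events):
    g = ProvenanceGraph()
    for relation, subject, obj in events:
        g.record(relation, subject, obj)
    return g


def detect_exfiltration(graph, sensitive="file:/etc/shadow"):
    """Assumed rule: flag every socket version whose provenance contains any
    version of the sensitive file, i.e. its content may have left the host."""
    alerts = []
    for node in sorted(graph.parents):
        if node[0].startswith("socket:"):
            if any(name == sensitive for name, _ in graph.ancestors(node)):
                alerts.append(node)
    return alerts


if __name__ == "__main__":
    g = build_graph(EVENTS)
    print("graph size (nodes, edges):", g.size())
    print("alerts:", detect_exfiltration(g))
```

The query walks backward from each socket through process and file versions, so the indirect path shadow -> bash -> /tmp/out -> curl -> socket is found even though curl never touched the sensitive file itself; sshd's activity, which shares no ancestry with it, is not flagged.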

Date
Nov 11, 2019 9:45 AM
Location
The Alan Turing Institute, London
Thomas Pasquier
Lecturer (Assistant Professor) in Computer Science
