Building a provenance-based IDS and the questions we ask ourselves


Provenance is the representation of a system execution as a directed acyclic graph. Whole-system provenance graph, representing the execution of an entire system from initialization to shut down, can be comprised of millions of graph elements. It is believed that the use of such graphs can help build better intrusion detection systems. We have attempted to build full stack intrusion detection systems from kernel capture up to the data analysis. In the spirit of a constructive workshop, in this talk, I will present those attempts discussing our design decisions and the questions that we need to answer.

Nov 11, 2019 9:45 AM
The Alan Turing Institute, London
Thomas Pasquier
Thomas Pasquier
Assistant Professor

My research interests include provenance, operating systems, distributed systems and intrusion detection.