English

ANUBIS: A Provenance Graph-Based Framework for Advanced Persistent Threat Detection

Cryptography and Security 2021-12-22 v1 Machine Learning

Abstract

We present ANUBIS, a highly effective machine learning-based APT detection system. Our design philosophy for ANUBIS involves two principal components. Firstly, we intend ANUBIS to be effectively utilized by cyber-response teams. Therefore, prediction explainability is one of the main focuses of ANUBIS design. Secondly, ANUBIS uses system provenance graphs to capture causality and thereby achieve high detection performance. At the core of the predictive capability of ANUBIS, there is a Bayesian Neural Network that can tell how confident it is in its predictions. We evaluate ANUBIS against a recent APT dataset (DARPA OpTC) and show that ANUBIS can detect malicious activity akin to APT campaigns with high accuracy. Moreover, ANUBIS learns about high-level patterns that allow it to explain its predictions to threat analysts. The high predictive performance with explainable attack story reconstruction makes ANUBIS an effective tool to use for enterprise cyber defense.

Keywords

Cite

@article{arxiv.2112.11032,
  title  = {ANUBIS: A Provenance Graph-Based Framework for Advanced Persistent Threat Detection},
  author = {Md. Monowar Anjum and Shahrear Iqbal and Benoit Hamelin},
  journal= {arXiv preprint arXiv:2112.11032},
  year   = {2021}
}

Comments

Accepted for publication in the 37th ACM SIGAPP Symposium on Applied Computing (SAC 2022)

R2 v1 2026-06-24T08:25:47.208Z