English

Resource-Interaction Graph: Efficient Graph Representation for Anomaly Detection

Cryptography and Security 2022-12-19 v1 Systems and Control Systems and Control

Abstract

Security research has concentrated on converting operating system audit logs into suitable graphs, such as provenance graphs, for analysis. However, provenance graphs can grow very large requiring significant computational resources beyond what is necessary for many security tasks and are not feasible for resource constrained environments, such as edge devices. To address this problem, we present the \textit{resource-interaction graph} that is built directly from the audit log. We show that the resource-interaction graph's storage requirements are significantly lower than provenance graphs using an open-source data set with two container escape attacks captured from an edge device. We use a graph autoencoder and graph clustering technique to evaluate the representation for an anomaly detection task. Both approaches are unsupervised and are thus suitable for detecting zero-day attacks. The approaches can achieve f1 scores typically over 80\% and in some cases over 90\% for the selected data set and attacks.

Keywords

Cite

@article{arxiv.2212.08525,
  title  = {Resource-Interaction Graph: Efficient Graph Representation for Anomaly Detection},
  author = {James Pope and Jinyuan Liang and Vijay Kumar and Francesco Raimondo and Xinyi Sun and Ryan McConville and Thomas Pasquier and Rob Piechocki and George Oikonomou and Bo Luo and Dan Howarth and Ioannis Mavromatis and Adrian Sanchez Mompo and Pietro Carnelli and Theodoros Spyridopoulos and Aftab Khan},
  journal= {arXiv preprint arXiv:2212.08525},
  year   = {2022}
}

Comments

15 pages, 11 figures, 6 tables, for dataset see https://github.com/jpope8/container-escape-dataset, for code see https://github.com/jpope8/container-escape-analysis

R2 v1 2026-06-28T07:39:06.878Z