Resource-Interaction Graph: Efficient Graph Representation for Anomaly Detection
Abstract
Security research has concentrated on converting operating system audit logs into suitable graphs, such as provenance graphs, for analysis. However, provenance graphs can grow very large requiring significant computational resources beyond what is necessary for many security tasks and are not feasible for resource constrained environments, such as edge devices. To address this problem, we present the \textit{resource-interaction graph} that is built directly from the audit log. We show that the resource-interaction graph's storage requirements are significantly lower than provenance graphs using an open-source data set with two container escape attacks captured from an edge device. We use a graph autoencoder and graph clustering technique to evaluate the representation for an anomaly detection task. Both approaches are unsupervised and are thus suitable for detecting zero-day attacks. The approaches can achieve f1 scores typically over 80\% and in some cases over 90\% for the selected data set and attacks.
Cite
@article{arxiv.2212.08525,
title = {Resource-Interaction Graph: Efficient Graph Representation for Anomaly Detection},
author = {James Pope and Jinyuan Liang and Vijay Kumar and Francesco Raimondo and Xinyi Sun and Ryan McConville and Thomas Pasquier and Rob Piechocki and George Oikonomou and Bo Luo and Dan Howarth and Ioannis Mavromatis and Adrian Sanchez Mompo and Pietro Carnelli and Theodoros Spyridopoulos and Aftab Khan},
journal= {arXiv preprint arXiv:2212.08525},
year = {2022}
}
Comments
15 pages, 11 figures, 6 tables, for dataset see https://github.com/jpope8/container-escape-dataset, for code see https://github.com/jpope8/container-escape-analysis