Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

EagleEye: Attention to Unveil Malicious Event Sequences from Provenance Graphs

Philipp Gysel, Candid Wüest, Kenneth Nwafor, Otakar Jašek, Andrey Ustyuzhanin, Dinil Mon Divakaran

TL;DR

EagleEye tackles scalable, interpretable malware detection on endpoints by modeling long attacker behavior sequences in provenance graphs. It combines graph enrichment with security features and command-line embeddings, processing data into 200-event windows fed to a lightweight encoder-only Transformer. The approach yields state-of-the-art detection on REE-2023 and DARPA-5D, with AUCs around $99.5$-$99.7\%$ and low false-positive rates, while providing attention-based explanations of suspicious events. The work emphasizes practical deployment with modest resource needs and contributes code and a new malware dataset for the community.

Abstract

Securing endpoints is challenging due to the evolving nature of threats and attacks. With endpoint logging systems becoming mature, provenance-graph representations enable the creation of sophisticated behavior rules. However, adapting to the pace of emerging attacks is not scalable with rules. This led to the development of ML models capable of learning from endpoint logs. However, there are still open challenges: i) malicious patterns of malware are spread across long sequences of events, and ii) ML classification results are not interpretable. To address these issues, we develop and present EagleEye, a novel system that i) uses rich features from provenance graphs for behavior event representation, including command-line embeddings, ii) extracts long sequences of events and learns event embeddings, and iii) trains a lightweight Transformer model to classify behavior sequences as malicious or not. We evaluate and compare EagleEye against state-of-the-art baselines on two datasets, namely a new real-world dataset from a corporate environment, and the public DARPA dataset. On the DARPA dataset, at a false-positive rate of 1%, EagleEye detects $\approx$89% of all malicious behavior, outperforming two state-of-the-art solutions by an absolute margin of 38.5%. Furthermore, we show that the Transformer's attention mechanism can be leveraged to highlight the most suspicious events in a long sequence, thereby providing interpretation of malware alerts.

EagleEye: Attention to Unveil Malicious Event Sequences from Provenance Graphs

TL;DR

EagleEye tackles scalable, interpretable malware detection on endpoints by modeling long attacker behavior sequences in provenance graphs. It combines graph enrichment with security features and command-line embeddings, processing data into 200-event windows fed to a lightweight encoder-only Transformer. The approach yields state-of-the-art detection on REE-2023 and DARPA-5D, with AUCs around - and low false-positive rates, while providing attention-based explanations of suspicious events. The work emphasizes practical deployment with modest resource needs and contributes code and a new malware dataset for the community.

Abstract

Securing endpoints is challenging due to the evolving nature of threats and attacks. With endpoint logging systems becoming mature, provenance-graph representations enable the creation of sophisticated behavior rules. However, adapting to the pace of emerging attacks is not scalable with rules. This led to the development of ML models capable of learning from endpoint logs. However, there are still open challenges: i) malicious patterns of malware are spread across long sequences of events, and ii) ML classification results are not interpretable. To address these issues, we develop and present EagleEye, a novel system that i) uses rich features from provenance graphs for behavior event representation, including command-line embeddings, ii) extracts long sequences of events and learns event embeddings, and iii) trains a lightweight Transformer model to classify behavior sequences as malicious or not. We evaluate and compare EagleEye against state-of-the-art baselines on two datasets, namely a new real-world dataset from a corporate environment, and the public DARPA dataset. On the DARPA dataset, at a false-positive rate of 1%, EagleEye detects 89% of all malicious behavior, outperforming two state-of-the-art solutions by an absolute margin of 38.5%. Furthermore, we show that the Transformer's attention mechanism can be leveraged to highlight the most suspicious events in a long sequence, thereby providing interpretation of malware alerts.
Paper Structure (35 sections, 13 figures, 10 tables)

This paper contains 35 sections, 13 figures, 10 tables.

Table of Contents

  1. Introduction
  2. Importance of feature-rich provenance graphs
  3. Threat model
  4. EagleEye: Architecture and model
  5. Transformer for learning behavior events
  6. Embedding behavior events
  7. Transformer architecture
  8. EagleEye: Behavior modeling
  9. Overview of data processing pipeline
  10. Convert a system log to provenance graphs
  11. Graph enrichment with security features
  12. Command-line embedding
  13. Convert graphs into windows
  14. Implementation of EagleEye
  15. Performance evaluation
  16. ...and 20 more sections

Figures (13)

  • Figure 1: Provenance graph of Raccoon Infostealer malware
  • Figure 2: Provenance graph of a Chrome instance
  • Figure 3: System architecture of EagleEye
  • Figure 4: Token embedding: NLP tasks vs. EagleEye
  • Figure 5: Transformer architecture of EagleEye
  • ...and 8 more figures