Provenance Graphing for Adversarial Modeling and Detection

Summary

Endpoint, network, and extended detection and response systems examine system events and trigger alerts as unexpected behaviors are observed. State-of-the-art systems employ customizable rule sets that look for behaviors described in well-established attack taxonomies like the MITRE ATT&CK framework, but don't always examine the surrounding context of events enough to differentiate between explainable events (noise) and adversarial actions. Provenance graphing provides an approach to organizing system events in causal and temporal chains which can facilitate analysis and enable more effective forensic investigation. Provenance graphing can be combined with machine learning to improve adversarial detection, especially in complex multi-stage or multi-node attack campaigns.