UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats

Xueyuan Han, Thomas Pasquier, Adam Bates, James Mickens, and Margo Seltzer.
27th ISOC Network and Distributed System Security Symposium (NDSS'20).
San Diego, CA, USA. February 23, 2020.
(acceptance rate=17.4%)
Available Media


Advanced Persistent Threats (APTs) are difficult to detect due to their “low-and-slow” attack patterns and frequent use of zero-day exploits. We present UNICORN, an anomaly-based APT detector that effectively leverages data provenance analysis. From modeling to detection, UNICORN tailors its design specifically for the unique characteristics of APTs. Through extensive yet time-efficient graph analysis, UNICORN explores provenance graphs that provide rich contextual and historical information to identify stealthy anomalous activities without pre-defined attack signatures. Using a graph sketching technique, it summarizes long-running system execution with space efficiency to combat slow-acting attacks that take place over a long time span. UNICORN further improves its detection capability using a novel modeling approach to understand long-term behavior as the system evolves. Our evaluation shows that UNICORN outperforms an existing state-of-the-art APT detection system and detects real- life APT scenarios with high accuracy.