Document Open Access Logo

Tidal: Tackling Concept Drift in Provenance-Based Advanced Persistent Threats Detection

Authors Yajie Zhou , Nengneng Yu , Tuo Zhao , Zaoxing Liu

PDF

File

Thumbnail PDF
PDF
OASIcs.NINeS.2026.1.pdf
  • Filesize: 4.89 MB
  • 28 pages

Document Identifiers

Subject Classification

ACM Subject Classification
  • Security and privacy
Keywords
  • Advanced Persistent Threat (APT)
  • Provenance-based Intrusion Detection (PIDS)
  • Concept Drift
  • Transfer Learning
  • Machine Learning for Security

Metrics

Abstract

Advanced Persistent Threats (APTs) pose significant challenges to cybersecurity due to their evolving nature and ability to evade detection. This paper introduces Tidal, a novel provenance-based intrusion detection system (PIDS) that is specifically designed to address concept drift in APT detection. Tidal designs a modified Transformer architecture tailored for transfer learning, including a Multi-head Transformer (MHT) with shared layers for learning common knowledge and task-specific head layers for learning unique patterns. The system uses a pre-training and fine-tuning workflow to achieve high post-drift adaptation and pre-drift retention accuracy. Additionally, Tidal customizes its data embedding for detection on flexible audit log lengths and computes entity relevance scores alongside classified attacks to aid in attack investigation. We evaluate Tidal by simulating concept drift scenarios with real-world datasets. Results demonstrate that compared to state-of-the-art detection systems, Tidal achieves an average of 27% higher recall and 31% higher precision with only half of new training data for post-drift adaptation accuracy.

Cite As Get BibTex

Yajie Zhou, Nengneng Yu, Tuo Zhao, and Zaoxing Liu. Tidal: Tackling Concept Drift in Provenance-Based Advanced Persistent Threats Detection. In 1st New Ideas in Networked Systems (NINeS 2026). Open Access Series in Informatics (OASIcs), Volume 139, pp. 1:1-1:28, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2026) https://doi.org/10.4230/OASIcs.NINeS.2026.1

Author Details

Yajie Zhou
  • University of Maryland, College Park, MD, USA
Nengneng Yu
  • University of Maryland, College Park, MD, USA
Tuo Zhao
  • Georgia Institute of Technology, Atlanta, GA, USA
Zaoxing Liu
  • University of Maryland, College Park, MD, USA

Acknowledgements

We thank all the anonymous reviewers for their constructive feedback and valuable suggestions, which greatly improved the quality of this paper. This work was supported in part by the U.S. NSF grants SaTC-2415754, CNS-2415758, and CNS-2431093. We extend our special thanks to our shepherd for the thoughtful guidance throughout the revision process. We are grateful to Chao Zhang, Simiao Zuo, Yue Yu for their early feedback, which helped shape the first idea of this work.

References

  1. Sihat Afnan, Mushtari Sadia, Shahrear Iqbal, and Anindya Iqbal. Logshield: A transformer-based apt detection system leveraging self-attention. arXiv preprint arXiv:2311.05733, 2023. URL: https://doi.org/10.48550/arXiv.2311.05733.
  2. Adil Ahmad, Sangho Lee, and Marcus Peinado. Hardlog: Practical tamper-proof system auditing using a novel audit device. In 2022 IEEE Symposium on Security and Privacy (SP), pages 1791-1807. IEEE, 2022. URL: https://doi.org/10.1109/SP46214.2022.9833745.
  3. Khandakar Ashrafi Akbar, Yigong Wang, Md Shihabul Islam, Anoop Singhal, Latifur Khan, and Bhavani Thuraisingham. Identifying tactics of advanced persistent threats with limited attack traces. In Information Systems Security: 17th International Conference, ICISS 2021, Patna, India, December 16-20, 2021, Proceedings 17, pages 3-25. Springer, 2021. URL: https://doi.org/10.1007/978-3-030-92571-0_1.
  4. Abdulellah Alsaheel, Yuhong Nan, Shiqing Ma, Le Yu, Gregory Walkup, Z Berkay Celik, Xiangyu Zhang, and Dongyan Xu. Atlas open-sourced code. https://github.com/purseclab/ATLAS .
  5. Abdulellah Alsaheel, Yuhong Nan, Shiqing Ma, Le Yu, Gregory Walkup, Z Berkay Celik, Xiangyu Zhang, and Dongyan Xu. ATLAS: A sequence-based learning approach for attack investigation. In 30th USENIX Security Symposium (USENIX Security 21), pages 3005-3022, 2021. URL: https://www.usenix.org/conference/usenixsecurity21/presentation/alsaheel.
  6. Adam Bates, Dave Jing Tian, Kevin RB Butler, and Thomas Moyer. Trustworthy Whole-System provenance for the linux kernel. In 24th USENIX Security Symposium (USENIX Security 15), pages 319-334, 2015. Google Scholar
  7. Adrien Bibal, Rémi Cardon, David Alfter, Rodrigo Wilkens, Xiaoou Wang, Thomas François, and Patrick Watrin. Is attention explanation? an introduction to the debate. In Proceedings of the 60th Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), pages 3889-3900, 2022. URL: https://doi.org/10.18653/V1/2022.ACL-LONG.269.
  8. Zijun Cheng, Qiujian Lv, Jinyuan Liang, Yan Wang, Degang Sun, Thomas Pasquier, and Xueyuan Han. Kairos open-sourced code. URL: https://github.com/ProvenanceAnalytics/kairos/tree/main.
  9. Zijun Cheng, Qiujian Lv, Jinyuan Liang, Yan Wang, Degang Sun, Thomas Pasquier, and Xueyuan Han. Kairos: practical intrusion detection and investigation using whole-system provenance. In 2024 IEEE Symposium on Security and Privacy (SP), pages 3533-3551. IEEE, 2024. URL: https://doi.org/10.1109/SP54263.2024.00005.
  10. Kyunghyun Cho, Bart Van Merriënboer, Caglar Gulcehre, Dzmitry Bahdanau, Fethi Bougares, Holger Schwenk, and Yoshua Bengio. Learning phrase representations using rnn encoder-decoder for statistical machine translation. arXiv preprint arXiv:1406.1078, 2014. Google Scholar
  11. Kevin Clark, Urvashi Khandelwal, Omer Levy, and Christopher D Manning. What does bert look at? an analysis of bert’s attention. arXiv preprint arXiv:1906.04341, 2019. URL: https://arxiv.org/abs/1906.04341.
  12. DARPA transparent computing e3. URL: https://github.com/darpa-i2o/Transparent-Computing/blob/master/README-E3.md.
  13. DARPA transparent computing e5. URL: https://github.com/darpa-i2o/Transparent-Computing.
  14. Operationally transparent cyber (OpTC) data release. URL: https://github.com/FiveDirections/OpTC-data.
  15. DARPA transparent computing program. URL: https://www.darpa.mil/program/transparent-computing.
  16. Feng Dong, Liu Wang, Xu Nie, Fei Shao, Haoyu Wang, Ding Li, Xiapu Luo, and Xusheng Xiao. Distdet: A cost-effective distributed cyber threat detection system. USENIX Security Symposium, 2023. Google Scholar
  17. Min Du, Feifei Li, Guineng Zheng, and Vivek Srikumar. Deeplog: Anomaly detection and diagnosis from system logs through deep learning. In Proceedings of the 2017 ACM SIGSAC conference on computer and communications security, pages 1285-1298, 2017. URL: https://doi.org/10.1145/3133956.3134015.
  18. João Gama, Indrė Žliobaitė, Albert Bifet, Mykola Pechenizkiy, and Abdelhamid Bouchachia. A survey on concept drift adaptation. ACM computing surveys (CSUR), 46(4):1-37, 2014. URL: https://doi.org/10.1145/2523813.
  19. Akul Goyal, Xueyuan Han, Gang Wang, and Adam Bates. Sometimes, you aren’t what you do: Mimicry attacks against provenance graph host intrusion detection systems. In 30th Network and Distributed System Security Symposium, 2023. Google Scholar
  20. Haixuan Guo, Shuhan Yuan, and Xintao Wu. Logbert: Log anomaly detection via bert. In 2021 International Joint Conference on Neural Networks (IJCNN), pages 1-8. IEEE, 2021. URL: https://doi.org/10.1109/IJCNN52387.2021.9534113.
  21. Kai Han, Yunhe Wang, Hanting Chen, Xinghao Chen, Jianyuan Guo, Zhenhua Liu, Yehui Tang, An Xiao, Chunjing Xu, Yixing Xu, et al. A survey on vision transformer. IEEE transactions on pattern analysis and machine intelligence, 45(1):87-110, 2022. URL: https://doi.org/10.1109/TPAMI.2022.3152247.
  22. Xueyuan Han, James Mickens, Ashish Gehani, Margo Seltzer, and Thomas Pasquier. Xanthus: Push-button orchestration of host provenance data collection. In Proceedings of the 3rd International Workshop on Practical Reproducible Evaluation of Computer Systems, pages 27-32, 2020. URL: https://doi.org/10.1145/3391800.3398175.
  23. Xueyuan Han, Thomas Pasquier, Adam Bates, James Mickens, and Margo Seltzer. Unicorn: Runtime provenance-based detector for advanced persistent threats. arXiv preprint arXiv:2001.01525, 2020. URL: https://arxiv.org/abs/2001.01525.
  24. Xueyuan Han, Thomas Pasquier, Tanvi Ranjan, Mark Goldstein, and Margo Seltzer. FRAPpuccino: Fault-detection through runtime analysis of provenance. In 9th USENIX Workshop on Hot Topics in Cloud Computing (HotCloud 17), 2017. Google Scholar
  25. Wajih Ul Hassan, Shengjian Guo, Ding Li, Zhengzhang Chen, Kangkook Jee, Zhichun Li, and Adam Bates. Nodoze: Combatting threat alert fatigue with automated provenance triage. In network and distributed systems security symposium, 2019. Google Scholar
  26. Md Nahid Hossain, Sanaz Sheikhi, and R Sekar. Combating dependence explosion in forensic analysis using alternative tag propagation semantics. In 2020 IEEE Symposium on Security and Privacy (SP), pages 1139-1155. IEEE, 2020. URL: https://doi.org/10.1109/SP40000.2020.00064.
  27. Muhammad Adil Inam, Yinfang Chen, Akul Goyal, Jason Liu, Jaron Mink, Noor Michael, Sneha Gaur, Adam Bates, and Wajih Ul Hassan. Sok: History is a vast early warning system: Auditing the provenance of system intrusions. In 2023 IEEE Symposium on Security and Privacy (SP), pages 2620-2638. IEEE, 2023. URL: https://doi.org/10.1109/SP46215.2023.10179405.
  28. Roberto Jordaney, Kumar Sharad, Santanu K Dash, Zhi Wang, Davide Papini, Ilia Nouretdinov, and Lorenzo Cavallaro. Transcend: Detecting concept drift in malware classification models. In 26th USENIX security symposium (USENIX security 17), pages 625-642, 2017. Google Scholar
  29. Ronald Kemker, Marc McClure, Angelina Abitino, Tyler Hayes, and Christopher Kanan. Measuring catastrophic forgetting in neural networks. In Proceedings of the AAAI Conference on Artificial Intelligence, volume 32, 2018. Google Scholar
  30. Ansam Khraisat, Iqbal Gondal, Peter Vamplew, and Joarder Kamruzzaman. Survey of intrusion detection systems: techniques, datasets and challenges. Cybersecurity, 2(1):1-22, 2019. Google Scholar
  31. Diego Klabjan and Xiaofeng Zhu. Neural network retraining for model serving. arXiv preprint arXiv:2004.14203, 2020. URL: https://arxiv.org/abs/2004.14203.
  32. Aapo Kyrola, Guy Blelloch, and Carlos Guestrin. Graphchi: Large-scale graph computation on just a PC. In Presented as part of the 10th USENIX Symposium on Operating Systems Design and Implementation (OSDI 12), pages 31-46, 2012. URL: https://www.usenix.org/conference/osdi12/technical-sessions/presentation/kyrola.
  33. Shaofei Li, Feng Dong, Xusheng Xiao, Haoyu Wang, Fei Shao, Jiedong Chen, Yao Guo, Xiangqun Chen, and Ding Li. Nodlink: An online system for fine-grained apt attack detection and investigation. arXiv preprint arXiv:2311.02331, 2023. URL: https://doi.org/10.48550/arXiv.2311.02331.
  34. Fucheng Liu, Yu Wen, Dongxue Zhang, Xihe Jiang, Xinyu Xing, and Dan Meng. Log2vec: A heterogeneous graph embedding based approach for detecting cyber threats within enterprise. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pages 1777-1794, 2019. URL: https://doi.org/10.1145/3319535.3363224.
  35. Yushan Liu, Mu Zhang, Ding Li, Kangkook Jee, Zhichun Li, Zhenyu Wu, Junghwan Rhee, and Prateek Mittal. Towards a timely causality analysis for enterprise security. In NDSS, 2018. Google Scholar
  36. Jie Lu, Anjin Liu, Fan Dong, Feng Gu, Joao Gama, and Guangquan Zhang. Learning under concept drift: A review. IEEE transactions on knowledge and data engineering, 31(12):2346-2363, 2018. URL: https://doi.org/10.1109/TKDE.2018.2876857.
  37. Long Ma and Yanqing Zhang. Using word2vec to process big text data. In 2015 IEEE International Conference on Big Data (Big Data), pages 2895-2897. IEEE, 2015. URL: https://doi.org/10.1109/BIGDATA.2015.7364114.
  38. Shiqing Ma, Kyu Hyung Lee, Chung Hwan Kim, Junghwan Rhee, Xiangyu Zhang, and Dongyan Xu. Accurate, low cost and instrumentation-free security audit logging for windows. In Proceedings of the 31st Annual Computer Security Applications Conference, pages 401-410, 2015. URL: https://doi.org/10.1145/2818000.2818039.
  39. Shiqing Ma, Juan Zhai, Yonghwi Kwon, Kyu Hyung Lee, Xiangyu Zhang, Gabriela Ciocarlie, Ashish Gehani, Vinod Yegneswaran, Dongyan Xu, and Somesh Jha. Kernel-SupportedCost-Effective audit logging for causality tracking. In 2018 USENIX Annual Technical Conference (USENIX ATC 18), pages 241-254, 2018. URL: https://www.usenix.org/conference/atc18/presentation/ma-shiqing.
  40. Shiqing Ma, Xiangyu Zhang, and Dongyan Xu. Protracer: Towards practical provenance tracing by alternating between logging and tainting. In 23rd Annual Network And Distributed System Security Symposium (NDSS 2016). Internet Soc, 2016. Google Scholar
  41. Mandiant. How many alerts is too many to handle? https://services.google.com/fh/files/misc/apt42-crooked-charms-cons-and-compromises.pdf, 2022. Google Scholar
  42. Emaad Manzoor, Sadegh M Milajerdi, and Leman Akoglu. Fast memory-efficient anomaly detection in streaming heterogeneous graphs. In Proceedings of the 22nd ACM SIGKDD international conference on knowledge discovery and data mining, pages 1035-1044, 2016. URL: https://doi.org/10.1145/2939672.2939783.
  43. Weibin Meng, Ying Liu, Yichen Zhu, Shenglin Zhang, Dan Pei, Yuqing Liu, Yihao Chen, Ruizhi Zhang, Shimin Tao, Pei Sun, et al. Loganomaly: Unsupervised detection of sequential and quantitative anomalies in unstructured logs. In IJCAI, volume 19, pages 4739-4745, 2019. Google Scholar
  44. Kunal Mukherjee, Joshua Wiedemeier, Tianhao Wang, James Wei, Feng Chen, Muhyun Kim, Murat Kantarcioglu, and Kangkook Jee. Evading Provenance-BasedML detectors with adversarial system actions. In 32nd USENIX Security Symposium (USENIX Security 23), pages 1199-1216, 2023. URL: https://www.usenix.org/conference/usenixsecurity23/presentation/mukherjee.
  45. Annamalai Narayanan, Mahinthan Chandramohan, Rajasekar Venkatesan, Lihui Chen, Yang Liu, and Shantanu Jaiswal. graph2vec: Learning distributed representations of graphs. arXiv preprint arXiv:1707.05005, 2017. URL: https://arxiv.org/abs/1707.05005.
  46. Riccardo Paccagnella, Pubali Datta, Wajih Ul Hassan, Adam Bates, Christopher Fletcher, Andrew Miller, and Dave Tian. Custos: Practical tamper-evident auditing of operating systems using trusted execution. In Network and distributed system security symposium, 2020. Google Scholar
  47. Riccardo Paccagnella, Kevin Liao, Dave Tian, and Adam Bates. Logging to the danger zone: Race condition attacks and defenses on system audit frameworks. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, pages 1551-1574, 2020. URL: https://doi.org/10.1145/3372297.3417862.
  48. Thomas Pasquier, Xueyuan Han, Mark Goldstein, Thomas Moyer, David Eyers, Margo Seltzer, and Jean Bacon. Practical whole-system provenance capture. In Proceedings of the 2017 Symposium on Cloud Computing, pages 405-418, 2017. URL: https://doi.org/10.1145/3127479.3129249.
  49. Mati Ur Rehman, Hadi Ahmadi, and Wajih Ul Hassan. Flash open-sourced code. URL: https://github.com/DART-Laboratory/Flash-IDS.
  50. Mati Ur Rehman, Hadi Ahmadi, and Wajih Ul Hassan. Flash: A comprehensive approach to intrusion detection via provenance graph representation learning. In 2024 IEEE Symposium on Security and Privacy (SP), pages 139-139. IEEE Computer Society, 2024. Google Scholar
  51. Xinying Song, Alex Salcianu, Yang Song, Dave Dopson, and Denny Zhou. Fast wordpiece tokenization. arXiv preprint arXiv:2012.15524, 2020. Google Scholar
  52. Ashish Vaswani, Noam Shazeer, Niki Parmar, Jakob Uszkoreit, Llion Jones, Aidan N Gomez, Łukasz Kaiser, and Illia Polosukhin. Attention is all you need. Advances in neural information processing systems, 30, 2017. Google Scholar
  53. Nan Wang, Xuezhi Wen, Dalin Zhang, Xibin Zhao, Jiahui Ma, Mengxia Luo, Sen Nie, Shi Wu, and Jiqiang Liu. Tbdetector: Transformer-based detector for advanced persistent threats with provenance graph. arXiv preprint arXiv:2304.02838, 2023. URL: https://doi.org/10.48550/arXiv.2304.02838.
  54. Pingfan Wang, Nanlin Jin, Duncan Davies, and Wai Lok Woo. Model-centric transfer learning framework for concept drift detection. Knowledge-Based Systems, 275:110705, 2023. URL: https://doi.org/10.1016/J.KNOSYS.2023.110705.
  55. Su Wang, Zhiliang Wang, Tao Zhou, Hongbin Sun, Xia Yin, Dongqi Han, Han Zhang, Xingang Shi, and Jiahai Yang. Threatrace: Detecting and tracing host-based threats in node level through provenance graph learning. IEEE Transactions on Information Forensics and Security, 17:3972-3987, 2022. URL: https://doi.org/10.1109/TIFS.2022.3208815.
  56. Zhiwei Wang, Zhengzhang Chen, Jingchao Ni, Hui Liu, Haifeng Chen, and Jiliang Tang. Multi-scale one-class recurrent neural networks for discrete event sequence anomaly detection. In Proceedings of the 27th ACM SIGKDD Conference on Knowledge Discovery & Data Mining, pages 3726-3734, 2021. URL: https://doi.org/10.1145/3447548.3467125.
  57. Geoffrey I Webb, Roy Hyde, Hong Cao, Hai Long Nguyen, and Francois Petitjean. Characterizing concept drift. Data Mining and Knowledge Discovery, 30(4):964-994, 2016. URL: https://doi.org/10.1007/S10618-015-0448-4.
  58. Qingsong Wen, Tian Zhou, Chaoli Zhang, Weiqi Chen, Ziqing Ma, Junchi Yan, and Liang Sun. Transformers in time series: A survey. arXiv preprint arXiv:2202.07125, 2022. URL: https://arxiv.org/abs/2202.07125.
  59. Zhengxu Xia, Yajie Zhou, Francis Y Yan, and Junchen Jiang. Genet: Automatic curriculum generation for learning adaptation in networking. In Proceedings of the ACM SIGCOMM 2022 Conference, pages 397-413, 2022. URL: https://doi.org/10.1145/3544216.3544243.
  60. Peng Xu, Xiatian Zhu, and David A Clifton. Multimodal learning with transformers: A survey. IEEE Transactions on Pattern Analysis and Machine Intelligence, 45(10):12113-12132, 2023. URL: https://doi.org/10.1109/TPAMI.2023.3275156.
  61. Francis Y Yan, Hudson Ayers, Chenzhi Zhu, Sadjad Fouladi, James Hong, Keyi Zhang, Philip Levis, and Keith Winstein. Learning in situ: a randomized experiment in video streaming. In 17th USENIX Symposium on Networked Systems Design and Implementation (NSDI 20), pages 495-511, 2020. Google Scholar
  62. Francis Y Yan, Jestin Ma, Greg D Hill, Deepti Raghavan, Riad S Wahby, Philip Levis, and Keith Winstein. Pantheon: the training ground for internet congestion-control research. In 2018 USENIX Annual Technical Conference (USENIX ATC 18), pages 731-743, 2018. Google Scholar
  63. Fan Yang, Jiacen Xu, Chunlin Xiong, Zhou Li, and Kehuan Zhang. PROGRAPHER: An anomaly detection system based on provenance graph embedding. In 32nd USENIX Security Symposium (USENIX Security 23), pages 4355-4372, 2023. URL: https://www.usenix.org/conference/usenixsecurity23/presentation/yang-fan.
  64. Jun Zengy, Xiang Wang, Jiahao Liu, Yinfang Chen, Zhenkai Liang, Tat-Seng Chua, and Zheng Leong Chua. Shadewatcher: Recommendation-guided cyber threat analysis using system audit records. In 2022 IEEE Symposium on Security and Privacy (SP), pages 489-506. IEEE, 2022. URL: https://doi.org/10.1109/SP46214.2022.9833669.
Any Issues?
X

Feedback on the Current Page

CAPTCHA

Thanks for your feedback!

Feedback submitted to Dagstuhl Publishing

Could not send message

Please try again later or send an E-mail
© 2023-2025 Schloss Dagstuhl – LZI GmbH About DROPS Imprint Privacy Contact