As cyber-attacks become increasingly sophisticated and stealthy, it becomes more imperative and challenging to detect intrusion from normal behaviors. Through fine-grained causality analysis, provenance-based intrusion detection systems (PIDS) demonstrated a promising capacity to distinguish benign and malicious behaviors, attracting widespread attention from both industry and academia. Among diverse approaches, rule-based PIDS stands out due to its lightweight overhead, real-time capabilities, and explainability. However, existing rule-based systems suffer low detection accuracy, especially the high false alarms, due to the lack of fine-grained rules and environment-specific configurations. In this paper, we propose CAPTAIN, a rule-based PIDS capable of automatically adapting to diverse environments. Specifically, we propose three adaptive parameters to adjust the detection configuration with respect to nodes, edges, and alarm generation thresholds. We build a differentiable tag propagation framework and utilize the gradient descent algorithm to optimize these adaptive parameters based on the training data. We evaluate our system based on data from DARPA Engagement and simulated environments. The evaluation results demonstrate that CAPTAIN offers better detection accuracy, less detection latency, lower runtime overhead, and more interpretable detection alarms and knowledge compared to the SOTA PIDS.

翻译：随着网络攻击日益复杂化和隐蔽化，从正常行为中检测入侵变得愈发关键且富有挑战性。通过细粒度因果分析，基于溯源的入侵检测系统（PIDS）在区分良性行为和恶意行为方面展现出巨大潜力，引起了工业界和学术界的广泛关注。在众多方法中，基于规则的PIDS因其轻量级开销、实时性和可解释性而脱颖而出。然而，现有基于规则的系统由于缺乏细粒度的规则和特定环境的配置，检测准确率较低，尤其是误报率较高。本文提出CAPTAIN，一种能够自动适应多种环境的基于规则的PIDS。具体而言，我们提出了三个自适应参数，用于调整节点、边及报警生成阈值的检测配置。我们构建了一个可微的标签传播框架，并利用梯度下降算法基于训练数据优化这些自适应参数。我们基于DARPA Engagement项目数据和模拟环境数据对系统进行评估。评估结果表明，与最先进的PIDS相比，CAPTAIN提供了更高的检测准确率、更低的检测延迟、更小的运行时开销，以及更具可解释性的检测报警和知识。