A Conceptual Framework for Automated Rule Generation in Provenance-based Intrusion Detection Systems

Traditional Intrusion Detection Systems (IDS) are struggling to keep up with the increase in sophisticated cyber-attacks such as Advanced Persistent Threats (APT) over the past years. Provenance-based Intrusion Detection Systems (PIDS) utilize data provenance concepts to enable fine-grained event correlation, and the results show increased detection accuracy and reduced false-alarm rates compared to traditional IDS. Especially, rule-based approaches for the PIDS have demonstrated high detection accuracy, low false alarm, and fast detection time. However, rules are manually created by security experts, which is time-consuming and doesn't ensure high-quality rule standards. To address this issue, we propose an automated rule generation framework to generate robust rules to describe malicious files automatically. As a result, high-quality rules can be used in PIDS to identify similar attacks and other affected systems promptly.