Motivation and Challenges

Advanced attacks such as APTs plague even the most protected companies with significant financial losses. To counter these attacks, approaches based on ubiquitous system monitoring have emerged as an important means of actively searching for possible anomalies and then quickly triaging the potentially significant risky events. System monitoring observes system calls at the kernel level to collect information about system activities. The data collected by system monitoring facilitates the detection of abnormal system behaviors.

To support the detection of multiple types of anomalies using system monitoring data, three challenges need to be addressed:

  • Fighting these attacks is a time-critical mission. As such, we need a real-time anomaly detection tool that can find the "needle in a haystack" in order to prevent additional damage and to support system recovery.

  • Models derived from data have been increasingly used to detect various types of risky events. A key problem is how to provide a real-time tool that detects anomalies while also incorporating expert knowledge.

  • System monitoring produces a huge volume of logs every day. This requires efficient real-time data analytics over large-scale provenance data.
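The kind of real-time detection over provenance data that these challenges call for, shown as an added illustration rather than code from the paper or its system: it consumes constructed, simplified kernel-level system-call records, keeps a short per-process window of provenance edges so memory stays bounded on a large stream, and applies one expert-supplied rule (a sensitive-file read followed by a network connection). The record format, the rule, the file list and the window length are all assumptions made for this example.

```python
from collections import defaultdict, deque

# Constructed sample of simplified system-call records (assumption: this is not
# the format used by the paper's monitoring system). Fields: timestamp (s),
# pid, syscall, object touched. Addresses are from documentation ranges.
SAMPLE_EVENTS = [
    (1.0, 101, "execve",  "/usr/bin/bash"),
    (1.5, 101, "read",    "/etc/shadow"),
    (2.0, 101, "connect", "203.0.113.7:443"),
    (3.0, 202, "execve",  "/usr/bin/vim"),
    (3.2, 202, "read",    "/home/alice/notes.txt"),
    (3.5, 202, "connect", "203.0.113.9:22"),
]

# Expert knowledge encoded as data: files whose contents should not be read
# by a process that then talks to the network (assumed list).
SENSITIVE_FILES = {"/etc/shadow", "/etc/passwd"}
WINDOW_SECONDS = 5.0


class ProvenanceMonitor:
    """Streaming detector: per-process provenance edges kept only for a
    sliding time window, checked against an expert rule on every event."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.edges = defaultdict(deque)  # pid -> deque of (ts, syscall, obj)
        self.alerts = []                 # (pid, sensitive file, destination)

    def _expire(self, pid, now):
        # Drop edges older than the window so state stays bounded per process.
        q = self.edges[pid]
        while q and now - q[0][0] > self.window:
            q.popleft()

    def feed(self, ts, pid, syscall, obj):
        self._expire(pid, ts)
        self.edges[pid].append((ts, syscall, obj))
        # Rule: sensitive-file read followed by a network connect in-window.
        if syscall == "connect":
            for _, sc, o in self.edges[pid]:
                if sc == "read" and o in SENSITIVE_FILES:
                    self.alerts.append((pid, o, obj))
                    break
        return self.alerts


def run(events=SAMPLE_EVENTS):
    mon = ProvenanceMonitor()
    for ev in events:
        mon.feed(*ev)
    return mon.alerts
```

Only pid 101 is flagged: pid 202 reads a non-sensitive file, and a read that falls outside the window is never correlated with a later connect.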