Abstract

Malicious intrusions are now both routine and increasingly diverse. Attackers often evade detection by changing the execution order of programs or by adding many confusing operations. Because existing methods cannot accurately detect such abnormal variant sequences, we propose PSSID, an intrusion detection method based on provenance sequence similarity. First, system data is transformed into a provenance graph, and each path in the provenance graph is treated as a provenance sequence. Then each provenance sequence is compared with the sequences in the rule database to find the maximum common sequence length. Finally, a similarity value for the two sequences is derived from the distribution of sequence lengths and used to judge whether the provenance sequence is abnormal.
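The pipeline in the abstract can be sketched as follows; this is an added example, not the authors' code. It assumes the "maximum common sequence" is the longest common subsequence, that a path is tokenized as `operation:node-kind`, and that similarity is the matched length divided by the rule length with a 0.8 threshold (the abstract does not give the paper's formula); the graph and rule are constructed sample data.

```python
from typing import Dict, List, Tuple

Edge = Tuple[str, str, str]  # (source node, operation, destination node)

def provenance_sequences(edges: List[Edge]) -> List[List[str]]:
    """Return every root-to-leaf path as 'operation:node-kind' tokens (assumed format)."""
    adj: Dict[str, List[Tuple[str, str]]] = {}
    for src, op, dst in edges:
        adj.setdefault(src, []).append((op, dst))
    has_parent = {dst for _, _, dst in edges}
    paths: List[List[str]] = []

    def walk(node: str, tokens: List[str], seen: frozenset) -> None:
        nxt = [(op, d) for op, d in adj.get(node, []) if d not in seen]  # skip cycles
        if not nxt and tokens:
            paths.append(tokens)
        for op, d in nxt:
            walk(d, tokens + [f"{op}:{d.split(':', 1)[0]}"], seen | {d})

    for root in sorted(set(adj) - has_parent):
        walk(root, [], frozenset({root}))
    return paths

def lcs_length(a: List[str], b: List[str]) -> int:
    """Longest common subsequence length, one DP row at a time."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[-1]))
        prev = cur
    return prev[-1]

def similarity(seq: List[str], rule: List[str]) -> float:
    # Assumed scoring: fraction of the rule recovered, in order, from the path.
    return lcs_length(seq, rule) / len(rule)

def detect(edges: List[Edge], rule: List[str], threshold: float = 0.8):
    scored = [(s, similarity(s, rule)) for s in provenance_sequences(edges)]
    return [(s, score) for s, score in scored if score >= threshold]

# Constructed rule and graph: the first chain pads the rule with a copy step.
RULE = ["recv:proc", "write:file", "exec:proc", "connect:sock"]
EDGES = [
    ("sock:203.0.113.7", "recv", "proc:curl"), ("proc:curl", "write", "file:/tmp/a"),
    ("file:/tmp/a", "read", "proc:cp"), ("proc:cp", "write", "file:/tmp/b"),
    ("file:/tmp/b", "exec", "proc:b"), ("proc:b", "connect", "sock:203.0.113.9"),
    ("file:/etc/app.conf", "read", "proc:app"), ("proc:app", "write", "file:/var/log/app.log"),
]
```

The padded chain never equals the rule token for token, yet it still scores 1.0 because all four rule steps survive in order; the unrelated configuration-to-log path scores 0.25 and is not flagged.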
