ORTHRUS: Achieving High Quality of Attribution in Provenance-based Intrusion Detection Systems

Baoxiang Jiang

34th USENIX Security Symposium (USENIX Security '25) · Day 3 · Network Security 4: Internet and Beyond

**System provenance** has become a key technique for advanced intrusion detection. This talk, presented by Baoxiang Jiang from Shan University, introduces ORTHRUS, a system designed to raise the attribution quality of provenance-based intrusion detection systems (PIDS). PIDS record system interactions (processes, files, sockets and the relations between them) as dynamic provenance graphs and flag anomalous behaviour in those graphs as a sign of attack. Current anomaly-based PIDS, however, rarely turn such a detection into precise, actionable intelligence: an alert that names a large set of loosely related anomalous nodes, or an entire time window, still leaves the analyst to reconstruct what actually happened.
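To make the two steps concrete, the following added example (not ORTHRUS's code, and not from the talk or its authors) builds a small provenance graph from constructed audit events, scores each node for anomalous behaviour, and then attributes the alert to a connected subgraph rather than reporting anomalous nodes in isolation. The event data, the node naming scheme (`proc:`, `file:`, `sock:` prefixes) and the Laplace-smoothed per-subject frequency model are all assumptions chosen for illustration; the graph neural network and clustering used by ORTHRUS itself are not reproduced here.

```python
"""Toy provenance-graph anomaly detection with attack-subgraph attribution.

Added illustration for this page; it is not ORTHRUS's code, and its events,
node names and scoring rule are constructed assumptions. It shows the two
steps the abstract describes: scoring nodes of a provenance graph for
anomalous behaviour, then attributing the alert to a connected subgraph.
"""
import math
from collections import Counter, defaultdict

# Constructed audit events, not real logs: (subject, relation, object).
# Node ids carry their type as a prefix: proc:, file:, sock:.
BENIGN_EVENTS = 5 * [
    ("proc:sshd", "fork", "proc:bash"),
    ("proc:sshd", "read", "file:/etc/ssh/sshd_config"),
    ("proc:bash", "exec", "proc:ls"),
    ("proc:ls", "read", "file:/home/alice"),
    ("proc:bash", "exec", "proc:vim"),
    ("proc:vim", "write", "file:/home/alice/notes.txt"),
    ("proc:bash", "exec", "proc:curl"),
    ("proc:curl", "connect", "sock:10.0.0.7:443"),
    ("proc:curl", "write", "file:/home/alice/report.pdf"),
]

# Test window: routine activity plus a constructed download-and-persist chain.
TEST_EVENTS = [
    ("proc:sshd", "fork", "proc:bash"),
    ("proc:bash", "exec", "proc:ls"),
    ("proc:ls", "read", "file:/home/alice"),
    ("proc:bash", "exec", "proc:curl"),
    ("proc:curl", "connect", "sock:203.0.113.9:8080"),
    ("proc:curl", "write", "file:/tmp/x.sh"),
    ("proc:bash", "exec", "proc:sh"),
    ("proc:sh", "read", "file:/tmp/x.sh"),
    ("proc:sh", "write", "file:/etc/cron.d/job"),
]


class EdgeModel:
    """Per-subject frequency model: P(relation, object | subject), Laplace-smoothed."""

    def __init__(self, events, alpha=1.0):
        self.alpha = alpha
        self.edge_count = Counter(events)
        self.subject_count = Counter(s for s, _, _ in events)
        # One extra slot stands in for any (relation, object) pair never seen.
        self.vocab = len({(r, o) for _, r, o in events}) + 1
        # Highest surprisal the model assigns to its own benign training data;
        # anything strictly above it is treated as anomalous.
        self.threshold = max(self.surprisal(e) for e in set(events))

    def surprisal(self, event):
        subject = event[0]
        p = (self.edge_count[event] + self.alpha) / (
            self.subject_count[subject] + self.alpha * self.vocab)
        return -math.log(p)

    def is_anomalous(self, event):
        return self.surprisal(event) > self.threshold


def score_nodes(model, events):
    """Node score = total surprisal of the edges the node takes part in."""
    scores = defaultdict(float)
    for ev in events:
        s = model.surprisal(ev)
        scores[ev[0]] += s
        scores[ev[2]] += s
    return dict(scores)


def attribute(model, events):
    """Start at the highest-scoring node touched by an anomalous edge and
    collect the component reachable over anomalous edges (either direction).
    Returns (node set, anomalous edges inside that component)."""
    anomalous = [ev for ev in events if model.is_anomalous(ev)]
    if not anomalous:
        return set(), []
    adj = defaultdict(set)
    for s, _, o in anomalous:
        adj[s].add(o)
        adj[o].add(s)
    scores = score_nodes(model, events)
    seed = max(adj, key=scores.__getitem__)
    component, frontier = {seed}, [seed]
    while frontier:
        node = frontier.pop()
        for nxt in adj[node] - component:
            component.add(nxt)
            frontier.append(nxt)
    edges = [ev for ev in anomalous if ev[0] in component and ev[2] in component]
    return component, edges


if __name__ == "__main__":
    model = EdgeModel(BENIGN_EVENTS)
    nodes, edges = attribute(model, TEST_EVENTS)
    print("attack subgraph nodes:", sorted(nodes))
    for ev in edges:
        print("  %s -%s-> %s" % ev)
```

On the constructed data the benign repeats in the test window (sshd forking bash, bash running ls) stay below the threshold learned from the training window, while the curl download, the new `sh` process and its cron write are each flagged. The attribution step then returns the six nodes of that chain and nothing else; `bash` is included only because it executed `sh`, and `sshd`, `ls` and the home directory are left out even though they sit one hop away. That separation between "which nodes are anomalous" and "which connected subgraph explains the alert" is the attribution problem the abstract refers to.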

AI review

Legitimate academic research on a real problem — attribution quality and false positive rates in provenance-based IDS are genuine pain points that make graph-based detection systems hard to operationalize. The technical contributions (attention-based GNN encoder-decoder, C-means clustering for anomaly refinement, proper ground truth curation) are coherent and address a real methodological flaw in how prior PIDS work gets evaluated. Not groundbreaking, but honest work.
