A baseline for unsupervised advanced persistent threat detection in system-level provenance
Future Generation Computer Systems (IF 6.2), Pub Date: 2020-03-02, DOI: 10.1016/j.future.2020.02.015
Ghita Berrada, James Cheney, Sidahmed Benabderrahmane, William Maxwell, Himan Mookherjee, Alec Theriault, Ryan Wright

Advanced persistent threats (APTs) are stealthy, sophisticated, and unpredictable cyberattacks that can steal intellectual property, damage critical infrastructure, or cause millions of dollars in damage. Detecting APTs by monitoring system-level activity is difficult because manually inspecting the high volume of normal system activity is overwhelming for security analysts. We evaluate the effectiveness of unsupervised batch and streaming anomaly detection algorithms over multiple gigabytes of provenance traces recorded on four different operating systems to determine whether they can detect realistic APT-like attacks reliably and efficiently. This article is the first detailed study of the effectiveness of generic unsupervised anomaly detection techniques in this setting.

Chinese translation:

A baseline for unsupervised advanced persistent threat detection in system-level provenance

Advanced persistent threats (APTs) are stealthy, complex and unpredictable cyberattacks that can steal intellectual property, damage critical infrastructure or cause millions of dollars in losses. Detecting APTs by monitoring system-level activity is difficult because manually inspecting the large volume of normal system activity is very hard for security analysts. We evaluated the effectiveness of unsupervised batch and streaming anomaly detection algorithms over multiple gigabytes of provenance traces recorded on four different operating systems, to determine whether they can reliably and efficiently detect realistic APT-like attacks. This paper is the first detailed study of the effectiveness of generic unsupervised anomaly detection techniques in this setting.

Updated: 2020-03-02