Pagoda: A Hybrid Approach to Enable Efficient Real-time Provenance Based Intrusion Detection in Big Data Environments
IEEE Transactions on Dependable and Secure Computing (IF 7.0), Pub Date: 2020-11-01, DOI: 10.1109/tdsc.2018.2867595
Yulai Xie (1), Dan Feng (1), Yuchong Hu (1), Yan Li (2), Staunton Sample (3), Darrell Long (3)

Efficient intrusion detection and analysis of the security landscape in big data environments present a challenge for today's users. Intrusion behavior can be described by provenance graphs that record the dependency relationships between intrusion processes and the infected files. Existing intrusion detection methods typically analyze and identify the anomaly either in a single provenance path or in the whole provenance graph, and neither choice delivers both high detection accuracy and short detection time. We propose Pagoda, a hybrid approach that takes into account the anomaly degree of both a single provenance path and the whole provenance graph. It can identify an intrusion quickly when a serious compromise is found on one path, and it can further improve the detection rate by considering the behavior representation in the whole provenance graph. Pagoda uses a persistent memory database to store provenance and aggregates multiple similar items into one provenance record to minimize unnecessary I/O during the detection analysis. In addition, it encodes duplicate items in the rule database and filters noise that does not contain intrusion information. Experimental results on a wide variety of real-world applications demonstrate its performance and efficiency.
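As an added illustration of the hybrid decision the abstract describes, the following is not the paper's code: the edge-anomaly formula, the thresholds, the benign rule database and the three event streams are all assumed for this example. It scores each root-to-leaf provenance path first (fast alert on one badly compromised path), then falls back to a count-weighted score over the whole graph of aggregated provenance records.

```python
from collections import Counter, defaultdict

# Constructed rule database: (subject, relation, object) dependency edges seen in
# benign runs, with how often each was seen. All values are hypothetical.
BENIGN_RULES = Counter({("sshd", "exec", "bash"): 30, ("bash", "exec", "tar"): 40,
                        ("tar", "read", "/home/u/data.csv"): 40,
                        ("tar", "write", "/home/u/data.tar"): 40})
def aggregate(events):
    """Collapse repeated identical provenance events into one record with a count."""
    return Counter(events)
def edge_anomaly(edge, rules):
    """1.0 for an edge never seen in benign runs, shrinking as it gets more common."""
    return 1.0 / (1 + rules.get(edge, 0))
def all_paths(edges):
    """Yield every root-to-leaf path (a list of edges) through the provenance graph."""
    out = defaultdict(list)
    for edge in edges:
        out[edge[0]].append(edge)
    roots = {s for s, _, _ in edges} - {d for _, _, d in edges}
    def walk(node, path, seen):
        extended = False
        for edge in out.get(node, []):
            if edge[2] not in seen:  # skip cycles such as read-after-write
                extended = True
                yield from walk(edge[2], path + [edge], seen | {edge[2]})
        if not extended and path:
            yield path

    for root in sorted(roots):
        yield from walk(root, [], {root})
def detect(events, rules, path_threshold=0.7, graph_threshold=0.3):
    """Hybrid decision: alert on the first path whose mean edge anomaly is high,
    else score the whole graph, weighting each aggregated record by its count."""
    edges = aggregate(events)
    for path in all_paths(edges):
        score = sum(edge_anomaly(e, rules) for e in path) / len(path)
        if score >= path_threshold:
            return ("path", round(score, 3), path)
    graph_score = sum(n * edge_anomaly(e, rules) for e, n in edges.items()) / sum(edges.values())
    verdict = "graph" if graph_score >= graph_threshold else "benign"
    return (verdict, round(graph_score, 3), None)

# Constructed event streams for three runs (not taken from the paper).
DOWNLOAD_AND_EXEC = [("sshd", "exec", "bash"), ("bash", "exec", "curl"),
                     ("curl", "write", "/tmp/x"), ("bash", "exec", "/tmp/x"),
                     ("/tmp/x", "read", "/etc/shadow")]
SCATTERED_READS = [("sshd", "exec", "bash"), ("bash", "read", "/etc/passwd"),
                   ("bash", "read", "/etc/group"), ("bash", "read", "/root/.bash_history")]
BENIGN_BACKUP = [("sshd", "exec", "bash")] + 3 * [("bash", "exec", "tar"),
                 ("tar", "read", "/home/u/data.csv"), ("tar", "write", "/home/u/data.tar")]
```

The first stream trips the path check on a single chain of unseen edges, the second stays below the path threshold on every path but is caught by the whole-graph score, and the third aggregates the repeated tar records into counts and stays benign.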

Updated: 2020-11-01