UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats

Slide 1: Title Slide (1 minute)

"Good [morning/afternoon], everyone. Thank you for joining me today.

I’m here to present UNICORN: Runtime Provenance-Based Detector for Advanced
Persistent Threats, a novel system that tackles one of the most challenging cyber threats of our
time.

This work was conducted by researchers Xueyuan Han, Thomas Pasquier, Adam Bates, James
Mickens, and Margo Seltzer and was presented at the NDSS 2020 conference. In this
presentation, I will walk you through the challenges posed by Advanced Persistent Threats—or
APTs—and explain how UNICORN leverages innovative techniques to detect and counter these
attacks effectively."

Slide 2: Introduction to APTs (4 minutes)

"Let’s begin by understanding what Advanced Persistent Threats, or APTs, are.

APTs are stealthy, long-term cyberattacks often carried out by highly skilled groups, including
nation-state actors. These groups target critical infrastructures, organizations, or governments,
aiming to steal data, perform espionage, or disrupt operations.

What sets APTs apart from traditional attacks is their 'low-and-slow' approach. Instead of
acting quickly and noticeably, they operate over weeks, months, or even years, making minimal
changes to avoid detection. Additionally, they often exploit zero-day vulnerabilities—unknown
security flaws—making them nearly impossible to stop with signature-based systems.

Traditional detection systems face several challenges:

1. Signature-based methods: These rely on known attack patterns, so they can’t detect
zero-day exploits or new types of attacks.
2. Short-term anomaly detection systems: These tools analyze short bursts of system
activity and are ineffective at identifying the prolonged, subtle behavior of APTs.
This brings us to UNICORN, which uses a groundbreaking approach called provenance-based
anomaly detection. By analyzing the entire historical context of a system’s activities,
UNICORN can uncover subtle anomalies that indicate an APT, even in its early stages."

Slide 3: Problem Statement (3 minutes)

"Now let’s dive deeper into the problem.

The primary challenge in detecting APTs lies in their stealth and prolonged nature. These attacks
operate in such a way that they blend into the normal behavior of a system.
There are three main challenges:

1. Signature-based systems are blind to zero-day exploits because these attacks leave no
predefined patterns to match against.
2. Short-term anomaly detectors only analyze brief windows of system behavior and miss
the slow, evolving patterns of APTs.
3. APTs often mimic normal system operations, making them difficult to distinguish from
legitimate activity.
Conventional systems, therefore, struggle to identify these long-term, subtle attack patterns. The
objective of UNICORN is to overcome these limitations by focusing on whole-system, long-term
behavior analysis."

Slide 4: Importance (4 minutes)

"Let’s talk about why detecting APTs is so critical.

APTs often target high-value assets, such as government networks, financial institutions, and
healthcare systems. Their potential for harm is enormous:

• Financial loss: Organizations lose millions through stolen data or disrupted operations.
• Operational impact: APTs can cause downtime for critical services.
• Reputational damage: Once a breach is revealed, trust in an organization or even a
nation is compromised.
Some well-known examples include:

• Stuxnet, which targeted Iran’s nuclear facilities and caused significant physical damage.
• GhostNet, which affected over 100 countries by stealing sensitive information through
phishing campaigns.
• Deep Panda, a group that breached U.S. government systems, exposing personal
information of millions of federal employees.
Detecting APTs isn’t just about security—it’s about protecting infrastructure, economies, and
national interests. This underscores the importance of systems like UNICORN."

Slide 5: Major Contributions (3-4 minutes)

"Let’s now explore the major contributions of UNICORN. These innovations make it a
significant advancement in the fight against APTs.

The first major contribution is provenance-based detection. Provenance refers to the history of
system activities, tracking actions such as which files were accessed, which processes were
started, and how data flowed between different components of the system. By analyzing this
data, UNICORN can build a detailed timeline of system behavior and detect anomalies that
occur over a long period, which is critical for identifying stealthy APTs.

Second, UNICORN introduces real-time detection using whole-system provenance. Unlike
previous systems that focus on static snapshots of data or events, UNICORN analyzes a live,
streaming flow of system activity. This allows it to detect APTs as they unfold, rather than after
the fact. This real-time detection is crucial in environments where timely responses are necessary
to mitigate the damage caused by an APT.

Third, time-weighted provenance encoding is another key innovation. In simple terms, this
technique compresses historical data into a compact representation that weights recent activity
more heavily than older activity. It retains the essential long-term patterns while gradually
forgetting stale detail, and it doesn’t require immense computational resources to store and
process. This means UNICORN can efficiently track system behavior over long periods without
being overwhelmed by data volume. It allows for efficient anomaly detection even when
analyzing very long histories of system behavior.

Together, these contributions make UNICORN not just a detection system, but a solution that can
provide ongoing, real-time insights into system behavior, increasing the chances of detecting
advanced, long-running threats like APTs."

Slide 6: Advancing the State of the Art (3-4 minutes)

"Let’s talk about how UNICORN advances the state of the art in intrusion detection.

First, existing rule-based systems are often unable to handle new or emerging threats, especially
zero-day exploits. Rule-based systems require predefined rules or signatures, which means they
are only effective against known attack patterns. However, APTs often exploit vulnerabilities that
have never been seen before, so rule-based systems can’t detect them. UNICORN’s approach
eliminates this problem by using anomaly detection rather than relying on predefined attack
signatures. By analyzing the entire system’s behavior over time, UNICORN can identify novel
attack patterns, even if they’ve never been encountered before.

Next, let’s look at single-hop graph exploration. In many traditional graph-based systems, the
analysis is limited to a small part of the data or only looks at immediate neighbors in a graph.
This makes it hard to detect more sophisticated attacks that span multiple system components or
involve subtle changes over time. UNICORN overcomes this limitation by using multi-hop
graph exploration, where it looks at a broader context of system behavior. This allows it to
detect patterns that might have been missed with single-hop approaches.

Finally, existing snapshot-based models typically analyze system activity at a single point in
time and can’t handle the long-term nature of APTs. As we’ve discussed, APTs are slow, stealthy,
and often evolve over time, which is why snapshot-based approaches are inadequate. UNICORN
uses evolutionary modeling to adapt to ongoing changes in system behavior over time, creating
a much more flexible system that can handle the dynamic nature of APTs.

With these innovations, UNICORN is far more capable of identifying attacks that occur
gradually, over long periods, without being influenced by momentary spikes in activity."

(Figure: Advanced Persistent Threats operate in multiple phases)

Slide 7: Main Methods Overview + Flowchart (5 minutes)

"Let’s take a closer look at how UNICORN works in practice. This flowchart gives a high-level
overview of the process.

1. Input – Provenance Graphs: UNICORN starts by gathering labeled, streaming
provenance graphs. These graphs capture all the activities within the system, such as file
accesses, process creation, and communications between processes. These graphs provide
a detailed view of how system entities interact over time.

◦ The beauty of this approach is that provenance graphs allow UNICORN to track
long-term interactions and causal relationships between system entities, even if
these interactions occur over long periods. This is essential for detecting low-and-
slow attacks, like APTs, which are stealthy and gradual.
2. Graph Histogram: The next step is to convert this data into a graph histogram. Each
vertex is labeled by its own type and then, over a few iterations, by the labels of its
neighbors, so a label summarizes a multi-hop neighborhood rather than a single node or
edge. The histogram counts how often each label occurs, capturing the most relevant
features of the graph without overwhelming the system with excessive detail. This
histogram is a more efficient representation of the graph and enables UNICORN to handle
large volumes of data in real-time.

◦ It captures how often specific local structures occur over time, giving the system an
overview of system behavior. For example, it reflects how frequently a file is
accessed, or how often a process is spawned by another process.
3. Graph Sketching: After this, UNICORN uses HistoSketch, a technique for graph
sketching, to compress these histograms into fixed-size representations. What this means
is that, instead of storing the entire graph, UNICORN uses a compact summary that still
preserves the property needed to compare snapshots cheaply, namely the Jaccard
similarity between histograms.

◦ This step is critical because it allows UNICORN to detect anomalies in real-time,
without being bogged down by the computational costs of processing massive
graphs. By creating these smaller sketches, UNICORN can analyze a system’s
entire history of activity, no matter how large, in an efficient manner.
4. Clustering and Anomaly Detection: The final step in the process is clustering.
UNICORN groups these sketches into clusters that represent normal system behavior, and
records the order in which a benign system moves between those clusters. Then,
whenever new data comes in, the system compares it to the learned clusters. If the
new data significantly deviates from the established clusters, or moves between clusters
in a sequence never observed during training, it is flagged as an anomaly.

◦ This anomaly detection is the heart of the system’s ability to identify APTs. Since
APTs involve activities that deviate from normal system operations but do so over
long periods, this approach helps catch those deviations early—before they cause
major damage.
This flowchart encapsulates the key stages in UNICORN’s methodology, transforming complex,
real-time system data into actionable insights that can detect even the most subtle and prolonged
attacks."

Slide 8: Provenance Graphs (3–4 minutes)

"Let’s take a closer look at provenance graphs, which form the backbone of UNICORN’s
detection system.

A provenance graph is a representation of all system activities and their relationships over time.
In this graph:

• Nodes represent entities such as files, processes, or users.
• Edges represent interactions or information flow, such as a file being read, a process
being created, or a user accessing data.
The unique advantage of provenance graphs lies in their ability to track causal relationships
between these entities. This means that even if two actions are separated by time, the graph can
connect them through their dependencies, revealing long-term patterns of system behavior.

For example, consider an attacker who gains access to a system, downloads malicious files, and
later modifies a critical configuration file. Individually, these actions might seem harmless, but a
provenance graph can trace the connections between them, flagging the sequence as suspicious.

By analyzing the entire historical context of a system’s actions, provenance graphs allow
UNICORN to detect stealthy, low-and-slow attacks that would otherwise go unnoticed."
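The provenance graph just described, together with the histogram step from slide 7 and the time-weighted encoding from slide 5, as a small added Python example (not code from the paper or the UNICORN repository): it builds a graph from a constructed event stream, traces the causal chain backward from a modified configuration file, and derives a multi-hop label histogram with optional exponential decay. The event list, the entity naming scheme, the half-life parameter and the hashing of labels are assumptions of this example, and the Weisfeiler-Lehman style relabeling is a simplified stand-in for the paper's own histogram construction.

```python
from collections import Counter
import hashlib

# Constructed provenance stream (example data, not from the paper's datasets):
# (source, relation, destination, timestamp). Edges point in the direction of
# information flow, so a process that writes a file is "proc -write-> file".
EVENTS = [
    ("user:alice",       "exec",  "proc:bash",             0),
    ("proc:bash",        "clone", "proc:curl",             1),
    ("net:10.0.0.9",     "recv",  "proc:curl",             2),
    ("proc:curl",        "write", "file:/tmp/pkg.sh",      3),
    ("proc:bash",        "clone", "proc:sh",              40),
    ("file:/tmp/pkg.sh", "read",  "proc:sh",              41),
    ("proc:sh",          "write", "file:/etc/cron.d/job", 42),
]


def build_graph(events):
    """Return (incoming edges per vertex, last activity time per vertex)."""
    incoming, last_seen = {}, {}
    for src, rel, dst, t in events:
        incoming.setdefault(src, [])
        incoming.setdefault(dst, []).append((src, rel))
        last_seen[src] = max(last_seen.get(src, t), t)
        last_seen[dst] = max(last_seen.get(dst, t), t)
    return incoming, last_seen


def ancestors(incoming, vertex):
    """Backward provenance trace: every vertex with a causal path into `vertex`.
    This is what connects the download (t=3) to the config write (t=42)."""
    seen, stack = set(), [vertex]
    while stack:
        for src, _ in incoming.get(stack.pop(), []):
            if src not in seen:
                seen.add(src)
                stack.append(src)
    return seen


def initial_labels(incoming):
    """Round 0: every vertex starts with its entity type (user, proc, file, net)."""
    return {v: v.split(":", 1)[0] for v in incoming}


def relabel(incoming, labels):
    """One Weisfeiler-Lehman style round: a vertex's new label hashes its
    current label together with the (relation, label) pairs of its in-neighbours.
    After r rounds a label summarises the vertex's r-hop neighbourhood, which is
    what lets the histogram see beyond single-hop structure."""
    new = {}
    for v, edges in incoming.items():
        neigh = ",".join(sorted(f"{rel}<-{labels[s]}" for s, rel in edges))
        new[v] = hashlib.sha1(f"{labels[v]}|{neigh}".encode()).hexdigest()[:10]
    return new


def histogram(incoming, last_seen, hops, now, half_life=None):
    """Graph histogram: count every label produced in rounds 0..hops.
    With half_life set (assumed parameter), each vertex's contribution decays
    exponentially with the time since its last activity, so stale history is
    gradually forgotten: a simplified stand-in for time-weighted encoding."""
    hist = Counter()
    labels = initial_labels(incoming)
    for r in range(hops + 1):
        if r > 0:
            labels = relabel(incoming, labels)
        for v, lab in labels.items():
            w = 1.0 if half_life is None else 0.5 ** ((now - last_seen[v]) / half_life)
            hist[lab] += w
    return hist


if __name__ == "__main__":
    g, seen = build_graph(EVENTS)
    print("ancestors of /etc/cron.d/job:", sorted(ancestors(g, "file:/etc/cron.d/job")))
    h = histogram(g, seen, hops=2, now=42, half_life=10)
    print(f"{len(h)} distinct labels, total weight {sum(h.values()):.2f}")
```

With `hops=0` the histogram is just a count of entity types; each additional round makes labels depend on a wider neighbourhood, so a process that was spawned by a shell and read a file fetched from the network gets a different label from one that only read a local file. The decay keeps old vertices from dominating the histogram forever, which is the behaviour the time-weighted encoding is after.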

Slide 9: Graph Sketching (3–4 minutes)

"Provenance graphs, while powerful, can grow to massive sizes, especially in long-running
systems with billions of interactions. Analyzing such large graphs in real-time poses a significant
computational challenge.

This is where graph sketching comes into play. UNICORN uses a technique called HistoSketch
to compress large provenance graphs into fixed-size representations, or 'sketches.' These sketches
summarize the essential features of the graph while discarding redundant information.

Here’s how it works:

• Jaccard Similarity: HistoSketch preserves this measure of overlap between two
histogram snapshots, so two sketches can be compared without touching the underlying graphs.
• Fixed-Size Summaries: The result is a compact, fixed-size sketch that retains key
information about the graph’s structure and behavior.
The trade-off is elegant: by sacrificing a small amount of detail, UNICORN achieves significant
gains in computational efficiency. This enables the system to analyze data streams in real-time
without requiring excessive memory or processing power.

For example, instead of comparing every detail in a massive graph, UNICORN can compare the
compressed sketches to quickly identify anomalies. This balance between efficiency and
accuracy is crucial for detecting APTs in real-world systems."
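Graph sketching and the clustering step of slide 7, as an added Python example (not the authors' code): a consistent weighted sampling sketch of the kind HistoSketch builds on, the Jaccard distance between two sketches, and a benign medoid with a distance threshold used to flag a histogram that was never seen in training. The histograms, the sketch size, the single-cluster model and the mean plus three standard deviations threshold are assumptions of this example; the paper's model additionally tracks how clusters evolve over time, which is omitted here.

```python
import hashlib
import math
import random
import statistics

# Constructed histograms (example data, not from the paper): five benign
# snapshots that differ only slightly, and one snapshot in which two labels
# never seen during training ("x", "y") carry most of the weight.
BENIGN = [
    {"a": 10, "b": 8, "c": 6, "d": 4},
    {"a": 11, "b": 7, "c": 6, "d": 5},
    {"a": 9,  "b": 8, "c": 7, "d": 4},
    {"a": 10, "b": 9, "c": 5, "d": 4, "e": 1},
    {"a": 12, "b": 8, "c": 6, "d": 3},
]
ATTACK = {"a": 10, "b": 8, "c": 6, "d": 4, "x": 30, "y": 20}


def _rng(element, j):
    """Deterministic generator per (histogram element, hash index) so the same
    element draws the same random values in every sketch."""
    seed = int.from_bytes(hashlib.sha1(f"{j}:{element}".encode()).digest()[:8], "big")
    return random.Random(seed)


def weighted_minhash(hist, size=256):
    """Consistent weighted sampling (Ioffe 2010), the sketch family HistoSketch
    builds on. Returns `size` (element, t) pairs; the fraction of positions at
    which two sketches agree estimates the weighted Jaccard similarity of the
    two histograms, so the sketch stays fixed-size however large the graph."""
    sketch = []
    for j in range(size):
        best, best_a = None, math.inf
        for k, w in hist.items():
            if w <= 0:
                continue
            rng = _rng(k, j)
            r = rng.expovariate(1.0) + rng.expovariate(1.0)   # Gamma(2, 1)
            c = rng.expovariate(1.0) + rng.expovariate(1.0)   # Gamma(2, 1)
            beta = rng.random()                                # Uniform(0, 1)
            t = math.floor(math.log(w) / r + beta)
            a = c / math.exp(r * (t - beta + 1))
            if a < best_a:
                best, best_a = (k, t), a
        sketch.append(best)
    return sketch


def sketch_distance(s1, s2):
    """1 minus the estimated weighted Jaccard similarity."""
    return 1.0 - sum(a == b for a, b in zip(s1, s2)) / len(s1)


def weighted_jaccard(h1, h2):
    """Exact value the sketches approximate, kept here for comparison."""
    keys = set(h1) | set(h2)
    return (sum(min(h1.get(k, 0), h2.get(k, 0)) for k in keys)
            / sum(max(h1.get(k, 0), h2.get(k, 0)) for k in keys))


def fit_benign(sketches):
    """One cluster of benign sketches: the medoid is the member closest to all
    others; the threshold is mean + 3 standard deviations of the members'
    distances to the medoid (assumed rule for this example)."""
    medoid = min(sketches, key=lambda s: sum(sketch_distance(s, o) for o in sketches))
    dists = [sketch_distance(medoid, s) for s in sketches]
    return medoid, statistics.mean(dists) + 3 * statistics.pstdev(dists)


def is_anomalous(sketch, model):
    medoid, threshold = model
    return sketch_distance(sketch, medoid) > threshold


if __name__ == "__main__":
    model = fit_benign([weighted_minhash(h) for h in BENIGN])
    print("threshold:", round(model[1], 3))
    print("benign flagged:", is_anomalous(weighted_minhash(BENIGN[1]), model))
    print("attack flagged:", is_anomalous(weighted_minhash(ATTACK), model))
```

The sketch size is the knob behind the trade-off described above: the error of the similarity estimate shrinks roughly with one over the square root of the number of hash positions, so 256 positions give a few percent of noise while storing 256 small pairs per snapshot instead of the whole histogram. The threshold is learned only from benign data, which is why a badly chosen training set, as discussed under limitations, shows up directly as false alarms or misses.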
Slide 10: Implementation (3–4 minutes)

"Let’s now discuss how UNICORN was implemented to handle the complexities of real-world
systems.

The architecture of UNICORN combines several technologies for scalability and efficiency:

1. GraphChi: At its core, UNICORN uses GraphChi, a graph processing engine designed
for handling large-scale graphs.
◦ GraphChi splits the graph into manageable pieces, called shards, and processes
them efficiently. This eliminates the need to load the entire graph into memory,
making it ideal for systems with limited resources.
◦ For example, even with billions of interactions in a system, GraphChi ensures that
UNICORN operates smoothly without performance bottlenecks.
2. Python: Other components, such as data parsing and modeling, were implemented in
Python. This provides flexibility for rapid development and integration with other tools.
3. Vertex-Centric Processing: UNICORN processes the graph node by node, rather than
analyzing the entire graph at once.
◦ This approach minimizes memory usage and enables real-time anomaly detection
by focusing only on the relevant portions of the graph.
By combining these elements, UNICORN can process and analyze massive datasets efficiently.
This scalability is critical for detecting APTs in modern, high-volume environments, where
systems generate billions of events every day."

Slide 11: Results – StreamSpot Dataset

"Let’s now discuss the results, starting with the StreamSpot dataset, which is used as a baseline
for comparison.

• Context: This dataset includes information flow graphs from benign activities, like web
browsing, and simulated attack scenarios.
• Performance: UNICORN achieved a 24% improvement in precision and a 30%
increase in recall compared to the StreamSpot system.
• Key Insight: UNICORN’s ability to analyze larger graph neighborhoods significantly
reduced false positives and improved detection accuracy.
This demonstrates UNICORN’s strength in environments where stealthy attacks might otherwise
blend into benign activities."

Slide 12: Results – DARPA TC Dataset

"Next is the DARPA Transparent Computing dataset, which includes real-world APT
scenarios.

• Performance: UNICORN achieved a 99% detection accuracy across various systems
and platforms, including FreeBSD and Linux.
• Flexibility: It adapted to different provenance capture systems like CADETS and
THEIA, showcasing its versatility.
• Key Insight: Even when attacks made up less than 0.001% of the total system activity,
UNICORN successfully detected anomalies without prior attack knowledge.
This result highlights UNICORN’s exceptional ability to operate in diverse and high-volume data
environments."

Slide 13: Results – Simulated SC Dataset

"Finally, let’s look at the Simulated Supply Chain dataset, which mimics APTs targeting
software delivery pipelines.

• Scenario: These attacks followed typical APT phases, such as reconnaissance,
exploitation, and command and control.
• Performance: UNICORN identified the attacks early in their lifecycle, with an 85%
precision and 96% recall in one scenario, and comparable results in another.
• Key Insight: By flagging anomalies already during the delivery phase, UNICORN can
detect these attacks before they escalate further.
This demonstrates UNICORN’s potential to detect early-stage APTs, especially in critical
systems like software supply chains."

Slide 14: Limitations (3 minutes)

"Now that we’ve seen the strengths and capabilities of UNICORN, let’s take a moment to
acknowledge its limitations.

1. Training Data Dependence: One of the main challenges for UNICORN is that it relies
on having a comprehensive, accurate dataset of benign system behavior to model
normal activity. If this dataset doesn’t fully represent the complexities of real-world
systems, the model may fail to distinguish between legitimate behavior and malicious
activity. This could lead to false alarms or missed detections.
For example, if an organization’s system behaves differently during normal operations
than what was observed during the training phase, UNICORN may misclassify it as an
anomaly, even though it’s just part of the regular system evolution.

2. Manual Intervention for False Positives: Although UNICORN significantly reduces
false positives compared to previous systems, it’s important to note that false positives
still require manual verification. This can delay the response time to potential threats,
especially when there’s a high volume of alerts or if the anomalies are difficult for non-
experts to interpret. Ideally, automation could help alleviate this issue, but for now,
human oversight is necessary to verify the anomalies flagged by UNICORN.

3. Limited Scope: While UNICORN excels at detecting Advanced Persistent Threats, it has
primarily been focused on APT detection. This means it hasn’t been fully tested against a
broader range of cyber threats, such as insider attacks, ransomware, or other types of
advanced malware that might require a slightly different detection approach. Expanding
its scope to handle a wider range of attacks would increase its utility and effectiveness in
diverse environments.

So, while UNICORN is a significant improvement over traditional systems, there’s still room for
development, particularly in expanding its application to a broader set of cyber threats."

Slide 15: New Work and Emerging Trends (3 minutes)

"Looking toward the future, there are several exciting developments and emerging trends in the
field of provenance-based detection that could enhance UNICORN’s capabilities even further.

1. Extending Provenance-Based Techniques: Provenance-based anomaly detection is
gaining traction outside of APT detection. For example, in fraud detection within
financial systems, provenance-based methods can trace the flow of transactions,
identifying suspicious patterns over time. Similarly, in healthcare systems, provenance
can track the interactions between patients, doctors, and medical records to detect
fraudulent activities or errors that might indicate an attack or system compromise. The
adaptability of provenance-based methods means that they can be integrated into a
variety of industries, making them a powerful tool in detecting not just APTs, but also a
broader range of anomalies.

2. Machine Learning Integration: Another emerging trend is the incorporation of
machine learning (ML) into provenance-based systems like UNICORN. While
UNICORN uses evolutionary modeling to adapt to system behavior over time, combining
it with advanced machine learning models could enhance its ability to identify patterns in
the data that humans might miss. By applying unsupervised learning techniques,
UNICORN could potentially improve its anomaly detection, even as system behaviors
evolve in ways it hasn’t been trained on. For example, ML could allow UNICORN to
automatically update its models without manual intervention, improving detection
accuracy over time and reducing the need for frequent retraining.

3. Real-Time Scalable Solutions: The need for real-time and scalable solutions to combat
sophisticated cyber threats is growing. As networks and systems become more complex,
the ability to monitor and analyze data in real-time is becoming a critical requirement for
effective cybersecurity. UNICORN, with its ability to process large volumes of data
efficiently, represents the kind of real-time solution that is likely to become a standard in
the industry. As more organizations adopt cloud-based systems, distributed environments,
and IoT devices, scalable anomaly detection systems like UNICORN will be vital for
keeping pace with these ever-expanding networks.

In summary, the field is evolving rapidly, and there are exciting opportunities to expand
provenance-based detection into new domains and enhance its capabilities with machine learning
and other advanced techniques."

Slide 16: Conclusion (2 minutes)

"To wrap up, UNICORN is a transformative system that leverages the power of provenance-
based anomaly detection to effectively detect Advanced Persistent Threats. Let’s recap the key
points:

• UNICORN analyzes the entire system’s historical behavior, providing a rich, contextual
understanding of normal operations, which is crucial for spotting stealthy, low-and-slow
attacks.
• It performs real-time detection without being burdened by computational limitations,
thanks to techniques like graph sketching and time-weighted encoding.
• The system demonstrates a significant improvement in precision and recall compared to
existing methods, with a 24% increase in precision and a 30% improvement in recall.
Moreover, its ability to balance accuracy, efficiency, and scalability makes it a powerful tool for
organizations looking to protect themselves against APTs.

As an open-source framework, UNICORN also sets a solid foundation for future research and
development, encouraging collaboration and further innovation in the field of cybersecurity.

Thank you very much for your time and attention. I’m happy to take any questions you might
have."