Slide 1: Title Slide (1 minute)

"Good [morning/afternoon], everyone. Thank you for joining me today.

I’m here to present UNICORN: Runtime Provenance-Based Detector for Advanced Persistent Threats, a novel system that tackles one of the most challenging cyber threats of our time.

This work was conducted by researchers Xueyuan Han, Thomas Pasquier, Adam Bates, James Mickens, and Margo Seltzer and was presented at the NDSS 2020 conference. In this presentation, I will walk you through the challenges posed by Advanced Persistent Threats, or APTs, and explain how UNICORN leverages innovative techniques to detect these attacks effectively."

Slide 2: Introduction to APTs (4 minutes)

"Let’s begin by understanding what Advanced Persistent Threats, or APTs, are.

APTs are stealthy, long-term cyberattacks often carried out by highly skilled groups, including nation-state actors. These groups target critical infrastructure, organizations, or governments, aiming to steal data, perform espionage, or disrupt operations.

What sets APTs apart from traditional attacks is their 'low-and-slow' approach. Instead of acting quickly and noticeably, they operate over weeks, months, or even years, making minimal changes to avoid detection. Additionally, they often exploit zero-day vulnerabilities, security flaws unknown to the defender, which makes them very hard to stop with signature-based systems.

Traditional detection systems face several challenges:

1. Signature-based methods: These rely on known attack patterns, so they can’t detect zero-day exploits or new types of attacks.
2. Short-term anomaly detection systems: These tools analyze short bursts of system activity and are ineffective at identifying the prolonged, subtle behavior of APTs.

This brings us to UNICORN, which uses provenance-based anomaly detection. By analyzing the entire historical context of a system’s activities, UNICORN can uncover subtle anomalies that indicate an APT, even in its early stages."

Slide 3: Problem Statement (3 minutes)

"Now let’s dive deeper into the problem.

The primary challenge in detecting APTs lies in their stealth and prolonged nature. These attacks operate in such a way that they blend into the normal behavior of a system.

There are three main challenges:

1. Signature-based systems are blind to zero-day exploits because these attacks leave no predefined patterns to match against.
2. Short-term anomaly detectors only analyze brief windows of system behavior and miss the slow, evolving patterns of APTs.
3. APTs often mimic normal system operations, making them difficult to distinguish from legitimate activity.

Conventional systems, therefore, struggle to identify these long-term, subtle attack patterns. The objective of UNICORN is to overcome these limitations by focusing on whole-system, long-term behavior analysis."

Slide 4: Importance (4 minutes)

"Let’s talk about why detecting APTs is so critical.

APTs often target high-value assets, such as government networks, financial institutions, and healthcare systems. Their potential for harm is enormous:

• Financial loss: Organizations lose millions through stolen data or disrupted operations.
• Operational impact: APTs can cause downtime for critical services.
• Reputational damage: Once a breach is revealed, trust in an organization or even a nation is compromised.

Some well-known examples include:

• Stuxnet, which targeted Iran’s nuclear facilities and caused significant physical damage.
• GhostNet, which affected over 100 countries by stealing sensitive information through phishing campaigns.
• Deep Panda, a group that breached U.S. government systems, exposing personal information of millions of federal employees.

Detecting APTs isn’t just about security; it’s about protecting infrastructure, economies, and national interests. This underscores the importance of systems like UNICORN."

Slide 5: Major Contributions (3-4 minutes)

"Let’s now explore the major contributions of UNICORN. These innovations make it a significant advancement in the fight against APTs.

The first major contribution is provenance-based detection. Provenance refers to the history of system activities, tracking actions such as which files were accessed, which processes were started, and how data flowed between different components of the system. By analyzing this data, UNICORN can build a detailed timeline of system behavior and detect anomalies that occur over a long period, which is critical for identifying stealthy APTs.

Second, UNICORN introduces real-time detection using whole-system provenance. Unlike previous systems that focus on static snapshots of data or events, UNICORN analyzes a live, streaming flow of system activity. This allows it to detect APTs as they unfold, rather than after the fact. Real-time detection is crucial in environments where timely responses are necessary to mitigate the damage caused by an APT.

Third, time-weighted provenance encoding is another key innovation. The summary UNICORN keeps of the graph is updated as new provenance arrives, and before each update the counts already in the summary are scaled down by a decay factor. Old behavior therefore never disappears entirely, but recent activity weighs more, so the summary reflects both the system’s history and its current state. This is what lets UNICORN follow a system that runs for a long time without the earliest events drowning out what is happening now. The compact, fixed-size representation itself comes from a separate technique, graph sketching, which I will cover in a moment.

Together, these contributions make UNICORN not just a detection system, but a solution that can provide ongoing, real-time insights into system behavior, increasing the chances of detecting advanced, long-running threats like APTs."

Slide 6: Advancing the State of the Art (3-4 minutes)

"Let’s talk about how UNICORN advances the state of the art in intrusion detection.

First, existing rule-based systems are often unable to handle new or emerging threats, especially zero-day exploits. Rule-based systems require predefined rules or signatures, which means they are only effective against known attack patterns. However, APTs often exploit vulnerabilities that have never been seen before, so rule-based systems can’t detect them. UNICORN sidesteps this problem by using anomaly detection rather than relying on predefined attack signatures. By modeling what the whole system normally looks like over time, UNICORN can flag novel attack patterns, even if they’ve never been encountered before.

Next, let’s look at single-hop graph exploration. In many traditional graph-based systems, the analysis is limited to a small part of the data or only looks at a vertex’s immediate neighbors in the graph. This makes it hard to detect more sophisticated attacks that span multiple system components or involve subtle changes over time. UNICORN overcomes this limitation by using multi-hop graph exploration: each vertex is summarized together with its neighborhood several hops out, so the model captures a broader context of system behavior. This allows it to detect patterns that would be missed with single-hop approaches.

Finally, existing snapshot-based models typically analyze system activity at a single point in time and can’t handle the long-term nature of APTs. As we’ve discussed, APTs are slow, stealthy, and often evolve over time, which is why snapshot-based approaches are inadequate. UNICORN uses evolutionary modeling: it learns the sequence of states a system normally passes through, creating a much more flexible model that can handle the dynamic nature of APTs.

With these innovations, UNICORN is far more capable of identifying attacks that occur gradually, over long periods, without being thrown off by momentary spikes in activity."

Advanced Persistent Threats operate in multiple phases

Slide 7: Main Methods Overview + Flowchart (5 minutes)

"Let’s take a closer look at how UNICORN works in practice. This flowchart gives a high-level overview of the process.

1. Input – Provenance Graphs: UNICORN starts from a streaming provenance graph whose vertices and edges carry type labels. The graph captures the activity within the system, such as file accesses, process creation, and communication between processes, and so gives a detailed view of how system entities interact over time.

◦ Provenance graphs let UNICORN track long-term interactions and causal relationships between system entities, even when those interactions are spread over long periods. This is essential for detecting low-and-slow attacks like APTs, which are stealthy and gradual.

2. Graph Histogram: The next step converts the graph into a graph histogram. Each vertex receives a label that summarizes its own type together with the types of the edges and vertices around it, up to R hops away, and the histogram counts how often each such label occurs. The histogram is updated as new edges stream in, and the existing counts are decayed so that recent activity weighs more than old activity. This is a far more compact representation than the graph itself and is what lets UNICORN handle large volumes of data in real time.

◦ The histogram therefore records which local structures occur in the system and how often. For example, one entry may count processes that read a configuration file and then spawn a child process, another may count files written by a process that a shell forked.

3. Graph Sketching: After this, UNICORN uses HistoSketch, a technique for graph sketching, to compress the histogram into a fixed-size sketch. Instead of storing the entire histogram, UNICORN keeps a compact summary that preserves weighted Jaccard similarity: comparing two sketches approximates how similar the two underlying histograms, and hence the two graphs, are.

◦ This step is critical because it keeps the cost of comparing system states constant, no matter how large the graph has grown. That is what allows UNICORN to keep analyzing a long-running system in real time without being bogged down by the cost of processing massive graphs.

4. Clustering and Anomaly Detection: The final step is clustering. During training, UNICORN clusters the sketches produced over time by benign runs, so each cluster represents a normal system state and the sequence of clusters represents how the system normally evolves. At runtime, each new sketch is compared to the learned clusters. If it does not fit any cluster within the learned distance threshold, or the system moves between states in an order never seen during training, it is flagged as an anomaly.

◦ This anomaly detection is the heart of the system’s ability to identify APTs. Because APT activity deviates from normal system operation, but does so gradually over long periods, comparing evolving whole-system states is what lets UNICORN catch the deviation early, before major damage is done.

This flowchart encapsulates the key stages in UNICORN’s methodology, transforming complex, streaming system data into alerts that can surface even subtle and prolonged attacks."
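To make stages 1 and 2 concrete, here is an added example (not UNICORN’s own code) that builds a graph histogram from a small, constructed provenance stream: edges arrive in batches, every vertex touched by a batch is relabelled from its incoming edges for R hops in the Weisfeiler-Lehman style, and the labels are counted into a histogram whose existing counts are decayed before each batch. The stream, the names `ProvHistogram`, `build_histogram` and `weighted_jaccard`, and the choice to count the label from every hop are this example’s own assumptions; the same per-vertex update is what a vertex-centric engine would run.

```python
# Added example, not UNICORN's code: provenance stream -> graph histogram with
# R-hop vertex relabelling and exponential decay ("gradual forgetting").
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple

Event = Tuple[str, str, str, str, str]  # (src, src_type, edge_type, dst, dst_type)

# Constructed sample stream (not captured data): an sshd session that reads its
# config, spawns a shell, and the shell lists a directory.
BENIGN_STREAM: List[Event] = [
    ("init", "process", "fork", "sshd", "process"),
    ("/etc/ssh/sshd_config", "file", "read", "sshd", "process"),
    ("sshd", "process", "fork", "bash", "process"),
    ("/etc/passwd", "file", "read", "bash", "process"),
    ("bash", "process", "write", "/home/alice/.bash_history", "file"),
    ("bash", "process", "fork", "ls", "process"),
]
# Same session, plus the shell reading a private key and pushing it to a socket.
SUSPICIOUS_STREAM: List[Event] = BENIGN_STREAM + [
    ("/home/alice/.ssh/id_ed25519", "file", "read", "bash", "process"),
    ("bash", "process", "fork", "curl", "process"),
    ("curl", "process", "send", "203.0.113.9:443", "socket"),
]


def _h(parts: List[str]) -> str:
    """Short, stable hash of a label; used as the histogram key."""
    return hashlib.blake2b("|".join(parts).encode(), digest_size=6).hexdigest()


class ProvHistogram:
    def __init__(self, hops: int = 2, decay: float = 0.8) -> None:
        self.hops, self.decay = hops, decay
        self.in_edges: Dict[str, List[Tuple[str, str]]] = defaultdict(list)  # dst -> [(edge_type, src)]
        self.types: Dict[str, str] = {}
        self.hist: Dict[str, float] = defaultdict(float)

    def label(self, v: str, r: int) -> str:
        """Label of v after r rounds: hop 0 is the vertex type; hop r folds in
        (edge_type, hop r-1 label of the source) for every incoming edge."""
        if r == 0:
            return _h([self.types[v]])
        parts = [self.label(v, r - 1)]
        parts += sorted(_h([et, self.label(u, r - 1)]) for et, u in self.in_edges[v])
        return _h(parts)

    def add_batch(self, batch: List[Event]) -> None:
        # Time weighting: scale down everything already counted before adding.
        for k in self.hist:
            self.hist[k] *= self.decay
        touched = set()
        for src, st, et, dst, dt in batch:
            self.types.setdefault(src, st)
            self.types.setdefault(dst, dt)
            self.in_edges[dst].append((et, src))
            touched.update((src, dst))
        # Only vertices touched by this batch get fresh labels, one per hop
        # (counting every hop is this example's choice).
        for v in touched:
            for r in range(self.hops + 1):
                self.hist[self.label(v, r)] += 1.0


def build_histogram(stream: List[Event], hops: int = 2, decay: float = 0.8,
                    batch_size: int = 3) -> Dict[str, float]:
    ph = ProvHistogram(hops, decay)
    for i in range(0, len(stream), batch_size):
        ph.add_batch(stream[i:i + batch_size])
    return dict(ph.hist)


def weighted_jaccard(a: Dict[str, float], b: Dict[str, float]) -> float:
    """Exact similarity between two histograms; the sketch in the next stage
    only has to approximate this number."""
    keys = set(a) | set(b)
    num = sum(min(a.get(k, 0.0), b.get(k, 0.0)) for k in keys)
    den = sum(max(a.get(k, 0.0), b.get(k, 0.0)) for k in keys)
    return num / den if den else 1.0


if __name__ == "__main__":
    benign = build_histogram(BENIGN_STREAM)
    suspicious = build_histogram(SUSPICIOUS_STREAM)
    print(len(benign), "labels in benign histogram")
    print("similarity benign vs suspicious:", round(weighted_jaccard(benign, suspicious), 3))
```

The suspicious stream introduces structures the benign one never had (a socket vertex, a process that reads a key file and then forks a sender), so its histogram gains keys the benign histogram lacks and the weighted Jaccard similarity drops below 1. Lowering `decay` shrinks the weight of earlier batches without removing them, which is the behaviour slide 5 describes.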

Slide 8: Provenance Graphs (3–4 minutes)

"Let’s take a closer look at provenance graphs, which form the backbone of UNICORN’s detection system.

A provenance graph is a representation of all system activities and their relationships over time. In this graph:

• Nodes represent entities such as files, processes, or users.
• Edges represent interactions or information flow, such as a file being read, a process being created, or a user accessing data.

The unique advantage of provenance graphs lies in their ability to track causal relationships between these entities. This means that even if two actions are separated by time, the graph can connect them through their dependencies, revealing long-term patterns of system behavior.

For example, consider an attacker who gains access to a system, downloads malicious files, and later modifies a critical configuration file. Individually, these actions might seem harmless, but a provenance graph can trace the connections between them, flagging the sequence as suspicious.

By analyzing the entire historical context of a system’s actions, provenance graphs allow UNICORN to detect stealthy, low-and-slow attacks that would otherwise go unnoticed."

Slide 9: Graph Sketching (3–4 minutes)

"Provenance graphs, while powerful, can grow to massive sizes, especially in long-running systems with very large numbers of interactions. Analyzing such large graphs in real time poses a significant computational challenge.

This is where graph sketching comes into play. UNICORN uses a technique called HistoSketch to compress the graph histogram into a fixed-size representation, or 'sketch.' The sketch keeps the information needed to compare system states while discarding the rest.

Here’s how it works:

• Weighted Jaccard Similarity: The similarity between two graph histograms is measured by weighted Jaccard similarity, the sum over labels of the smaller count divided by the sum of the larger count. HistoSketch is built on consistent weighted sampling, so the probability that two sketches agree at a given position equals the weighted Jaccard similarity of the two histograms. Comparing sketches position by position therefore estimates how similar the two graphs are.
• Fixed-Size Summaries: The sketch has the same length no matter how large the graph is, and HistoSketch can update it incrementally as the histogram changes, without recomputing it from the full graph.

The trade-off is elegant: by accepting a small loss of detail, UNICORN achieves significant gains in computational efficiency. This enables the system to analyze data streams in real time without requiring excessive memory or processing power.

For example, instead of comparing every detail of two massive graphs, UNICORN compares two short sketches to decide whether the current state looks like a known benign state. This balance between efficiency and accuracy is crucial for detecting APTs in real-world systems."
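The two properties this slide relies on, a fixed-size sketch whose per-position agreement rate equals weighted Jaccard similarity and a distance threshold learned from benign sketches, can be shown in a few dozen lines. The following is an added example, not HistoSketch’s or UNICORN’s code: the sketch is built with Ioffe’s consistent weighted sampling (the sampling scheme HistoSketch builds on), and the detector keeps a single benign cluster, its medoid and a radius, where UNICORN learns several clusters and their order over time. The histograms are constructed by hand, HistoSketch’s incremental update under decay is not reproduced (the sketch is recomputed from the histogram each time), and `icws_sketch`, `sketch_similarity`, `SketchDetector` and the `factor` parameter are this example’s own names.

```python
# Added example, not HistoSketch's or UNICORN's code: fixed-size sketch by
# consistent weighted sampling, plus a medoid-and-radius anomaly check.
import hashlib
import math
import random
from typing import Dict, List, Tuple

Histogram = Dict[str, float]
Sketch = List[Tuple[str, int]]

# Constructed histograms (label -> count). Keys stand in for the hashed
# R-hop labels a real graph histogram would contain.
BENIGN_TRAIN: List[Histogram] = [
    {"proc|read|file": 10, "proc|fork|proc": 8, "proc|write|file": 6, "proc|exec|file": 4},
    {"proc|read|file": 11, "proc|fork|proc": 7, "proc|write|file": 6, "proc|exec|file": 4},
    {"proc|read|file": 9, "proc|fork|proc": 8, "proc|write|file": 7, "proc|exec|file": 4},
    {"proc|read|file": 10, "proc|fork|proc": 9, "proc|write|file": 5, "proc|exec|file": 5},
]
BENIGN_HELDOUT: Histogram = {"proc|read|file": 10, "proc|fork|proc": 8, "proc|write|file": 6, "proc|exec|file": 3}
# Benign activity plus structures never seen in training (key read, exfiltration).
ATTACK: Histogram = {**BENIGN_TRAIN[0], "proc|read|keyfile": 12, "proc|send|socket": 9, "proc|connect|socket": 7}


def _rng(position: int, key: str) -> random.Random:
    """Deterministic generator per (sketch position, label), so the same label
    gets the same random draws in every histogram (the 'consistent' part)."""
    seed = int.from_bytes(hashlib.blake2b(f"{position}|{key}".encode(), digest_size=8).digest(), "big")
    return random.Random(seed)


def icws_sketch(hist: Histogram, size: int = 512) -> Sketch:
    """Ioffe's ICWS: each position samples one (label, t) pair such that two
    histograms agree at a position with probability = weighted Jaccard."""
    sketch: Sketch = []
    for i in range(size):
        best, best_a = ("", 0), math.inf
        for key, w in hist.items():
            if w <= 0:
                continue
            rng = _rng(i, key)
            r, c, beta = rng.gammavariate(2, 1), rng.gammavariate(2, 1), rng.random()
            t = math.floor(math.log(w) / r + beta)
            y = math.exp(r * (t - beta))
            a = c / (y * math.exp(r))
            if a < best_a:
                best, best_a = (key, t), a
        sketch.append(best)
    return sketch


def sketch_similarity(s1: Sketch, s2: Sketch) -> float:
    """Fraction of matching positions; an estimate of weighted Jaccard."""
    return sum(x == y for x, y in zip(s1, s2)) / len(s1)


class SketchDetector:
    """One benign cluster: medoid sketch plus a radius. Sketches farther than
    factor * radius from the medoid are flagged."""

    def __init__(self, size: int = 512, factor: float = 2.0) -> None:
        self.size, self.factor = size, factor
        self.medoid: Sketch = []
        self.threshold = 0.0

    def fit(self, benign: List[Histogram]) -> "SketchDetector":
        sketches = [icws_sketch(h, self.size) for h in benign]
        dist = [[1.0 - sketch_similarity(a, b) for b in sketches] for a in sketches]
        m = min(range(len(sketches)), key=lambda i: sum(dist[i]))  # medoid
        self.medoid = sketches[m]
        self.threshold = max(self.factor * max(dist[m]), 0.05)
        return self

    def distance(self, hist: Histogram) -> float:
        return 1.0 - sketch_similarity(self.medoid, icws_sketch(hist, self.size))

    def is_anomalous(self, hist: Histogram) -> bool:
        return self.distance(hist) > self.threshold


if __name__ == "__main__":
    det = SketchDetector().fit(BENIGN_TRAIN)
    print("threshold:", round(det.threshold, 3))
    print("held-out benign:", round(det.distance(BENIGN_HELDOUT), 3), det.is_anomalous(BENIGN_HELDOUT))
    print("attack:", round(det.distance(ATTACK), 3), det.is_anomalous(ATTACK))
```

Because the sketch stores `(label, t)` pairs rather than counts, its length is fixed by `size`, not by the number of labels, and comparing two sketches costs the same whether the histogram has ten keys or ten million. The exact weighted Jaccard between `BENIGN_TRAIN[0]` and `ATTACK` is 28/56 = 0.5, and the sketch estimate lands close to it; the held-out benign histogram stays well inside the learned radius while the attack falls far outside.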

Slide 10: Implementation (3–4 minutes)

"Let’s now discuss how UNICORN was implemented to handle the complexities of real-world systems.

The architecture of UNICORN combines several technologies for scalability and efficiency:

1. GraphChi: UNICORN’s graph processing is built on GraphChi, a disk-based graph engine designed for handling large-scale graphs on a single machine.
◦ GraphChi splits the graph into pieces called shards and processes them through sliding windows, so the whole graph never has to be loaded into memory. This makes it usable on machines with limited resources.
◦ This is what lets UNICORN keep up with a graph that grows continuously for as long as the monitored system runs.
2. Python: Other components, such as data parsing and modeling, were implemented in Python. This provides flexibility for rapid development and integration with other tools.
3. Vertex-Centric Processing: GraphChi programs are written per vertex: each vertex’s update is computed from its own incoming edges, rather than by walking the entire graph. The multi-hop relabeling that feeds the histogram is expressed this way, so a newly arrived edge only triggers local work.
◦ This approach minimizes memory usage and is what makes streaming updates, and therefore real-time anomaly detection, practical.

By combining these elements, UNICORN can process and analyze large provenance graphs efficiently. This scalability is critical for detecting APTs in modern, high-volume environments, where systems generate enormous numbers of events every day."

Slide 11: Results – StreamSpot Dataset

"Let’s now discuss the results, starting with the StreamSpot dataset, where the StreamSpot system itself is the baseline for comparison.

• Context: This dataset includes information flow graphs from benign activities, like web browsing, and a simulated attack scenario.
• Performance: UNICORN achieved a 24% improvement in precision and a 30% increase in recall compared to the StreamSpot system.
• Key Insight: UNICORN’s ability to summarize larger graph neighborhoods, rather than single-hop ones, significantly reduced false positives and improved detection accuracy.

This demonstrates UNICORN’s strength in environments where stealthy attacks might otherwise blend into benign activities."

Slide 12: Results – DARPA TC Dataset

"Next is the DARPA Transparent Computing dataset, which includes real-world APT scenarios.

• Performance: UNICORN achieved a 99% detection accuracy across various systems and platforms, including FreeBSD and Linux.
• Flexibility: It adapted to different provenance capture systems like CADETS and THEIA, showcasing its versatility.
• Key Insight: Even when attacks made up less than 0.001% of the total system activity, UNICORN successfully detected anomalies without prior attack knowledge.

This result highlights UNICORN’s exceptional ability to operate in diverse and high-volume data environments."

Slide 13: Results – Simulated SC Dataset

"Finally, let’s look at the Simulated Supply Chain dataset, which mimics APTs targeting software delivery pipelines.

• Scenario: These attacks followed typical APT phases, such as reconnaissance, exploitation, and command and control.
• Performance: UNICORN identified the attacks early in their lifecycle, with an 85% precision and 96% recall in one scenario, and comparable results in another.
• Key Insight: Because the anomaly surfaced during the delivery phase, defenders get a chance to intervene before the attack escalates further.

This demonstrates UNICORN’s potential to detect early-stage APTs, especially in critical systems like software supply chains."

Slide 14: Limitations (3 minutes)

"Now that we’ve seen the strengths and capabilities of UNICORN, let’s take a moment to acknowledge its limitations.

1. Training Data Dependence: One of the main challenges for UNICORN is that it relies on having a comprehensive, accurate dataset of benign system behavior to model normal activity. If this dataset doesn’t fully represent the complexities of real-world systems, the model may fail to distinguish between legitimate behavior and malicious activity. This could lead to false alarms or missed detections. For example, if an organization’s system behaves differently during normal operations than what was observed during the training phase, UNICORN may misclassify it as an anomaly, even though it’s just part of the regular system evolution.

2. Manual Intervention for False Positives: Although UNICORN significantly reduces false positives compared to previous systems, it’s important to note that false positives still require manual verification. This can delay the response time to potential threats, especially when there’s a high volume of alerts or if the anomalies are difficult for non-experts to interpret. Ideally, automation could help alleviate this issue, but for now, human oversight is necessary to verify the anomalies flagged by UNICORN.

3. Limited Scope: While UNICORN excels at detecting Advanced Persistent Threats, it has primarily been focused on APT detection. This means it hasn’t been fully tested against a broader range of cyber threats, such as insider attacks, ransomware, or other types of advanced malware that might require a slightly different detection approach. Expanding its scope to handle a wider range of attacks would increase its utility and effectiveness in diverse environments.

So, while UNICORN is a significant improvement over traditional systems, there’s still room for development, particularly in expanding its application to a broader set of cyber threats."

Slide 15: New Work and Emerging Trends (3 minutes)

"Looking toward the future, there are several exciting developments and emerging trends in the field of provenance-based detection that could enhance UNICORN’s capabilities even further.

1. Extending Provenance-Based Techniques: Provenance-based anomaly detection is gaining traction outside of APT detection. For example, in fraud detection within financial systems, provenance-based methods can trace the flow of transactions, identifying suspicious patterns over time. Similarly, in healthcare systems, provenance can track the interactions between patients, doctors, and medical records to detect fraudulent activities or errors that might indicate an attack or system compromise. The adaptability of provenance-based methods means that they can be integrated into a variety of industries, making them a powerful tool in detecting not just APTs, but also a broader range of anomalies.

2. Machine Learning Integration: Another emerging trend is the incorporation of richer machine learning (ML) into provenance-based systems like UNICORN. UNICORN already learns normal behavior without labeled attacks, by clustering sketches and modeling how the system evolves over time, but combining it with more advanced learning models could enhance its ability to identify patterns in the data that humans might miss. For example, models that keep adapting as system behavior drifts could let UNICORN update itself without manual intervention, improving detection accuracy over time and reducing the need for frequent retraining.

3. Real-Time Scalable Solutions: The need for real-time and scalable solutions to combat sophisticated cyber threats is growing. As networks and systems become more complex, the ability to monitor and analyze data in real time is becoming a critical requirement for effective cybersecurity. UNICORN, with its ability to process large volumes of data efficiently, represents the kind of real-time solution that is likely to become a standard in the industry. As more organizations adopt cloud-based systems, distributed environments, and IoT devices, scalable anomaly detection systems like UNICORN will be vital for keeping pace with these ever-expanding networks.

In summary, the field is evolving rapidly, and there are exciting opportunities to expand provenance-based detection into new domains and enhance its capabilities with machine learning and other advanced techniques."

Slide 16: Conclusion (2 minutes)

"To wrap up, UNICORN is a transformative system that leverages the power of provenance-based anomaly detection to effectively detect Advanced Persistent Threats. Let’s recap the key points:

• UNICORN analyzes the entire system’s historical behavior, providing a rich, contextual understanding of normal operations, which is crucial for spotting stealthy, low-and-slow attacks.
• It performs real-time detection without being burdened by computational limitations, thanks to techniques like graph sketching and time-weighted encoding.
• The system demonstrates a significant improvement in precision and recall compared to existing methods, with a 24% increase in precision and a 30% improvement in recall on the StreamSpot dataset.

Moreover, its ability to balance accuracy, efficiency, and scalability makes it a powerful tool for organizations looking to protect themselves against APTs.

As an open-source framework, UNICORN also sets a solid foundation for future research and development, encouraging collaboration and further innovation in the field of cybersecurity.

Thank you very much for your time and attention. I’m happy to take any questions you might have."
