The first framework designed to build and experiment with provenance-based intrusion detection systems (PIDSs) using deep learning architectures. It provides a single codebase to run the most recent state-of-the-art systems and to customize them easily in order to develop new variants.
Currently supported PIDSs:
- Velox (USENIX Sec'25): Sometimes Simpler is Better: A Comprehensive Analysis of State-of-the-Art Provenance-Based Intrusion Detection Systems
- Orthrus (USENIX Sec'25): ORTHRUS: Achieving High Quality of Attribution in Provenance-based Intrusion Detection Systems
- R-Caid (IEEE S&P'24): R-CAID: Embedding Root Cause Analysis within Provenance-based Intrusion Detection
- Flash (IEEE S&P'24): Flash: A Comprehensive Approach to Intrusion Detection via Provenance Graph Representation Learning
- Kairos (IEEE S&P'24): Kairos: Practical Intrusion Detection and Investigation using Whole-system Provenance
- Magic (USENIX Sec'24): MAGIC: Detecting Advanced Persistent Threats via Masked Graph Representation Learning
- NodLink (NDSS'24): NODLINK: An Online System for Fine-Grained APT Attack Detection and Investigation
- ThreaTrace (IEEE TIFS'22): THREATRACE: Detecting and Tracing Host-Based Threats in Node Level Through Provenance Graph Learning
```shell
git clone https://github.com/ubc-provenance/PIDSMaker.git
```
We have made the installation of DARPA TC/OpTC easy and fast; simply follow these guidelines.
Comprehensive documentation is available, explaining all possible arguments and providing examples of how to integrate new systems.
Once you have a shell in the pids container, experiments can be run in multiple ways.
- Replace `SYSTEM` by `velox | orthrus | nodlink | threatrace | kairos | rcaid | flash | magic`.
- Replace `DATASET` by `CLEARSCOPE_E3 | CADETS_E3 | THEIA_E3 | CLEARSCOPE_E5 | THEIA_E5 | optc_h201 | optc_h501 | optc_h051`.
- Run in the shell, no W&B:
  ```shell
  python pidsmaker/main.py SYSTEM DATASET --tuned
  ```
- Run in the shell, monitored to W&B:
  ```shell
  python pidsmaker/main.py SYSTEM DATASET --tuned --wandb
  ```
- Run in background, monitored to W&B (ideal for multiple parallel runs):
  ```shell
  ./run.sh SYSTEM DATASET --tuned
  ```
  You can still watch the logs in your shell using `tail -f nohup.out`.
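As an added example (not code from the PIDSMaker repository), the POSIX shell helper below validates `SYSTEM` and `DATASET` against the lists above, builds the three documented invocations, and dry-runs a full system-by-dataset sweep before anything is launched. It assumes it is run from the repository root, where `pidsmaker/main.py` and `run.sh` live.

```shell
#!/bin/sh
# Added example, not part of PIDSMaker: validate arguments and build the
# experiment commands documented in the README. Assumes the repository root
# (pidsmaker/main.py and run.sh present) as the working directory.

SYSTEMS="velox orthrus nodlink threatrace kairos rcaid flash magic"
DATASETS="CLEARSCOPE_E3 CADETS_E3 THEIA_E3 CLEARSCOPE_E5 THEIA_E5 optc_h201 optc_h501 optc_h051"

# in_list NEEDLE "a b c": succeed if NEEDLE is one of the words.
in_list() {
    for w in $2; do
        [ "$1" = "$w" ] && return 0
    done
    return 1
}

# pids_cmd SYSTEM DATASET MODE: print the command line for MODE
# (shell | wandb | background), or fail with a message on bad input.
pids_cmd() {
    sys=$1; ds=$2; mode=$3
    in_list "$sys" "$SYSTEMS" || { echo "unknown SYSTEM: $sys" >&2; return 1; }
    in_list "$ds" "$DATASETS" || { echo "unknown DATASET: $ds" >&2; return 1; }
    case $mode in
        shell)      echo "python pidsmaker/main.py $sys $ds --tuned" ;;
        wandb)      echo "python pidsmaker/main.py $sys $ds --tuned --wandb" ;;
        background) echo "./run.sh $sys $ds --tuned" ;;
        *) echo "unknown MODE: $mode" >&2; return 1 ;;
    esac
}

# sweep MODE: one command per (SYSTEM, DATASET) pair. Commands are printed
# (dry run) unless DRY_RUN=0 is set, in which case they are executed.
sweep() {
    for sys in $SYSTEMS; do
        for ds in $DATASETS; do
            cmd=$(pids_cmd "$sys" "$ds" "$1") || return 1
            if [ "${DRY_RUN:-1}" = "1" ]; then echo "$cmd"; else eval "$cmd"; fi
        done
    done
}
```

Run `sweep background` to preview all 64 launch commands, and `DRY_RUN=0 sweep background` to start them through `run.sh`.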
Warning: Before performing evaluations, you should tune all systems. Follow the instructions available in our documentation.
If you use this work, please cite the following paper:
```bibtex
@inproceedings{bilot2025simpler,
  title={{Sometimes Simpler is Better: A Comprehensive Analysis of State-of-the-Art Provenance-Based Intrusion Detection Systems}},
  author={Bilot, Tristan and Jiang, Baoxiang and Li, Zefeng and El Madhoun, Nour and Al Agha, Khaldoun and Zouaoui, Anis and Pasquier, Thomas},
  booktitle={Security Symposium (USENIX Sec'25)},
  year={2025},
  organization={USENIX}
}
```
Pull requests are welcome! Please follow the contribution guidelines.
See licence.