Hongbin Sun,Su Wang,Zhiliang Wang,Zheyu Jiang,Dongqi Han,Jiahai Yang

DOI: https://doi.org/10.1145/3678890.3679048

2024-01-01

Abstract:Recently enterprises and governments face escalating APT attacks, leading to significant economic losses. APT attacks often persist for extended periods, necessitating the storage of extensive audit logs for effective detection. To reduce data storage overhead, enterprises commonly adopt compression strategies. However, efficient compression strategies may introduce additional query overhead. Existing approaches propose data reduction algorithms, but these methods can compromise data integrity, rendering current attack investigation and anomaly-based intrusion detection ineffective. To address these difficulties, we present AudiTrim, a system that ensures real-time, general, efficient, and low-overhead data compaction without compromising attack investigation and anomaly-based intrusion detection. It efficiently reduces log sizes without impacting user experiences, achieving real-time compaction and adaptable deployment on different operating systems. AudiTrim employs two strategies: 1) Data Reduction: By analyzing the types of duplicate edges, our data reduction approach not only considers a broader range of scenarios for redundant edges compared to previous methods but also enhances the efficiency of data reduction. 2) Data Compression: By aggregating log information at the server-side and training a compression model, we facilitate a data compression algorithm that ensures ease of querying. Both strategies meet real-time, low-overhead, and general requirements, fulfilling enterprise data storage needs. The final compaction ratio reaches 26×-65×.

Tiantian Zhu,Jiayu Wang,Linqi Ruan,Chunlin Xiong,Jinkai Yu,Yaosheng Li,Yan Chen,Mingqi Lv,Tieming Chen

DOI: https://doi.org/10.1109/tifs.2021.3076288

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:The damage caused by Advanced Persistent Threat (APT) attacks to governments and large enterprises is gradually escalating. Once an attack event is detected, forensic analysis will use the dependencies between system audit logs to rapidly locate intrusion points and determine the impact of the attacks. Due to the high persistence of APT attacks, huge amounts of data will be stored to meet the needs of forensic analysis, which not only brings great storage overhead, but also sharply increases the computing costs. To compact data without affecting forensic analysis, several methods have been proposed. However, in real-world scenarios, we meet the problems of weak cross-platform capability, large data processing overhead, and poor real-time performance, rendering existing data compaction methods difficult to meet the usability and universality requirements jointly. To overcome these difficulties, this paper proposes a general, efficient, and real-time data compaction method at the system log level; it does not involve internal analysis of the program or depend on the specific operating system type, and it includes two strategies: 1) data compaction of maintaining global semantics (GS), which determines and deletes redundant events that do not affect global dependencies, and 2) data compaction based on suspicious semantics (SS). Given that the purpose of forensic analysis is to restore the attack chain, SS performs context analysis on the remaining events from GS and further deletes the parts that are not related to the attack. The results of the real-world experiments show that the compaction ratios of our method to system events are as high as $4.36\times $ to $13.18\times $ and $7.86\times $ to $26.99\times $ on GS and SS, respectively, which is better than state-of-the-art studies.

Jianyu Jiang,Shixiong Zhao,Danish Alsayed,Yuexuan Wang,Heming Cui,Feng Liang,Zhaoquan Gu

DOI: https://doi.org/10.1145/3134600.3134607

2017-01-01

Abstract:Big-data frameworks (e.g., Spark) enable computations on tremendous data records generated by third parties, causing various security and reliability problems such as information leakage and programming bugs. Existing systems for big-data security (e.g., Titian) track data transformations in a record level, so they are imprecise and too coarse-grained for these problems. For instance, when we ran Titian to drill down input records that produced a buggy output record, Titian reported 3 to 9 orders of magnitude more input records than the actual ones. Information Flow Tracking (IFT) is a conventional approach for precise information control. However, extant IFT systems are neither efficient nor complete for big-data frameworks, because theses frameworks are data-intensive, and data flowing across hosts is often ignored by IFT. This paper presents KAKUTE, the first precise, fine-grained in- formation flow analysis system for big-data. Our insight on mak- ing IFT efficient is that most fields in a data record often have the same IFT tags, and we present two new efficient techniques called Reference Propagation and Tag Sharing. In addition, we design an efficient, complete cross-host information flow propagation approach. Evaluation on seven diverse big-data programs (e.g., WordCount) shows that KAKUTE had merely 32.3% overhead on average even when fine-grained information control was en abled. Compared with Titian, KAKUTE precisely drilled down the actual bug inducing input records, a huge reduction of 3 to 9 or ders of magnitude. KAKUTE's performance overhead is comparable with Titian. Furthermore, KAKUTE effectively detected 13 real world security and reliability bugs in 4 diverse problems, including information leakage, data provenance, programming and performance bugs. KAKUTE'S source code and results are available on https://github.com/hku-systems/kakute.

Yutao Tang,Ding Li,Zhichun Li,Mu Zhang,Kangkook Jee,Xusheng Xiao,Zhenyu Wu,Junghwan Rhee,Fengyuan Xu,Qun Li

DOI: https://doi.org/10.1145/3243734.3243763

2018-01-01

Abstract:Today's enterprises are exposed to sophisticated attacks, such as Advanced Persistent Threats~(APT) attacks, which usually consist of stealthy multiple steps. To counter these attacks, enterprises often rely on causality analysis on the system activity data collected from a ubiquitous system monitoring to discover the initial penetration point, and from there identify previously unknown attack steps. However, one major challenge for causality analysis is that the ubiquitous system monitoring generates a colossal amount of data and hosting such a huge amount of data is prohibitively expensive. Thus, there is a strong demand for techniques that reduce the storage of data for causality analysis and yet preserve the quality of the causality analysis. To address this problem, in this paper, we propose NodeMerge, a template based data reduction system for online system event storage. Specifically, our approach can directly work on the stream of system dependency data and achieve data reduction on the read-only file events based on their access patterns. It can either reduce the storage cost or improve the performance of causality analysis under the same budget. Only with a reasonable amount of resource for online data reduction, it nearly completely preserves the accuracy for causality analysis. The reduced form of data can be used directly with little overhead. To evaluate our approach, we conducted a set of comprehensive evaluations, which show that for different categories of workloads, our system can reduce the storage capacity of raw system dependency data by as high as 75.7 times, and the storage capacity of the state-of-the-art approach by as high as 32.6 times. Furthermore, the results also demonstrate that our approach keeps all the causality analysis information and has a reasonably small overhead in memory and hard disk.

Anne Tall,Jun Wang,Dezhi Han

DOI: https://doi.org/10.1145/3006299.3006336

2016-12-06

Abstract:Data intensive computing research and technology developments offer the potential of providing significant improvements in several security log management challenges. Approaches to address the complexity, timeliness, expense, diversity, and noise issues have been identified. These improvements are motivated by the increasingly important role of analytics. Machine learning and expert systems that incorporate attack patterns are providing greater detection insights. Finding actionable indicators requires the analysis to combine security event log data with other network data such and access control lists, making the big-data problem even bigger. Automation of threat intelligence is recognized as not complete with limited adoption of standards. With limited progress in anomaly signature detection, movement towards using expert systems has been identified as the path forward. Techniques focus on matching behaviors of attackers to patterns of abnormal activity in the network. The need to stream, parse, and analyze large volumes of small, semi-structured data files can be feasibly addressed through a variety of techniques identified by researchers. This report highlights research in key areas, including protection of the data, performance of the systems and network bandwidth utilization.

QIAN Qin,ZHANG Jian,ZHANG Kun,FU Xiao,MAO Bing

2014-01-01

Computer Science

Abstract:For the past few years,the amount of computer crime has been increasing year by year,and it is threatening various aspects of human society such as national politics,economy,and culture,etc.In modern society,the research on intrusion forensics and intrusion detection plays a significant role for fighting against computer crime,tracing intrusion,patching vulnerability and improving security system of computer network.However,with the popularity of Internet and the improving capacity of computers' storage,we often need to handle mass data about GB size,even up to TB size for intrusion forensics and intrusion detection.It inevitably makes much useful information submerge in redundant events,which brings about a huge challenge and low accuracy of analysis result.So it will be a topmost breakthrough to design a kind of technology for reducing redundant data and improving its accuracy and efficiency.This paper summarized several methods on intrusion forensics and intrusion detection.Firstly,this paper discoursed the development course of redundancy-reducing techniques and the application in traditional field such as medical domain.Then it systematically introduced all kinds of redundancy-reducing methods in intrusion forensics and intrusion detection.Finally,it figured out the existing problems and research direction in the future.It also gave some conclusions through the comparison on current situation of redundant data reducing techniques.

Jian Zhang,Xiao Fu,Xiaojiang Du,Bin Luo,Zhihong Zhao

DOI: https://doi.org/10.1109/ICDCSW.2013.7

2013-01-01

Abstract:An important data source for intrusion forensics is various types of logs from the systems and networks being investigated. However, there are still many problems when using these logs for forensic analysis. Firstly, with the development of computers and Internet, intrusion behaviors involve more types and more quantities of logs, and these massive and complex log evidences make forensics analyst overwhelmed. Secondly, among the large number of logs that investigators need to analyze, the data related to criminal behaviors only accounts for a very small proportion and most of the rest data are useless records resulted from normal behaviors. Large amount of forensic data and high proportion of useless records make it very difficult to investigate and collect evidences. In addition, this makes criminal behaviors that submerged in a large amount of useless records easily overlooked. This paper introduces a new method for the reduction of candidate log evidences for intrusion forensics. Its main idea is to extract the key attribute fields as features of log records and assign a score to each log record. This score is used to indicate the degree of redundancy of the record. The greater the score is, the more likely the records are redundant. Our experiments based on Darpa2000 and Snort real-world data show that this method can significantly reduce the interference caused by useless data for forensic analysis: it removes 57% and 82% useless data in Darpa2000 and the Snort real-world data, respectively.

Pengcheng Fang,Peng Gao,Changlin Liu,Erman Ayday,Kangkook Jee,Ting Wang,Yanfang (Fanny) Ye,Zhuotao Liu,Xusheng Xiao

DOI: https://doi.org/10.5281/zenodo.5559214

2022-01-01

Abstract:Causality analysis on system auditing data has emerged as an important solution for attack investigation. Given a POI (Point-Of-Interest) event (e.g., an alert fired on a suspicious file creation), causality analysis constructs a dependency graph, in which nodes represent system entities (e.g., processes and files) and edges represent dependencies among entities, to reveal the attack sequence. However, causality analysis often produces a huge graph ( > 100,000 edges) that is hard for security analysts to inspect. From the dependency graphs of various attacks, we observe that (1) dependencies that are highly related to the POI event often exhibit a different set of properties (e.g., data flow and time) from the less-relevant dependencies; (2) the POI event is often related to a few attack entries (e.g., downloading a file). Based on these insights, we propose DEPIMPACT, a framework that identifies the critical component of a dependency graph (i.e., a subgraph) by (1) assigning discriminative dependency weights to edges to distinguish critical edges that represent the attack sequence from less-important dependencies, (2) propagating dependency impacts backward from the POI event to entry points, and (3) performing forward causality analysis from the top-ranked entry nodes based on their dependency impacts to filter out edges that are not found in the forward causality analysis. Our evaluations on the 150 million real system auditing events of real attacks and the DARPA TC dataset show that DEPIMPACT can significantly reduce the large dependency graphs (similar to 1,000,000 edges) to a small graph (similar to 234 edges), which is 4611x smaller. The comparison with the other state-of-the-art causality analysis techniques shows that DEPIMPACT is 106x more effective in reducing the dependency graphs while preserving the attack sequences.

Wei Wang,Jiqiang Liu,Georgios Pitsilis,Xiangliang Zhang

DOI: https://doi.org/10.1016/j.ins.2016.10.023

IF: 8.1

2016-01-01

Information Sciences

Abstract:Anomaly intrusion detection in big data environments calls for lightweight models that are able to achieve real-time performance during detection. Abstracting audit data provides a solution to improve the efficiency of data processing in intrusion detection. Data abstraction refers to abstract or extract the most relevant information from the massive dataset. In this work, we propose three strategies of data abstraction, namely, exemplar extraction, attribute selection and attribute abstraction. We first propose an effective method called exemplar extraction to extract representative subsets from the original massive data prior to building the detection models. Two clustering algorithms, Affinity Propagation (AP) and traditional k-means, are employed to find the exemplars from the audit data. k-Nearest Neighbor (k-NN), Principal Component Analysis (PCA) and one-class Support Vector Machine (SVM) are used for the detection. We then employ another two strategies, attribute selection and attribute extraction, to abstract audit data for anomaly intrusion detection. Two http streams collected from a real computing environment as well as the KDD’99 benchmark data set are used to validate these three strategies of data abstraction. The comprehensive experimental results show that while all the three strategies improve the detection efficiency, the AP-based exemplar extraction achieves the best performance of data abstraction.

Wei Wang,Xiangliang Zhang,Georgios Pitsilis

DOI: https://doi.org/10.1007/978-3-642-17714-9_15

2010-01-01

Abstract:High speed of processing massive audit data is crucial for an anomaly Intrusion Detection System (IDS) to achieve real-time performance during the detection. Abstracting audit data is a potential solution to improve the efficiency of data processing. In this work, we propose two strategies of data abstraction in order to build a lightweight detection model. The first strategy is exemplar extraction and the second is attribute abstraction. Two clustering algorithms, Affinity Propagation (AP) as well as traditional k-means, are employed to extract the exemplars, and Principal Component Analysis (PCA) is employed to abstract important attributes (a.k.a. features) from the audit data. Real HTTP traffic data collected in our institute as well as KDD 1999 data are used to validate the two strategies of data abstraction. The extensive test results show that the process of exemplar extraction significantly improves the detection efficiency and has a better detection performance than PCA in data abstraction.

Jiaping Gui,Ding Li,Zhengzhang Chen,Junghwan Rhee,Xusheng Xiao,Mu Zhang,Kangkook Jee,Zhichun Li,Haifeng Chen

DOI: https://doi.org/10.1109/ICDE48307.2020.00151

2020-01-01

Abstract:While backtracking analysis has been successful in assisting the investigation of complex security attacks, it faces a critical dependency explosion problem. To address this problem, security analysts currently need to tune backtracking analysis manually with different case-specific heuristics. However, existing systems fail to fulfill two important system requirements to achieve effective backtracking analysis. First, there need flexible abstractions to express various types of heuristics. Second, the system needs to be responsive in providing updates so that the progress of backtracking analysis can be frequently inspected, which typically involves multiple rounds of manual tuning. In this paper, we propose a novel system, APTrace, to meet both of the above requirements. As we demonstrate in the evaluation, security analysts can effectively express heuristics to reduce more than 99.5% of irrelevant events in the backtracking analysis of real-world attack cases. To improve the responsiveness of backtracking analysis, we present a novel execution-window partitioning algorithm that significantly reduces the waiting time between two consecutive updates (especially, 57 times reduction for the top 1% waiting time).

Sadegh M. Milajerdi,Birhanu Eshete,Rigel Gjomemo,V.N. Venkatakrishnan

DOI: https://doi.org/10.48550/arXiv.1810.05711

2018-10-13

Abstract:Kernel audit logs are an invaluable source of information in the forensic investigation of a cyber-attack. However, the coarse granularity of dependency information in audit logs leads to the construction of huge attack graphs which contain false or inaccurate dependencies. To overcome this problem, we propose a system, called ProPatrol, which leverages the open compartmentalized design in families of enterprise applications used in security-sensitive contexts (e.g., browser, chat client, email client). To achieve its goal, ProPatrol infers a model for an application's high-level tasks as input-processing compartments using purely the audit log events generated by that application. The main benefit of this approach is that it does not rely on source code or binary instrumentation, but only on a preliminary and general knowledge of an application's architecture to bootstrap the analysis. Our experiments with enterprise-level attacks demonstrate that ProPatrol significantly cuts down the forensic investigation effort and quickly pinpoints the root- cause of attacks. ProPatrol incurs less than 2% runtime overhead on a commodity operating system.

Cryptography and Security

Liya Su,Yepeng Yao,Ning Li,Junrong Liu,Zhigang Lu,Baoxu Liu

DOI: https://doi.org/10.1109/TrustCom/BigDataSE.2018.00108

2018-08-01

Abstract:Attacks like APT have lasted for a long time which need suspicious flow detection on long-time data. However, the challenge of effectively analyzing massive data source for suspicious flow diagnosis is unmet yet. Consequently, flow data reduction should be adopted, which refers to abstract the most relevant information from the massive dataset. Existing approaches to sampling flow data are inherently inaccurate unless running at high sampling rate. In this paper, we proposed HCBS (Hierarchical Clustering Based Sampling), a flow data reduction scheme, to alleviate such problems. We study the characteristics of flow data relating malicious activities and employ hierarchical clustering to sample data for further deep detection. Experiments on 1999 DARPA dataset demonstrates that HCBS reduces the size of the flow data by 40% with only a small loss in accuracy and significantly outperforms the compared state-of-the-art.

Computer Science

Alina Oprea,Zhou Li,Ting-Fang Yen,Sang H. Chin,Sumayah Alrwais

DOI: https://doi.org/10.1109/dsn.2015.14

2015-01-01

Abstract:Recent years have seen the rise of sophisticated attacks including advanced persistent threats (APT) which pose severe risks to organizations and governments. Additionally, new malware strains appear at a higher rate than ever before. Since many of these malware evade existing security products, traditional defenses deployed by enterprises today often fail at detecting infections at an early stage. We address the problem of detecting early-stage APT infection by proposing a new framework based on belief propagation inspired from graph theory. We demonstrate that our techniques perform well on two large datasets. We achieve high accuracy on two months of DNS logs released by Los Alamos National Lab (LANL), which include APT infection attacks simulated by LANL domain experts. We also apply our algorithms to 38TB of web proxy logs collected at the border of a large enterprise and identify hundreds of malicious domains overlooked by state-of-the-art security products.

Han Yu,Aiping Li,Rong Jiang

DOI: https://doi.org/10.1109/icct46805.2019.8947201

2019-01-01

Abstract:In this paper, we present a system NeedleHunter to detect Advanced and Persistent Threats (APTs) and reconstruction of attack scenarios. Due to the information asymmetry between attackers and defenders, detecting APT attacks remains to be a challenge. Instead of targeting individual exploits, correlating the various stages of the attack is a substantially more feasible strategy. In our approach, we first construct a version-based provenance graph by analyzing system audit logs. Then, we use the rule-based technique to detection a particular stage of the attack, and connect these attacks to generate an attack path by leveraging the correlation between information flows. Also, we implement the compaction technique to compress the scale of the graph for scalable forensic analysis. An evaluation of our approach indicates that NeedleHunter can capture the key stages of APT campaigns with high precision and reconstruct the details of the attacks.

Darren Quick,Kim-Kwang Raymond Choo

DOI: https://doi.org/10.1007/s10586-016-0553-1

2016-03-21

Cluster Computing

Abstract:An issue that continues to impact digital forensics is the increasing volume of data and the growing number of devices. One proposed method to deal with the problem of “big digital forensic data”: the volume, variety, and velocity of digital forensic data, is to reduce the volume of data at either the collection stage or the processing stage. We have developed a novel approach which significantly improves on current practice, and in this paper we outline our data volume reduction process which focuses on imaging a selection of key files and data such as: registry, documents, spreadsheets, email, internet history, communications, logs, pictures, videos, and other relevant file types. When applied to test cases, a hundredfold reduction of original media volume was observed. When applied to real world cases of an Australian Law Enforcement Agency, the data volume further reduced to a small percentage of the original media volume, whilst retaining key evidential files and data. The reduction process was applied to a range of real world cases reviewed by experienced investigators and detectives and highlighted that evidential data was present in the data reduced forensic subset files. A data reduction approach is applicable in a range of areas, including: digital forensic triage, analysis, review, intelligence analysis, presentation, and archiving. In addition, the data reduction process outlined can be applied using common digital forensic hardware and software solutions available in appropriately equipped digital forensic labs without requiring additional purchase of software or hardware. The process can be applied to a wide variety of cases, such as terrorism and organised crime investigations, and the proposed data reduction process is intended to provide a capability to rapidly process data and gain an understanding of the information and/or locate key evidence or intelligence in a timely manner.

Jie Ying,Tiantian Zhu,Wenrui Cheng,Qixuan Yuan,Mingjun Ma,Chunlin Xiong,Tieming Chen,Mingqi Lv,Yan Chen

2024-05-04

Abstract:As the complexity and destructiveness of Advanced Persistent Threat (APT) increase, there is a growing tendency to identify a series of actions undertaken to achieve the attacker's target, called attack investigation. Currently, analysts construct the provenance graph to perform causality analysis on Point-Of-Interest (POI) event for capturing critical events (related to the attack). However, due to the vast size of the provenance graph and the rarity of critical events, existing attack investigation methods suffer from problems of high false positives, high overhead, and high latency. To this end, we propose SPARSE, an efficient and real-time system for constructing critical component graphs (i.e., consisting of critical events) from streaming logs. Our key observation is 1) Critical events exist in a suspicious semantic graph (SSG) composed of interaction flows between suspicious entities, and 2) Information flows that accomplish attacker's goal exist in the form of paths. Therefore, SPARSE uses a two-stage framework to implement attack investigation (i.e., constructing the SSG and performing path-level contextual analysis). First, SPARSE operates in a state-based mode where events are consumed as streams, allowing easy access to the SSG related to the POI event through semantic transfer rule and storage strategy. Then, SPARSE identifies all suspicious flow paths (SFPs) related to the POI event from the SSG, quantifies the influence of each path to filter irrelevant events. Our evaluation on a real large-scale attack dataset shows that SPARSE can generate a critical component graph (~ 113 edges) in 1.6 seconds, which is 2014 X smaller than the backtracking graph (~ 227,589 edges). SPARSE is 25 X more effective than other state-of-the-art techniques in filtering irrelevant edges.

Cryptography and Security

Zhou Li,Alina Oprea

DOI: https://doi.org/10.1109/secdev.2016.015

2016-01-01

Abstract:Enterprises today are facing an increasing number of criminal threats ranging from financially motivated and opportunistic malware to more advanced targeted attacks organized by nation-state actors. To protect against these threats, enterprises deploy a number of perimeter defenses, including traditional controls (anti-virus software, intrusion detection systems, firewalls) and more advanced techniques (web proxies or deep packet inspection products). Organizations collect and store the log data generated by these security controls, but this data is most of the time used for forensic investigation once an attack has been discovered by an external mechanism. In this paper, we describe a security log analytics framework for proactive breach detection, which we have tested on three applications. We summarize the algorithms and detection results from our previous work ([13, 20, 21]). Compared to other research in this area, our framework analyzes multiple sources of security logs, performs large-scale analysis, and is continuously refined from feedback given by security experts. Our techniques have been successfully used in operational setting in a large organization and are currently integrated in a real-time behavior analytics product.

Huan Zhang,Lijun Cai,Lixin Zhao,Aimin Yu,Jiangang Ma,Dan Meng

DOI: https://doi.org/10.1109/milcom55135.2022.10017626

2022-01-01

Abstract:Cyber attacks on enterprises and organizations have increased dramatically recently. Endpoint monitoring systems are widely deployed in enterprises and organizations to stop these attacks. System audit logs are the critical data resource of endpoint monitoring, containing trustworthy and comprehensive records for forensic investigation and behavior analysis. However, analyzing and understanding system audit logs is challenging due to the massive volume and low semantics of system events. This paper proposes LogMiner, a system audit log reduction approach based on behavior pattern mining. The key insight is that, user behavior exhibits unique and stable characteristics in system audit logs. Discovering the distinct pattern in system events and replacing them with behaviors provides a new log reduction strategy. LogMiner automatically extracts patterns of user behaviors from system events and identifies behaviors in audit logs upon these patterns. Experimental results on real-world data show that the reduction rate of LogMiner to system events is as high as 245.6x on average. In addition, LogMiner can accurately distinguish user behaviors and achieves an average F1 score of 100% on behavior identification.

Feng Dong,Liu Wang,Xu Nie,Fei Shao,Haoyu Wang,Ding Li,Xiapu Luo,Xusheng Xiao

2023-01-01

Abstract:Building provenance graph that considers causal relationships among software behaviors can better provide contextual information of cyber attacks, especially for advanced attacks such as Advanced Persistent Threat (APT) attacks. Despite its promises in assisting attack investigation, existing approaches that use provenance graphs to perform attack detection suffer from two fundamental limitations. First, existing approaches adopt a centralized detection architecture that sends all system auditing logs to the server for processing, incurring intolerable costs of data transmission, data storage, and computation. Second, they adopt either rule-based techniques that cannot detect unknown threats, or anomaly-detection techniques that produce numerous false alarms, failing to achieve a balance of precision and recall in APT detection. To address these fundamental challenges, we propose DISTDET, a distributed detection system that detects APT attacks by (1) performing light weight detection based on the host model built in the client side, (2) filtering false alarms based on the semantics of the alarm proprieties, and (3) deriving global models to complement the local bias of the host models. Our experiments on a large-scale industrial environment (1,130 hosts, 14 days, similar to 1.6 billion events) and the DARPA TC dataset show that DISTDET is as effective as sate-of-the-art techniques in detecting attacks, while dramatically reducing network bandwidth from 11.28Mb/s to 17.08Kb/S (676.5x reduction), memory usages from 364MB to 5.523MB (66x reduction), and storage from 1.47GB to 130.34MB (11.6x reduction). By the time of this writing, DISTDET has been deployed to 50+ industry customers with 22,000+ hosts for more than 6 months, and identified over 900 real-world attacks.