Merge pull request #31 from ubc-provenance/dev

Update the docs

Author: TristanBilot

.github/img/pidsmaker_new.png

@@ -1,24 +1,16 @@
-
 <p align="center">
-  <img width="50%" src="./.github/img/pidsmaker.png" alt="PIDSMAKER logo"/><br><br>
-
-  <a href="https://ubc-provenance.github.io/PIDSMaker/">
-    <img src="https://img.shields.io/badge/docs-online-pink.svg" alt="Documentation"/>
-  </a>
-  <a href="https://doi.org/10.5281/zenodo.15603122">
-  <img src="https://img.shields.io/badge/DOI-10.5281%2Fzenodo.15603122-blue?logo=zenodo" alt="DOI"/>
-</a>
-  <img src="https://img.shields.io/github/license/ubc-provenance/PIDSMaker?color=red" alt="License"/>
-  </a>
-  <a href="https://github.com/ubc-provenance/PIDSMaker/releases">
-    <img src="https://img.shields.io/github/v/release/ubc-provenance/PIDSMaker" alt="Latest Release"/>
-  </a>
-   <a href="https://github.com/ubc-provenance/PIDSMaker/stargazers">
-    <img src="https://img.shields.io/github/stars/ubc-provenance/PIDSMaker" alt="Stars"/>
-  </a>
+  <img width="80%" src="./.github/img/pidsmaker_title.png" alt="PIDSMAKER logo"/>
 </p>
 
----
+<div align="center">
+
+[![Docs](https://img.shields.io/badge/Docs-Online-ed6a2f?style=flat&labelColor=gray)](https://ubc-provenance.github.io/PIDSMaker/)
+[![DOI](https://img.shields.io/badge/DOI-10.5281/zenodo.15603122-ed6a2f?style=flat&labelColor=gray)](https://doi.org/10.5281/zenodo.15603122)
+[![License](https://img.shields.io/github/license/ubc-provenance/PIDSMaker?style=flat&color=ed6a2f&labelColor=gray)](LICENSE)
+[![Release](https://img.shields.io/github/v/release/ubc-provenance/PIDSMaker?style=flat&color=ed6a2f&labelColor=gray)](https://github.com/ubc-provenance/PIDSMaker/releases)
+[![Stars](https://img.shields.io/github/stars/ubc-provenance/PIDSMaker?style=flat&color=ed6a2f&labelColor=white&logo=github&logoColor=black)](https://github.com/ubc-provenance/PIDSMaker/stargazers)
+
+</div>
 
 <p align="center">
   <strong>
@@ -30,23 +22,56 @@
   </strong>
 </p>
 
+---
+
 The first framework designed to build and experiment with provenance-based intrusion detection systems (PIDSs) using deep learning architectures.
 It provides a single codebase to run most recent state-of-the-arts systems and easily customize them to develop new variants.
 
-**Currently supported PIDSs**:
-- **Velox** (USENIX Sec'25): [Sometimes Simpler is Better: A Comprehensive Analysis of State-of-the-Art Provenance-Based Intrusion Detection Systems](https://tfjmp.org/publications/2025-usenixsec-2.pdf)
-- **Orthrus** (USENIX Sec'25): [ORTHRUS: Achieving High Quality of Attribution in Provenance-based Intrusion Detection Systems](https://www.usenix.org/system/files/conference/usenixsecurity25/sec25cycle1-prepub-103-jiang-baoxiang.pdf)
-- **R-Caid** (IEEE S\&P'24): [R-CAID: Embedding Root Cause Analysis within Provenance-based Intrusion Detection](https://gangw.web.illinois.edu/rcaid-sp24.pdf)
-- **Flash** (IEEE S\&P'24): [Flash: A Comprehensive Approach to Intrusion Detection via Provenance Graph Representation Learning](https://dartlab.org/assets/pdf/flash.pdf)
-- **Kairos** (IEEE S\&P'24): [Kairos: Practical Intrusion Detection and Investigation using Whole-system Provenance](https://arxiv.org/pdf/2308.05034)
-- **Magic** (USENIX Sec'24): [MAGIC: Detecting Advanced Persistent Threats via Masked Graph Representation Learning](https://www.usenix.org/system/files/usenixsecurity24-jia-zian.pdf)
-- **NodLink** (NDSS'24): [NODLINK: An Online System for Fine-Grained APT Attack Detection and Investigation](https://arxiv.org/pdf/2311.02331)
-- **ThreaTrace** (IEEE TIFS'22): [THREATRACE: Detecting and Tracing Host-Based Threats in Node Level Through Provenance Graph Learning](https://arxiv.org/pdf/2111.04333)
+### Supported Systems
+
+The framework currently integrates the following PIDSs.
+
+| PIDS       | Venue               | Paper |
+|------------|---------------------|-------|
+| Velox      | USENIX Security 2025 | [Link](https://tfjmp.org/publications/2025-usenixsec-2.pdf) |
+| Orthrus    | USENIX Security 2025 | [Link](https://www.usenix.org/system/files/conference/usenixsecurity25/sec25cycle1-prepub-103-jiang-baoxiang.pdf) |
+| R-Caid     | IEEE S&P 2024        | [Link](https://gangw.web.illinois.edu/rcaid-sp24.pdf) |
+| Flash      | IEEE S&P 2024        | [Link](https://dartlab.org/assets/pdf/flash.pdf) |
+| Kairos     | IEEE S&P 2024        | [Link](https://arxiv.org/pdf/2308.05034) |
+| Magic      | USENIX Security 2024 | [Link](https://www.usenix.org/system/files/usenixsecurity24-jia-zian.pdf) |
+| NodLink    | NDSS 2024           | [Link](https://arxiv.org/pdf/2311.02331) |
+| ThreaTrace | IEEE TIFS 2022      | [Link](https://arxiv.org/pdf/2111.04333) |
+
+### Supported Datasets
+
+It also includes several easy-to-install provenance datasets for APT detection.
+
+| Dataset | OS | Attacks | Size (GB) |
+|---------|------|---------|-----------|
+| CADETS_E3 | FreeBSD | 3 | 10 |
+| THEIA_E3 | Linux | 2 | 12 |
+| CLEARSCOPE_E3 | Linux | 1 | 4.8 |
+| FIVEDIRECTIONS_E3 | Linux | 2 | 22 |
+| TRACE_E3 | Linux | 3 | 100 |
+| CADETS_E5 | FreeBSD | 2 | 276 |
+| THEIA_E5 | Linux | 1 | 36 |
+| CLEARSCOPE_E5 | Linux | 2 | 49 |
+| FIVEDIRECTIONS_E5 | Linux | 4 | 280 |
+| TRACE_E5 | Linux | 1 | 710 |
+| optc_h201 | Windows | 1 | 9 |
+| optc_h501 | Windows | 1 | 6.7 |
+| optc_h051 | Windows | 1 | 7.7 |
 
 ## 📄 Documentation
 
 A [comprehensive documentation](https://ubc-provenance.github.io/PIDSMaker/) is available, explaining all possible arguments and providing examples on how integrating new systems.
 
+### Pipeline
+
+The framework integrates a [pipeline](https://ubc-provenance.github.io/PIDSMaker/pipeline) composed of seven stages, each parameterizable via configurable arguments, enabling flexible customization of new systems.
+
+<img src="docs/docs/img/pipeline.svg" style="width: 100%"/>
+
 
 ## Setup
 
@@ -63,8 +88,8 @@ We have made the installation of PIDSMaker inclusing pre-processed databases for
 
 Once you have a followed the installation guidelines, you can open a shell in the `pids container` and experiment in multiple ways.
 
-- Replace `SYSTEM` by `velox | orthrus | nodlink | threatrace | kairos | rcaid | flash | magic`.
-- Replace `DATASET` by `CLEARSCOPE_E3 | CADETS_E3 | THEIA_E3 | CLEARSCOPE_E5 | THEIA_E5 | optc_h201 | optc_h501 | optc_h051`.
+- Replace `SYSTEM` by `velox`, `orthrus`, `nodlink`, `threatrace`, `kairos`, `rcaid`, `flash`, `magic`.
+- Replace `DATASET` by `CADETS_E3`, `THEIA_E3`, `CLEARSCOPE_E3`, `FIVEDIRECTIONS_E3`, `TRACE_E3`, `CADETS_E5`, `THEIA_E5`, `CLEARSCOPE_E5`, `FIVEDIRECTIONS_E5`, `TRACE_E5 `, `optc_h201`, `optc_h501`, or `optc_h051`.
 
 1. Run in the shell:
     ```shell
@@ -87,6 +112,17 @@ We generally using using W&B for experiment monitoring and historization (see in
 
 **Warning:** Before performing evaluations, you should tune all systems (see docs [here](https://ubc-provenance.github.io/PIDSMaker/features/tuning/)).
 
+## Reproducing results
+
+PIDSs exhibit significant instability—that is, high sensitivity to training perturbations—due to their self-supervised training nature. 
+Running the same configuration with different random seeds or minor hyperparameter changes often yields substantially different results. 
+Consequently, reproducing results as the framework evolves presents a real challenge.
+
+Based on our experiments, we provide [tuned hyperparameters](https://ubc-provenance.github.io/PIDSMaker/tuned_systems) for the main systems.
+However, we can't guarantee that these hyperparameters will lead to satisfactory results due to instability.
+
+We recommend [running each system multiple times](https://ubc-provenance.github.io/PIDSMaker/features/instability/) to increase the likelihood of obtaining a run with good metrics. Alternatively, you can perform [hyperparameter tuning](https://ubc-provenance.github.io/PIDSMaker/features/tuning/) for each system.
+
 ## Customize existing systems
 
 The default configuration files in `config/*.yml` represent the architecture of existing PIDSs in YAML format. They contain the original hyperparameters used by each system. 

.github/img/pidsmaker_title.png

@@ -1,19 +1,30 @@
-Tasks are steps composing the pipeline, starting from graph construction (`construction`) to detection (`evaluation`) or optionally triage (`tracing`).
-Each task takes as input the output from the previous task and write its output to the disk so that the next task can use it. This process enables "checkpointing" across the pipeline and avoids the duplication of compute. More information on tasks and the pipeline [here](../pipeline.md).
+Tasks are steps composing the pipeline, starting from graph construction (`construction`) to detection (`evaluation`) or optionally triage (`triage`).
+Each task takes as input the output from the previous task and writes its output to the disk so that the next task can use it. This process enables "checkpointing" across the pipeline and avoids the duplication of compute. More information on tasks and the pipeline [here](../pipeline.md).
 
-### Preprocessing
+### Stage 1: Construction
 
---8<-- "scripts/args/args_preprocessing.md"
+--8<-- "scripts/args/args_construction.md"
 
-### Featurization
+### Stage 2: Transformation
+
+--8<-- "scripts/args/args_transformation.md"
+
+### Stage 3: Featurization
 
 --8<-- "scripts/args/args_featurization.md"
 
-### Detection
+### Stage 4: Batching
 
---8<-- "scripts/args/args_detection.md"
+--8<-- "scripts/args/args_batching.md"
 
-### Triage
+### Stage 5: Training
 
---8<-- "scripts/args/args_triage.md"
+--8<-- "scripts/args/args_training.md"
+
+### Stage 6: Evaluation
 
+--8<-- "scripts/args/args_evaluation.md"
+
+### Stage 7: Triage
+
+--8<-- "scripts/args/args_triage.md"

README.md

@@ -1,4 +1,4 @@
-# Install a dataset from scratch
+# Installing a dataset from scratch
 
 PIDSMaker comes by default with pre-processed versions of DARPA datasets.
 If you want to install them from scratch using the official public files, follow this guide.

docs/docs/assets/logo.ico

@@ -0,0 +1,166 @@
+# Datasets
+
+PIDSMaker supports several public datasets commonly used in APT detection research. This page describes each dataset and its attack scenarios.
+
+## Overview
+
+| Dataset | OS | Attacks | Size (GB) |
+|---------|------|---------|-----------|
+| CADETS_E3 | FreeBSD | 3 | 10 |
+| THEIA_E3 | Linux | 2 | 12 |
+| CLEARSCOPE_E3 | Linux | 1 | 4.8 |
+| FIVEDIRECTIONS_E3 | Linux | 2 | 22 |
+| TRACE_E3 | Linux | 3 | 100 |
+| CADETS_E5 | FreeBSD | 2 | 276 |
+| THEIA_E5 | Linux | 1 | 36 |
+| CLEARSCOPE_E5 | Linux | 2 | 49 |
+| FIVEDIRECTIONS_E5 | Linux | 4 | 280 |
+| TRACE_E5 | Linux | 1 | 710 |
+| optc_h201 | Windows | 1 | 9 |
+| optc_h501 | Windows | 1 | 6.7 |
+| optc_h051 | Windows | 1 | 7.7 |
+
+
+
+## DARPA TC
+
+The DARPA Transparent Computing program produced benchmark datasets for evaluating provenance-based security systems.
+
+### [Engagement 3 (E3) - April 2018](https://github.com/darpa-i2o/Transparent-Computing/blob/master/README-E3.md)
+
+
+#### CADETS_E3
+
+FreeBSD host with Nginx server exploitation.
+
+| Attack id | Duration | Description |
+|---|----------|-------------|
+| 0 | 49 min | Nginx exploited to deploy Drakon loader with root escalation. Netrecon executed after C2 connection, followed by failed `libdrakon` injection into `sshd`. Host crashed with kernel panic. |
+| 1 | 40 min | Nginx re-exploited to deploy Drakon and MicroAPT implants under random names (`tmux`, `minions`, `sendmail`). Privilege escalation failed; MicroAPT ran unprivileged for port scanning. |
+| 2 | 13 min | Nginx re-exploited to deploy new Drakon implant with root privileges. Multiple failed `sshd` injection attempts using renamed `libdrakon` copies. |
+
+```shell
+python pidsmaker/main.py SYSTEM CADETS_E3
+```
+
+#### THEIA_E3
+
+Ubuntu host with Firefox exploitation.
+
+| Attack id | Duration | Description |
+|---|----------|-------------|
+| 0 | 50 min | Malicious Firefox extension dropped Drakon implant. MicroAPT staged under `/var/log/mail`, connected to C2 for control and network scanning. |
+| 1 | 30 min | Firefox exploited to drop Drakon implant as `/home/admin/clean` with root privileges, then copied as `profile`. Both connected to C2 server. |
+
+```shell
+python pidsmaker/main.py SYSTEM THEIA_E3
+```
+
+#### CLEARSCOPE_E3
+
+Android device with Firefox exploitation.
+
+| Attack id | Duration | Description |
+|---|----------|-------------|
+| 0 | 54 min | Firefox exploited via malicious website. Drakon implant installed and elevated, but module loading failed. Persistent C2 connection maintained. |
+
+```shell
+python pidsmaker/main.py SYSTEM CLEARSCOPE_E3
+```
+
+### [Engagement 5 (E5) - May 2019](https://github.com/darpa-i2o/Transparent-Computing)
+
+#### THEIA_E5
+
+Ubuntu host with Firefox exploitation.
+
+| Attack id | Duration | Description |
+|---|----------|-------------|
+| 0 | 19 min | Firefox exploited via malicious website. Root gained with BinFmt-Elevate, Drakon shellcode injected into `sshd`, persistence file created, C2 access maintained. |
+
+```shell
+python pidsmaker/main.py SYSTEM THEIA_E5
+```
+
+#### CLEARSCOPE_E5
+
+Android device with APK-based attacks.
+
+| Attack id | Duration | Description |
+|---|----------|-------------|
+| 0 | 41 min | Malicious `appstarter` APK loaded MicroAPT. Elevate driver installed for privilege escalation. Sensitive databases exfiltrated (calllog, calendar, SMS) and screenshot captured. |
+| 1 | 8 min | MicroAPT deployed directly via adb shell after APK dropper failed. Privilege escalation via BinFmt Elevate driver, then file exfiltration. |
+
+```shell
+python pidsmaker/main.py SYSTEM CLEARSCOPE_E5
+```
+
+## [DARPA OpTC](https://github.com/FiveDirections/OpTC-data)
+
+Windows enterprise environment with realistic APT scenarios.
+
+### optc_h201
+
+| Attack id | Duration | Description |
+|---|----------|-------------|
+| 0 | 1h58 | PowerShell Empire stager executed with elevated access. Mimikatz used for credential theft, registry persistence set, recon performed, then pivoted to other hosts via WMI. |
+
+```shell
+python pidsmaker/main.py SYSTEM optc_h201
+```
+
+### optc_h501
+
+| Attack id | Duration | Description |
+|---|----------|-------------|
+| 0 | 5h01 | Phishing email launched PowerShell Empire stager. Escalated via DeathStar, WMI persistence established, RDP tunneling and file exfiltration performed, then pivoted to other hosts. |
+
+```shell
+python pidsmaker/main.py SYSTEM optc_h501
+```
+
+### optc_h051
+
+| Attack id | Duration | Description |
+|---|----------|-------------|
+| 0 | 3h56 | Malicious Notepad++ update installed Meterpreter. Escalated to SYSTEM, migrated into LSASS for Mimikatz credential theft, established persistence, timestomped files, added admin account for RDP. |
+
+```shell
+python pidsmaker/main.py SYSTEM optc_h051
+```
+
+!!! note
+    TODO: add descriptions for CADETS_E5, FIVED and TRACE datasets.
+
+## Data structure
+
+### Graph partitioning
+
+Each dataset is partitioned into daily graphs, split into:
+
+- **Train graphs**: Normal activity for model training
+- **Validation graphs**: Normal activity for threshold calibration
+- **Test graphs**: Contains both normal activity and attacks
+
+## Adding custom datasets
+
+To add a new dataset, define its configuration in `pidsmaker/config/config.py`:
+
+```python
+DATASET_DEFAULT_CONFIG = {
+    "MY_DATASET": {
+        "database": "my_database_name",
+        "num_node_types": 3,
+        "num_edge_types": 10,
+        "train_files": ["graph_1", "graph_2", "graph_3"],
+        "val_files": ["graph_4"],
+        "test_files": ["graph_5", "graph_6"],
+        "ground_truth_relative_path": ["MY_DATASET/labels.csv"],
+        "attack_to_time_window": [
+            ["MY_DATASET/labels.csv", "2024-01-05 10:00:00", "2024-01-05 12:00:00"],
+        ],
+    },
+}
+```
+
+Then follow the [database creation guide](create-db-from-scratch.md) to load your data.