Papers
Topics
Authors
Recent
Search
2000 character limit reached

MirGuard: Robust Provenance Intrusion Detection

Updated 8 July 2026
  • MirGuard is a provenance-based intrusion detection system that enhances anomaly detection by utilizing domain-specific graph augmentations and contrastive learning for robust representations.
  • It combines logic-aware noise injection with multi-view augmentation to preserve provenance semantics and mitigate adversarial graph manipulation.
  • The system employs a lightweight KMeans clustering approach for efficient anomaly scoring, achieving near state-of-the-art performance under various attack scenarios.

Searching arXiv for the exact MirGuard paper and closely named systems for disambiguation. MirGuard is a provenance-based intrusion detection system (PIDS) designed to improve robustness against graph manipulation attacks in learning-based provenance analysis. It targets a specific failure mode of graph-based anomaly detectors: an adversary can manipulate graph structure or features so that malicious behavior is embedded in the representation space as if it were benign. MirGuard addresses this by combining logic-aware multi-view augmentation, contrastive representation learning, and a lightweight KMeans-based anomaly detector, with the stated goal of preserving detection performance and efficiency while improving robustness under adversarial graph perturbations (Sang et al., 14 Aug 2025).

1. Definition and scope

MirGuard is introduced in "MirGuard: Towards a Robust Provenance-based Intrusion Detection System Against Graph Manipulation Attacks" (Sang et al., 14 Aug 2025). In this formulation, provenance graphs encode causal relations among system entities and events, including processes, files, and network objects, with typed edges such as read/write, fork/clone, and connect/send/recv. Learning-based PIDSes such as Threatrace, MAGIC, and FLASH use graph embeddings or GNNs to detect anomalies, but the paper argues that they are vulnerable to mimicry and graph manipulation attacks because their representations are highly sensitive to local neighborhood structure (Sang et al., 14 Aug 2025).

The threat model distinguishes two attack phases. In data pollution attacks at detection time, the attacker manipulates the victim graph after training so that malicious activity is misclassified. In data poisoning attacks at training time, the attacker injects perturbed samples into the training data so that the learned model becomes less discriminative. In both cases, the underlying mechanism is the same: small but strategic graph edits can move malicious nodes or subgraphs toward benign regions of the latent space (Sang et al., 14 Aug 2025).

A recurrent point of confusion is nomenclature. MirGuard, in this sense, is a robustness-oriented PIDS for provenance graphs and is distinct from similarly named systems such as MergeGuard for unauthorized model merging (Chen et al., 14 Nov 2025), MirrorGuard for computer-use agent reasoning correction (Zhang et al., 19 Jan 2026), MindGuard for MCP tool poisoning (Wang et al., 28 Aug 2025), Mirage for DDoS defense (Mittal et al., 2011), and MIRAGE for web-agent visual prompt injection (Dai et al., 16 Jun 2026). This disambiguation matters because the technical problem, data modality, and threat model are entirely different across these works.

2. Adversarial setting in provenance graphs

The paper frames provenance PIDS vulnerability as a consequence of treating graph structure as a faithful reflection of behavior. Attackers can exploit this assumption by adding edges between malicious and benign nodes, changing features of malicious nodes to match benign distributions, or injecting benign subgraphs into attack subgraphs to camouflage causal structure (Sang et al., 14 Aug 2025).

This attack surface is particularly acute in provenance analysis because many graph learners derive their embeddings from topology and local neighborhoods. If malicious behavior is surrounded by benign-looking connections, the embedding can shift into a benign cluster. A plausible implication is that robustness requires not only better anomaly scoring but also a representation learner that is less sensitive to superficial structural edits and more sensitive to higher-level causal semantics.

The paper explicitly argues that prior defenses are limited because they either rely on generic adversarial training, which is difficult when malicious labeled samples are scarce, or on random augmentation and reconstruction objectives that do not respect provenance semantics (Sang et al., 14 Aug 2025). MirGuard therefore emphasizes semantically valid perturbations rather than arbitrary graph corruption.

3. Architecture and learning pipeline

MirGuard consists of three stages: Graph Builder, Graph Representation, and Anomaly Detection (Sang et al., 14 Aug 2025). The Graph Builder streams audit logs and constructs provenance graphs, using reduction and compression to remove redundant or irrelevant data. The Graph Representation stage one-hot encodes node and edge types, applies a GNN encoder, generates multiple logic-preserving augmented views of each graph, and learns embeddings through contrastive learning. The Anomaly Detection stage uses KMeans in embedding space, learning cluster centroids and mean centroid distance from benign training data and scoring test samples by distance to the nearest centroid (Sang et al., 14 Aug 2025).

The graph input is built from tuples of the form

(src,dst,timestamp,edge type),(\text{src}, \text{dst}, \text{timestamp}, \text{edge type}),

where src is typically a process and dst can be a file or network object. To reduce overhead, the system applies Causal Persistent Reduction (CPR) to keep only one instance of repeated edges between the same nodes in a short time window, removes orphaned and faulty nodes, and uses batch-based graph construction for scalability (Sang et al., 14 Aug 2025).

For representation learning, node and edge types are first encoded with one-hot vectors. The paper gives the generic GNN update as

hv(l+1)=σ(W(l)AGG({hu(l)uN(v)})+b(l)),h_v^{(l+1)} = \sigma \left( W^{(l)} \cdot \text{AGG}\left(\{h_u^{(l)} \mid u \in \mathcal{N}(v)\}\right) + b^{(l)} \right),

where hv(l)h_v^{(l)} is node vv's representation at layer ll, N(v)\mathcal{N}(v) is the neighborhood of vv, AGG\text{AGG} is an aggregation function, and W(l)W^{(l)}, b(l)b^{(l)} are learnable parameters. In the reported implementation, the encoder is a 2-layer GAT with latent dimension hv(l+1)=σ(W(l)AGG({hu(l)uN(v)})+b(l)),h_v^{(l+1)} = \sigma \left( W^{(l)} \cdot \text{AGG}\left(\{h_u^{(l)} \mid u \in \mathcal{N}(v)\}\right) + b^{(l)} \right),0 on DARPA TC (Sang et al., 14 Aug 2025).

4. Logic-Aware Noise Injection and logic-preserving contrastive learning

The central technical novelty is Logic-Aware Noise Injection (LNI), a graph augmentation strategy tailored to provenance graphs. Its purpose is to generate perturbed views that remain semantically valid under provenance causality rules. The paper defines three augmentation types: Edge Augmentation (EA), Node Augmentation (NA), and Feature Augmentation (FA), controlled by an augmentation ratio hv(l+1)=σ(W(l)AGG({hu(l)uN(v)})+b(l)),h_v^{(l+1)} = \sigma \left( W^{(l)} \cdot \text{AGG}\left(\{h_u^{(l)} \mid u \in \mathcal{N}(v)\}\right) + b^{(l)} \right),1, with the best reported value around hv(l+1)=σ(W(l)AGG({hu(l)uN(v)})+b(l)),h_v^{(l+1)} = \sigma \left( W^{(l)} \cdot \text{AGG}\left(\{h_u^{(l)} \mid u \in \mathcal{N}(v)\}\right) + b^{(l)} \right),2 (Sang et al., 14 Aug 2025).

Edge augmentation adds or removes edges,

hv(l+1)=σ(W(l)AGG({hu(l)uN(v)})+b(l)),h_v^{(l+1)} = \sigma \left( W^{(l)} \cdot \text{AGG}\left(\{h_u^{(l)} \mid u \in \mathcal{N}(v)\}\right) + b^{(l)} \right),3

but only if the resulting graph respects provenance logic. The paper specifies allowed source-destination pairs such as Process hv(l+1)=σ(W(l)AGG({hu(l)uN(v)})+b(l)),h_v^{(l+1)} = \sigma \left( W^{(l)} \cdot \text{AGG}\left(\{h_u^{(l)} \mid u \in \mathcal{N}(v)\}\right) + b^{(l)} \right),4 File, Process hv(l+1)=σ(W(l)AGG({hu(l)uN(v)})+b(l)),h_v^{(l+1)} = \sigma \left( W^{(l)} \cdot \text{AGG}\left(\{h_u^{(l)} \mid u \in \mathcal{N}(v)\}\right) + b^{(l)} \right),5 Network, File hv(l+1)=σ(W(l)AGG({hu(l)uN(v)})+b(l)),h_v^{(l+1)} = \sigma \left( W^{(l)} \cdot \text{AGG}\left(\{h_u^{(l)} \mid u \in \mathcal{N}(v)\}\right) + b^{(l)} \right),6 Process, and Process hv(l+1)=σ(W(l)AGG({hu(l)uN(v)})+b(l)),h_v^{(l+1)} = \sigma \left( W^{(l)} \cdot \text{AGG}\left(\{h_u^{(l)} \mid u \in \mathcal{N}(v)\}\right) + b^{(l)} \right),7 Process, while disallowing Network hv(l+1)=σ(W(l)AGG({hu(l)uN(v)})+b(l)),h_v^{(l+1)} = \sigma \left( W^{(l)} \cdot \text{AGG}\left(\{h_u^{(l)} \mid u \in \mathcal{N}(v)\}\right) + b^{(l)} \right),8 Process, File hv(l+1)=σ(W(l)AGG({hu(l)uN(v)})+b(l)),h_v^{(l+1)} = \sigma \left( W^{(l)} \cdot \text{AGG}\left(\{h_u^{(l)} \mid u \in \mathcal{N}(v)\}\right) + b^{(l)} \right),9 Network, Network hv(l)h_v^{(l)}0 File, and Network hv(l)h_v^{(l)}1 Network (Sang et al., 14 Aug 2025). The intent is to ensure that augmentation does not produce semantically meaningless provenance structures.

Node augmentation adds or removes nodes while preserving valid attachment semantics: hv(l)h_v^{(l)}2 Feature augmentation changes node attributes while preserving type consistency: hv(l)h_v^{(l)}3 This means the feature vector of a node is replaced by that of another node of the same type, simulating adversarial feature perturbation without breaking semantic plausibility (Sang et al., 14 Aug 2025).

These augmented views are used in a logic-preserving contrastive learning framework. Two logic-preserving views of the same provenance graph form a positive pair, while views from different graphs are negatives. If hv(l)h_v^{(l)}4 is the graph embedding, MirGuard applies a two-layer projection head,

hv(l)h_v^{(l)}5

and optimizes an InfoNCE-style loss

hv(l)h_v^{(l)}6

The stated objective is to make representations invariant to benign logical perturbations while remaining discriminative across different behaviors (Sang et al., 14 Aug 2025). This suggests that MirGuard is best understood as learning robustness through domain-valid invariances rather than through generic adversarial smoothing.

5. Anomaly scoring and deployment characteristics

After representation learning, MirGuard performs unsupervised anomaly detection using KMeans. The paper reports that KMeans outperformed LOF, One-Class SVM, and Isolation Forest in both accuracy and efficiency (Sang et al., 14 Aug 2025). Given learned cluster centroids hv(l)h_v^{(l)}7, the anomaly score for a test embedding hv(l)h_v^{(l)}8 is

hv(l)h_v^{(l)}9

To normalize across datasets, the score is divided by the average nearest-centroid distance on training data,

vv0

and a sample is declared anomalous if

vv1

The paper characterizes this centroid-based detector as simple, efficient, and more scalable than KNN-based scoring used in some prior work (Sang et al., 14 Aug 2025).

The experimental implementation uses NetworkX for graph construction, PyTorch and DGL for learning, and log preprocessing transformers from MAGIC. Reported hyperparameters include learning rate vv2, batch size vv3, latent dimension vv4, and augmentation ratio vv5 (Sang et al., 14 Aug 2025). This design indicates that the novelty lies primarily in the augmentation and representation-learning strategy rather than in a specialized downstream detector.

6. Empirical results, robustness profile, and limitations

MirGuard is evaluated on five provenance datasets: DARPA TC E3, with subsets Theia, Cadets, and Trace; Streamspot; and Unicorn Wget (Sang et al., 14 Aug 2025). The attack evaluation covers five graph manipulation attacks: GSPA, GFPA, and CGPA as detection-phase data pollution attacks, and SPA and FPA as training-phase data poisoning attacks, with attack rates of 10%, 20%, and 50% (Sang et al., 14 Aug 2025).

In the clean setting, the reported performance is near state of the art. On Theia, Precision, F1, and Recall are all 0.99 with FPR 0.03%; on Cadets, Precision 0.98, F1 0.99, Recall 0.99, FPR vv6; on Trace, Precision 0.99, F1 0.99, Recall 0.99, FPR vv7; on Streamspot, Precision 0.99, F1 0.99, Recall 1.00, FPR 0.6%; and on Wget, Precision 0.98, F1 0.96, Recall 0.96, FPR 0.6% (Sang et al., 14 Aug 2025). The paper uses these results to argue that robustness does not come at the cost of ordinary detection performance.

Under graph manipulation, the paper reports substantial gains over Threatrace, MAGIC, and FLASH. On GSPA-50%, MirGuard achieves F1 0.887 and AUC 0.972, compared with Threatrace 0.489, MAGIC 0.533, and FLASH 0.657 in F1. On CGPA-50%, MirGuard reaches F1 0.872 and AUC 0.975. On SPA-50%, it reaches F1 0.899 and AUC 0.962. On FPA-50%, it reaches F1 0.951 and AUC 0.981 (Sang et al., 14 Aug 2025). The paper summarizes its robustness as maintaining an average F1 over 96% with less than 10% AUC drop under graph manipulation attacks (Sang et al., 14 Aug 2025).

The ablation study attributes this robustness to all major design choices. Replacing the graph contrastive learning module with GraphSAGE, DGI, or MGAE reduces both performance and robustness, especially under CGPA. Different augmentation combinations exhibit different strengths: NA is particularly helpful for GSPA, NA + FA works well for GFPA, and NA + EA + FA is the most stable across attacks, although over-perturbation can hurt. Performance improves and then degrades as vv8 increases, with the recommended value vv9 (Sang et al., 14 Aug 2025).

The efficiency measurements reinforce the deployment argument. Reported training overhead is 214 s and 1525 MB for MirGuard, compared with 151 s and 1564 MB for MAGIC, 2780 s and 1031 MB for Threatrace, and 4580 s and 760 MB for FLASH. Reported inference overhead is 437 s and 1532 MB for MirGuard, compared with 1037 s and 1667 MB for MAGIC, 1380 s and 2301 MB for Threatrace, and 4304 s and 1097 MB for FLASH (Sang et al., 14 Aug 2025). The paper attributes the best inference time among compared systems to the lightweight centroid-based detector.

The limitations are largely methodological and domain-specific. The approach assumes that the auditing and provenance collection infrastructure is trusted; hardware trojans and side-channel attacks are out of scope. LNI relies on hand-crafted provenance logic rules, so the method is domain-specific rather than fully general. The paper also notes that very high attack rates may be difficult for real attackers to execute stealthily, and that the final anomaly decision still depends on embedding geometry and thresholding, making performance contingent on the quality of learned representations (Sang et al., 14 Aug 2025).

7. Position within the broader literature

MirGuard’s main contribution is not merely the use of contrastive learning, but the use of domain-validated augmentations that preserve provenance semantics while exposing the model to realistic structural noise (Sang et al., 14 Aug 2025). Within provenance-based intrusion detection, this places it in contrast to graph-learning systems that optimize primarily for nominal accuracy and therefore remain brittle under manipulation. The paper’s interpretive claim is that benign transformations should not change the embedding much, whereas adversarial manipulations that break provenance logic should produce detectable inconsistencies (Sang et al., 14 Aug 2025).

This positions MirGuard as a robustness-oriented refinement of learning-based PIDS rather than a replacement for provenance analysis itself. A plausible implication is that its broader significance lies in formalizing a principle that may generalize beyond provenance graphs: robustness in structured security domains may depend on augmentation policies that encode domain semantics explicitly, rather than on arbitrary perturbation or generic adversarial training.

In that sense, MirGuard is best understood as a targeted response to adversarial graph manipulation in host-system provenance analysis. Its combination of Logic-Aware Noise Injection, logic-preserving contrastive learning, and KMeans anomaly scoring defines a specific design pattern for making provenance embeddings stable under benign variation yet resistant to mimicry and camouflage attacks (Sang et al., 14 Aug 2025).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to MirGuard.