PIDSMaker

The first framework designed to build and experiment with provenance-based intrusion detection systems (PIDSs) using deep learning architectures. It provides a single codebase to run most of the recent state-of-the-art systems and to customize them easily in order to develop new variants.

Purpose

🥷 PIDSMaker is an open-source framework designed to be collaboratively developed and maintained by the security research community. It was born out of the observation that recent papers in top-tier security venues often evaluate on the same datasets but differ in labeling strategies and in the implementation of baseline methods.

Until now, no standardized open-source framework has existed to facilitate fair comparisons. PIDSMaker addresses this gap by providing the following key features:

  1. Consistent evaluation and benchmarking of SOTA baselines using unified datasets, labeling strategies, and reference implementations.
  2. A modular testbed of existing components extracted from published systems, enabling experimentation and the discovery of improved variants.
  3. A centralized repository where authors can contribute and share code for new systems, ensuring fair and reproducible benchmarking.

Supported PIDSs

Citing the Framework

If you use this framework, please cite the following paper:

@inproceedings{bilot2025simpler,
    title={{Sometimes Simpler is Better: A Comprehensive Analysis of State-of-the-Art Provenance-Based Intrusion Detection Systems}},
    author={Bilot, Tristan and Jiang, Baoxiang and Li, Zefeng and El Madhoun, Nour and Al Agha, Khaldoun and Zouaoui, Anis and Pasquier, Thomas},
    booktitle={USENIX Security Symposium (USENIX Sec'25)},
    year={2025},
    organization={USENIX}
}