Abstract
Advanced Persistent Threats (APTs) are the most sophisticated attacks for modern information systems. Currently, more and more researchers begin to focus on graph-based anomaly detection methods that leverage graph data to model normal behaviors and detect outliers for defending against APTs. However, previous studies of provenance graphs mainly concentrate on system calls, leading to difficulties in modeling network behaviors. Coarse-grained correlation graphs depend on handcrafted graph construction rules and, thus, cannot adequately explore log node attributes. Besides, the traditional Graph Neural Networks (GNNs) fail to consider meaningful edge features and are difficult to perform heterogeneous graphs embedding. To overcome the limitations of the existing approaches, we present a hierarchical approach for APT detection with novel attention-based GNNs. We propose a metapath aggregated GNN for provenance graph embedding and an edge enhanced GNN for host interactive graph embedding; thus, APT behaviors can be captured at both the system and network levels. A novel enhancement mechanism is also introduced to dynamically update the detection model in the hierarchical detection framework. Evaluations show that the proposed method outperforms the state-of-the-art baselines in APT detection.
Highlights
Advanced Persistent reats (APTs) are becoming increasingly prominent in modern networks [1, 2]
We encode the heterogeneous Intrahost Provenance Graph (IPG) using the metapath aggregated Graph Neural Networks (GNNs) with the attention mechanism, which enables the full exploration of semantic information using metapaths tailored to the IPG. ird, for the Interactive Graph (IIG), the interaction edges among hosts contain meaningful information; we propose the edge feature-enhanced GNN to adequately exploit the multidimensional edge features
The IPG detector has gained more than 25% improvement compared with the StreamSpot and more than 10% improvement compared with the UNICORN and Graph Attention Network (GAT)
Summary
Advanced Persistent reats (APTs) are becoming increasingly prominent in modern networks [1, 2]. Anomaly-based detectors [8,9,10,11,12,13] are capable of identifying unforeseen activities that do not conform to the learned normal patterns They are susceptible to be circumvented by attackers because they typically treat system calls or network events as temporal sequences [8, 9, 11], which only carry the sequential relationships among log entries. As such, they cannot achieve satisfactory performance in detecting APTs [1]
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
