Detecting abnormal logins by discovering anomalous links via graph transformers

Abstract

Anomalous authentications are a critical indicator of advanced persistent threats (APTs), in which adversaries exploit network vulnerabilities to gain unauthorized access and move stealthily between devices using stolen credentials. As the set of interactions between entities in a network essentially forms graph-structured data, state-of-the-art algorithms such as graph neural networks (GNNs) can be used to detect anomalous interactions that may indicate an ongoing attack. However, the success of detecting anomalous authentications using GNNs is conditioned on the representational power and performance of those models. A crucial problem is how to aggregate the node embeddings so that the GNN can better represent the network topology. Existing graph neural networks traditionally use simple functions (e.g., sum, max, mean) on the node embeddings to preserve permutation invariance and achieve consistent node representations. However, we argue that an effective aggregation of node features into a graph-level representation cannot be achieved through simple sum or mean operations. In this work, we propose a residual soft-attention scheme that facilitates the aggregation of node representations through a weighted sum, resulting in enhanced node representations and improved filtration of irrelevant information. Experimental results on three relevant datasets have shown the proposed method can detect abnormal authentications with lower false positives than competitors.