Teng Li,Ximeng Liu,Wei Qiao,Xiongjie Zhu,Yulong Shen,Jianfeng Ma

DOI: https://doi.org/10.1109/tdsc.2023.3273918

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Advanced Persistent Threats (APTs) employ sophisticated and covert tactics to infiltrate target systems, leading to increased vulnerability and an elevated risk of exposure. Consequently, it is essential for us to proactively create an extensive and clearly outlined attack chain for APTs in order to effectively combat these threats. Unlike traditional malware or application threats, APTs can sidestep cyber security efforts and cause severe damage to organizations or even state security. Nonetheless, earlier methods struggle to accurately track APTs and may face a dependency explosion issue, as identifying the intricate and complex unknown malicious activities within APTs proves to be challenging. In this paper, we propose and build an approach, T-trace, which constructs the events provenance graphs by analyzing the correlations among logs. The approach precisely finds the log communities with tensor decomposition and calculates significance scores to extract the events. The APTs can be inferred by discovering the event communities and constructing the provenance graph with log correlation. In the experiment, we used DARPA data sets and launched four current practical APTs. Compared with current approaches, the results show that T-trace can efficiently reduce time cost by 90% and achieve a 92% accuracy rate in constructing the provenance graph, which can be practically applied in APTs provenance.

Han Liu,Yuntao Wang,Zhou Su,Zixuan Wang,Yanghe Pan,Ruidong Li

DOI: https://doi.org/10.1109/icc51166.2024.10623080

2024-01-01

Abstract:Provenance graph-based auditing offers a promising direction for APT (Advanced Persistent Threat) detection with traceability guarantees. However, most of the existing methods are based on host-level causality analysis, which is ineffective in practical APT scenarios when well-organized adversaries exploit lateral movement attacks (e.g., multi-level proxies) across multiple compromised hosts. To bridge the research gap, this paper proposes a collaborative APT detection and tracing frame-work (TRACEGADGET) based on federal provenance graphs. TRACEGADGET can efficiently reveal the whole trace of APT lateral movements through the interactions between hosts in Intranet. Specifically, the proposed framework 1) characterizes the relevance weights of all events in the given provenance graph in comparison to the POI (Point of Interest) events, 2) identifies the network entries rankings of the POI events through backward trace analysis, 3) reveals the evolution of the alarm events and confirms the network exit of penetration chain through forward propagation, and 4) aligns the network entries and network exits to derive the complete path of the lateral movement attack. Finally, we construct a dataset consisting of 280,000 edges and more than 90,000 entities through ten sets of real APT attacks. We demonstrate the feasibility and effectiveness of the proposed framework in recovering APT attack links at the network level. Particularly, TRACEGADGET achieves 100% APT path reconstruction with high robustness in all the experiments.

Erteng Hu,Anmin Fu,Zhiyi Zhang,Linjie Zhang,Yantao Guo,Yin Liu

DOI: https://doi.org/10.1109/infocomwkshps51825.2021.9484532

2021-01-01

Abstract:The emerging advanced persistent threats (APT) have become a significant threat to enterprise network security. Carrying out the attack's causality analysis can help the cyber analyst understand the APT attack process and safely recover the system from the attack. How to quickly perform an efficient causality analysis and generate an attack dependency graph that is easy for analysts to understand has become a problem. In this paper, we propose ACTracker, a fast and efficient attack causality tracker. Firstly, the tracker generates a complete provenance graph based on threat alert and then calculates each provenance path's anomaly score based on the anomaly score of each event. ACTracker quickly constructs a dependency graph describing the causality of attacks by considering the anomaly degree of each provenance path in the provenance graph. We also design a novel statistical method of event frequency to adapt to different scales of corporate network environments and assign anomaly scores to each event based on the event's rarity in the current environment. We evaluate our system by simulating a variety of real-world attacks. The experimental results show that our solution can effectively track attack activities in a short time.

Su Wang,Zhiliang Wang,Tao Zhou,Xia Yin,Dongqi Han,Han Zhang,Hongbin Sun,Xingang Shi,Jiahai Yang

DOI: https://doi.org/10.48550/arXiv.2111.04333

2021-11-08

Abstract:Host-based threats such as Program Attack, Malware Implantation, and Advanced Persistent Threats (APT), are commonly adopted by modern attackers. Recent studies propose leveraging the rich contextual information in data provenance to detect threats in a host. Data provenance is a directed acyclic graph constructed from system audit data. Nodes in a provenance graph represent system entities (e.g., $processes$ and $files$) and edges represent system calls in the direction of information flow. However, previous studies, which extract features of the whole provenance graph, are not sensitive to the small number of threat-related entities and thus result in low performance when hunting stealthy threats. We present threaTrace, an anomaly-based detector that detects host-based threats at system entity level without prior knowledge of attack patterns. We tailor GraphSAGE, an inductive graph neural network, to learn every benign entity's role in a provenance graph. threaTrace is a real-time system, which is scalable of monitoring a long-term running host and capable of detecting host-based intrusion in their early phase. We evaluate threaTrace on three public datasets. The results show that threaTrace outperforms three state-of-the-art host intrusion detection systems.

Cryptography and Security,Machine Learning

Cheng Tan,Qian Wang,Lina Wang,Lei Zhao

DOI: https://doi.org/10.1109/mnet.2018.1700469

IF: 10.294

2018-01-01

IEEE Network

Abstract:With the increasing damage of APT attacks, the modern world has moved from individual hackers for fun to nation-wide cybercriminals for strategic advantage or profit. These APT attacks are often prolonged and have multiple stages, and they usually utilize zero-day or one-day exploits to be penetrating and stealthy. As a result, there is an urgent need to detect and investigate APT attacks. Among all kinds of security techniques, provenance tracing is regarded as a promising and important approach for attack investigation, as it discloses the root cause, the path, and the results of attacks. However, the existing techniques either suffer from the limitation of only focusing on the log type, or have non-trivial space and runtime overhead, which hinder their wide applications in practice. In this article, we provide a comprehensive survey of provenance tracing technologies in the most recent literature. Following the overview of each scheme, we present the key technical features of them and then compare the state-of-the-art solutions in terms of both security and performance. Finally, we propose and discuss several potential future research directions.

Jie Ying,Tiantian Zhu,Wenrui Cheng,Qixuan Yuan,Mingjun Ma,Chunlin Xiong,Tieming Chen,Mingqi Lv,Yan Chen

2024-05-04

Abstract:As the complexity and destructiveness of Advanced Persistent Threat (APT) increase, there is a growing tendency to identify a series of actions undertaken to achieve the attacker's target, called attack investigation. Currently, analysts construct the provenance graph to perform causality analysis on Point-Of-Interest (POI) event for capturing critical events (related to the attack). However, due to the vast size of the provenance graph and the rarity of critical events, existing attack investigation methods suffer from problems of high false positives, high overhead, and high latency. To this end, we propose SPARSE, an efficient and real-time system for constructing critical component graphs (i.e., consisting of critical events) from streaming logs. Our key observation is 1) Critical events exist in a suspicious semantic graph (SSG) composed of interaction flows between suspicious entities, and 2) Information flows that accomplish attacker's goal exist in the form of paths. Therefore, SPARSE uses a two-stage framework to implement attack investigation (i.e., constructing the SSG and performing path-level contextual analysis). First, SPARSE operates in a state-based mode where events are consumed as streams, allowing easy access to the SSG related to the POI event through semantic transfer rule and storage strategy. Then, SPARSE identifies all suspicious flow paths (SFPs) related to the POI event from the SSG, quantifies the influence of each path to filter irrelevant events. Our evaluation on a real large-scale attack dataset shows that SPARSE can generate a critical component graph (~ 113 edges) in 1.6 seconds, which is 2014 X smaller than the backtracking graph (~ 227,589 edges). SPARSE is 25 X more effective than other state-of-the-art techniques in filtering irrelevant edges.

Cryptography and Security

Yong Fang,Congshuang Wang,Zhiyang Fang,Cheng Huang

DOI: https://doi.org/10.1016/j.neucom.2021.12.026

IF: 6

2022-01-01

Neurocomputing

Abstract:Advanced Persistent Threats(APT) with the purpose of stealing confidential data take place all the time. In the APT life cycle, lateral movement is a critical stage towards high-level authority and confidential data. Existing lateral movement detection mainly concentrates on endpoint protection to distinguish compromised hosts. These approaches not only have unfortunate effect but also can not detect lateral movement behavior comprehensively. We design LMTracker, an attack path detection algorithm based on the heterogeneous graph, in order to make up for above shortcomings. LMTracker consists of three modules: heterogeneous graph construction, path representation generation, and unsupervised anomaly-based attack path detection. The core idea of LMTracker is to use event logs and traffic to establish heterogeneous graphs and generate representation vectors for lateral movement paths, then use unsupervised algorithm to implement anomaly-based path detection. This method can not only detect lateral movement paths effectively but also preserve the path relationships. Security professionals can use these paths to analyze attack activities. In two frequently-used public datasets, the evaluation results demonstrate that LMTracker performs significantly better than other methods and can adapt to attack detection in different scenarios. The area under the ROC curve is as high as 0.95.

Xiaoda Xie,Songlei Jian,Chenlin Huang

DOI: https://doi.org/10.1145/3605801.3605824

2023-01-01

Abstract:Abstract: The anomaly detection technique is increasingly applied in various security fields and the effectiveness and efficiency of anomaly detection models have become vitally important issues. Deep learning models are widely used to detect anomalies due to their flexibility and learning ability. However, in order to improve the performance of anomaly detection models, information used for model training and detecting is most significant. Previous methods involve the usage of system logs and traces, but mostly only focus on one single type of data source. And combining the logs and traces appropriately to retrieve comprehensive information for anomaly detection is still challenging. We propose LogTraceAD, a novel anomaly detection method that utilizes the logs and traces to generate a graph, and leverages a variational autoencoder-based graph representation learning model to complete feature learning. Then the feature data containing information from both types of data can be used for anomaly detection. We conduct the experiment on a publicly available dataset that contains 23,334 anomalies in 7,705,050 logs and 132,485 traces and compare the performance of the proposed method with several previous approaches. The result shows our method can achieve a 24% and 27% improvement respectively compared to methods using only logs or traces, and will not cause high overhead.

Zhaoli Liu,Tao Qin,Xiaohong Guan,Hezhi Jiang,Chenxu Wang

DOI: https://doi.org/10.1109/ACCESS.2018.2843336

IF: 3.9

2018-01-01

IEEE Access

Abstract:Logs are generated by systems to record the detailed runtime information about system operations, and log analysis plays an important role in anomaly detection at the host or network level. Most existing detection methods require a priori knowledge, which cannot be used to detect the new or unknown anomalies. Moreover, the growing volume of logs poses new challenges to anomaly detection. In this paper, we propose an integrated method using K-prototype clustering and k-NN classification algorithms, which uses a novel clustering-filtering-refinement framework to perform anomaly detection from massive logs. First, we analyze the characteristics of system logs and extract 10 features based on the session information to characterize user behaviors effectively. Second, based on these extracted features, the K-prototype clustering algorithm is applied to partition the data set into different clusters. Then, the obvious normal events which usually present as highly coherent clusters are filtered out, and the others are regarded as anomaly candidates for further analysis. Finally, we design two new distance-based features to measure the local and global anomaly degrees for these anomaly candidates. Based on these two new features, we apply the k-NN classifier to generate accurate detection results. To verify the integrated method, we constructed a log collection and anomaly detection platform in the campus network center of Xi'an Jiaotong University. The experimental results based on the data sets collected from the platform show our method has high detection accuracy and low computational complexity.

Le Yu,Shiqing Ma,Zhuo Zhang,Guanhong Tao,Xiangyu Zhang,Dongyan Xu,Vincent E. Urias,Han Wei Lin,Gabriela Ciocarlie,Vinod Yegneswaran,Ashish Gehani

DOI: https://doi.org/10.14722/ndss.2021.24445

2021-01-01

Abstract:Cyber-attacks are becoming more persistent and complex. Most state-of-the-art attack forensics techniques either require annotating and instrumenting software applications or rely on high quality execution profiling to serve as the basis for anomaly detection. We propose a novel attack forensics technique ALchemist. It is based on the observations that built-in application logs provide critical high-level semantics and audit logs provide low-level fine-grained information; and the two share a lot of common elements. ALchemist is hence a log fusion technique that couples application logs and audit logs to derive critical attack information invisible in either log. It is based on a relational reasoning engine Datalog and features the capabilities of inferring new relations such as the task structure of execution (e.g., tabs in firefox), especially in the presence of complex asynchronous execution models, and high-level dependencies between log events. Our evaluation on 15 popular applications including firefox, Chromium, and OpenOffice, and 14 APT attacks from the literature demonstrates that although ALchemist does not require instrumentation, it is highly effective in partitioning execution to autonomous tasks (in order to avoid bogus dependencies) and deriving precise attack provenance graphs, with very small overhead. It also outperforms NoDoze and OmegaLog, two state-of-the-art techniques that do not require instrumentation.

Cheng Tan,Lei Zhao,Weijie Liu,Lai Xu,Lina Wang

DOI: https://doi.org/10.1109/cc.2018.8300279

2018-01-01

China Communications

Abstract:APT attacks are prolonged and have multiple stages, and they usually utilize zero-day or one-day exploits to be penetrating and stealthy. Among all kinds of security techniques, provenance tracing is regarded as an important approach to attack investigation, as it discloses the root cause, the attacking path, and the results of attacks. However, existing techniques either suffer from the limitation of only focusing on the log type, or are highly susceptible to attacks, which hinder their applications in investigating APT attacks. We present CAPT, a context-aware provenance tracing system that leverages the advantages of virtualization technologies to transparently collect system events and network events out of the target machine, and processes them in the specific host which introduces no space cost to the target. CAPT utilizes the contexts of collected events to bridge the gap between them, and provides a panoramic view to the attack investigation. Our evaluation results show that CAPT achieves the effective provenance tracing to the attack cases, and it only produces 0.21 MB overhead in 8 hours. With our newly-developed technology, we keep the run-time overhead averages less than 4%.

Jiaping Gui,Ding Li,Zhengzhang Chen,Junghwan Rhee,Xusheng Xiao,Mu Zhang,Kangkook Jee,Zhichun Li,Haifeng Chen

DOI: https://doi.org/10.1109/ICDE48307.2020.00151

2020-01-01

Abstract:While backtracking analysis has been successful in assisting the investigation of complex security attacks, it faces a critical dependency explosion problem. To address this problem, security analysts currently need to tune backtracking analysis manually with different case-specific heuristics. However, existing systems fail to fulfill two important system requirements to achieve effective backtracking analysis. First, there need flexible abstractions to express various types of heuristics. Second, the system needs to be responsive in providing updates so that the progress of backtracking analysis can be frequently inspected, which typically involves multiple rounds of manual tuning. In this paper, we propose a novel system, APTrace, to meet both of the above requirements. As we demonstrate in the evaluation, security analysts can effectively express heuristics to reduce more than 99.5% of irrelevant events in the backtracking analysis of real-world attack cases. To improve the responsiveness of backtracking analysis, we present a novel execution-window partitioning algorithm that significantly reduces the waiting time between two consecutive updates (especially, 57 times reduction for the top 1% waiting time).

Weibin Meng,Ying Liu,Yichen Zhu,Shenglin Zhang,Dan Pei,Yuqing Liu,Yihao Chen,Ruizhi Zhang,Shimin Tao,Pei Sun,Rong Zhou

DOI: https://doi.org/10.24963/ijcai.2019/658

2019-08-01

Abstract:Recording runtime status via logs is common for almost every computer system, and detecting anomalies in logs is crucial for timely identifying malfunctions of systems. However, manually detecting anomalies for logs is time-consuming, error-prone, and infeasible. Existing automatic log anomaly detection approaches, using indexes rather than semantics of log templates, tend to cause false alarms. In this work, we propose LogAnomaly, a framework to model unstructured a log stream as a natural language sequence. Empowered by template2vec, a novel, simple yet effective method to extract the semantic information hidden in log templates, LogAnomaly can detect both sequential and quantitive log anomalies simultaneously, which were not done by any previous work. Moreover, LogAnomaly can avoid the false alarms caused by the newly appearing log templates between periodic model retrainings. Our evaluation on two public production log datasets show that LogAnomaly outperforms existing log-based anomaly detection methods.

Zhenyuan Li,Yangyang Wei,Xiangmin Shen,Lingzhi Wang,Yan Chen,Haitao Xu,Shouling Ji,Fan Zhang,Liang Hou,Wenmao Liu,Xuhong Zhang,Jianwei Ying

2024-07-10

Abstract:Recent research in both academia and industry has validated the effectiveness of provenance graph-based detection for advanced cyber attack detection and investigation. However, analyzing large-scale provenance graphs often results in substantial overhead. To improve performance, existing detection systems implement various optimization strategies. Yet, as several recent studies suggest, these strategies could lose necessary context information and be vulnerable to evasions. Designing a detection system that is efficient and robust against adversarial attacks is an open problem. We introduce Marlin, which approaches cyber attack detection through real-time provenance graph <a class="link-external link-http" href="http://alignment.By" rel="external noopener nofollow">this http URL</a> leveraging query graphs embedded with attack knowledge, Marlin can efficiently identify entities and events within provenance graphs, embedding targeted analysis and significantly narrowing the search space. Moreover, we incorporate our graph alignment algorithm into a tag propagation-based schema to eliminate the need for storing and reprocessing raw logs. This design significantly reduces in-memory storage requirements and minimizes data processing overhead. As a result, it enables real-time graph alignment while preserving essential context information, thereby enhancing the robustness of cyber attack detection. Moreover, Marlin allows analysts to customize attack query graphs flexibly to detect extended attacks and provide interpretable detection results. We conduct experimental evaluations on two large-scale public datasets containing 257.42 GB of logs and 12 query graphs of varying sizes, covering multiple attack techniques and scenarios. The results show that Marlin can process 137K events per second while accurately identifying 120 subgraphs with 31 confirmed attacks, along with only 1 false positive, demonstrating its efficiency and accuracy in handling massive data.

Cryptography and Security

Jian Mao,Qixiao Lin,Shishi Zhu,Liran Ma,Jianwei Liu

DOI: https://doi.org/10.1109/jiot.2023.3308089

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:As a typical application of the Internet of Things (IoT), smart home systems facilitate home setup where appliances and devices can be controlled automatically and remotely from anywhere with an Internet connection. Devices within a smart home system are usually correlated according to the automation rules/programs preconfigured by system owners. However, attackers can exploit these complex correlations among devices to conduct indirect attacks, making it challenging for owners to locate the root cause of a security incident and identify compromised devices. In this paper, we propose SMARTTRACER, an anomaly-driven provenance analysis approach based on inter-device correlation extraction and tracing. Specifically, we extract correlations from the smart home systems automation setup and physical interaction configuration. We define a unified dependency graph to describe the event causality among devices based on the event correlation and device run-time states. We then present an identification algorithm to profile trigger-action sequences from the abnormal run-time dependency graph and identify root cause nodes of anomalies. We prototype our approach and evaluate it on a self-developed testbed. The experiment results show that SMARTTRACER effectively provides a complete and precise provenance analysis for attacks exploited by the execution chains of automation. SMARTTRACER can generate a dependency graph for around 100 automation rules in 0.03 seconds and identify anomalies within 0.14 seconds.

Shaofei Li,Feng Dong,Xusheng Xiao,Haoyu Wang,Fei Shao,Jiedong Chen,Yao Guo,Xiangqun Chen,Ding Li

DOI: https://doi.org/10.14722/ndss.2024.23204

2023-11-04

Abstract:Advanced Persistent Threats (APT) attacks have plagued modern enterprises, causing significant financial losses. To counter these attacks, researchers propose techniques that capture the complex and stealthy scenarios of APT attacks by using provenance graphs to model system entities and their dependencies. Particularly, to accelerate attack detection and reduce financial losses, online provenance-based detection systems that detect and investigate APT attacks under the constraints of timeliness and limited resources are in dire need. Unfortunately, existing online systems usually sacrifice detection granularity to reduce computational complexity and produce provenance graphs with more than 100,000 nodes, posing challenges for security admins to interpret the detection results. In this paper, we design and implement NodLink, the first online detection system that maintains high detection accuracy without sacrificing detection granularity. Our insight is that the APT attack detection process in online provenance-based detection systems can be modeled as a Steiner Tree Problem (STP), which has efficient online approximation algorithms that recover concise attack-related provenance graphs with a theoretically bounded error. To utilize STP approximation algorithm frameworks for APT attack detection, we propose a novel design of in-memory cache, an efficient attack screening method, and a new STP approximation algorithm that is more efficient than the conventional one in APT attack detection while maintaining the same complexity. We evaluate NodLink in a production environment. The open-world experiment shows that NodLink outperforms two state-of-the-art (SOTA) online provenance analysis systems by achieving magnitudes higher detection and investigation accuracy while having the same or higher throughput.

Cryptography and Security

Jiawei Li,Ru Zhang,Jianyi Liu,Gongshen Liu

DOI: https://doi.org/10.48550/arXiv.2208.08820

2022-08-18

Abstract:Cyber threat hunting is a proactive search process for hidden threats in the organization's information system. It is a crucial component of active defense against advanced persistent threats (APTs). However, most of the current threat hunting methods rely on Cyber Threat Intelligence(CTI), which can find known attacks but cannot find unknown attacks that have not been disclosed by CTI. In this paper, we propose LogKernel, a threat hunting method based on graph kernel clustering which can effectively separates attack behaviour from benign activities. LogKernel first abstracts system audit logs into Behaviour Provenance Graphs (BPGs), and then clusters graphs by embedding them into a continuous space using a graph kernel. In particular, we design a new graph kernel clustering method based on the characteristics of BPGs, which can capture structure information and rich label information of the BPGs. To reduce false positives, LogKernel further quantifies the threat of abnormal behaviour. We evaluate LogKernel on the malicious dataset which includes seven simulated attack scenarios and the DAPRA CADETS dataset which includes four attack scenarios. The result shows that LogKernel can hunt all attack scenarios among them, and compared to the state-of-the-art methods, it can find unknown attacks.

Cryptography and Security

Yulai Xie,Dan Feng,Zhipeng Tan,Junzhe Zhou

DOI: https://doi.org/10.1016/j.future.2016.02.005

IF: 7.307

2016-01-01

Future Generation Computer Systems

Abstract:The existing host-based intrusion detection methods are mainly based on recording and analyzing the system calls of the invasion processes (such as exploring the sequences of system calls and their occurring probabilities). However, these methods are not efficient enough on the detection precision as they do not reveal the inherent intrusion events in detail (e.g., where are the system vulnerabilities and what causes the invasion are both not mentioned). On the other hand, though the log-based forensic analysis can enhance the understanding of how these invasion processes break into the system and what files are affected by them, it is a very cumbersome process to manually acquire information from logs which consist of the users' normal behavior and intruders' illegal behavior together.This paper proposes to use provenance, the history or lineage of an object that explicitly represents the dependency relationship between the damaged files and the intrusion processes, rather than the underlying system calls, to detect and analyze intrusions. Provenance more accurately reveals and records the data and control flow between files and processes, reducing the potential false alarm caused by system call sequences. Moreover, the warning report during intrusion call explicitly output system vulnerabilities and intrusion sources, and provide detection points for further provenance graph based forensic analysis. Experimental results show that this framework call identify the intrusion with high detection rate, lower false alarm rate, and smaller detection time overhead compared to traditional system call based method. In addition, it can analyze the system vulnerabilities and attack sources quickly and accurately. (C) 2016 Elsevier B.V. All rights reserved.

Shiyu Li,Baojiang Cui

DOI: https://doi.org/10.1007/978-3-030-50399-4_4

2020-01-01

Abstract:With the rapid development of the Internet, Web applications have been used more and more widely in various industries, and the accompanying security issues have gradually received attention. In the field of network security research, in addition to defense technologies such as intrusion detection and firewall technology, forensic analysis and traceability of network attacks are also the focus of research. Based on this, this paper is devoted to mining the associations of attack traces existing in web application logs, and to provide assistance for forensic analysis and attack source tracing. In this paper we propose a method for analyzing associations of network attack traces based on Web logs. We collect features of common Web attack methods and extracts attack traces. We also propose attack event description models based on key attributes, and improves the Apriori algorithm to adapt the model. The attack trace correlation analysis method proposed in this paper makes full use of and analyzes the infrequently discovered correlations in the log data, which has greatly helped the development of network attack traceability technology.

Jian Jiao,Siyuan Min,Dongchao Guo,Fang Du,Feng Cheng

DOI: https://doi.org/10.1109/access.2024.3476680

IF: 3.9

2024-10-22

IEEE Access

Abstract:The detection and traceability research of massive log information has always been a focal point in Advanced Persistent Threats (APT) studies. Causality relationship technology analyzes attack paths and simplifies graph scale by mapping attack behaviors, but rule-based detection methods often introduce numerous false alarms. To address this issue, this paper proposes a multi-feature provenance graph for the Accurate Alert System (FPGAA). It constructs trace graphs by selecting feature graphs based on the attack types, effectively improving the compression ratio of trace graphs. The FPGAA system utilizes graph neural network technology to efficiently filter out erroneous attack paths generated by false alarm information. We evaluated the system's performance using widely recognized classic datasets, including the DARPA TC dataset and the ATLAS dataset, as well as a self-constructed dataset to ensure comprehensiveness and reliability. The results demonstrate that the FPGAA system shows significant improvements in trace graph optimization compared to similar systems, successfully reducing the provenance graph size by over 300 times. Additionally, the FPGAA system effectively overcomes the interference caused by false alarm alerts, successfully filtering out approximately 94% of false alarms. In summary, our system can accurately identify a variety of attack paths, expedite event investigation efficiency through concise contextual alarms, and enhance identification accuracy by increasing features.

computer science, information systems,telecommunications,engineering, electrical & electronic