Lingshuo Meng,Yijie Bai,Yanjiao Chen,Yutong Hu,Wenyuan Xu,Haiqin Weng

DOI: https://doi.org/10.1145/3576915.3623173

2023-01-01

Abstract:Graph neural networks (GNNs) have been developed to mine useful information from graph data of various applications, e.g., health-care, fraud detection, and social recommendation. However, GNNs open up new attack surfaces for privacy attacks on graph data. In this paper, we propose Infiltrator, a privacy attack that is able to pry node-level private information based on black-box access to GNNs. Different from existing works that require prior information of the victim node, we explore the possibility of conducting the attack without any information of the victim node. Our idea is to infiltrate the graph with attacker-created nodes to befriend the victim node. More specifically, we design infiltration schemes that enable the adversary to infer the label, neighboring links, and sensitive attributes of a victim node. We evaluate Infiltrator with extensive experiments on three representative GNN models and six real-world datasets. The results demonstrate that Infiltrator can achieve an attack performance of more than 98% in all three attacks, outperforming baseline approaches. We further evaluate the defense resistance of Infiltrator against the graph homophily defender and the differentially private model.

Rui Wen,Jianyu Wang,Chunming Wu,Jian Xiong

DOI: https://doi.org/10.1145/3366424.3391266

2020-01-01

Abstract:Given a large graph with millions of vertices and different types, how can we spot anomalies and find potential adversaries in time? Most graph-based fraud detection algorithms focus on finding dense blocks, discovering local subgraphs, designing belief propagation, and latent factor models. However, as fraudsters in online social networks gradually become adversarial, distributed, and invisible, it is easy for them to evade traditional detection methods. Even worse, existing detection systems are fragile to the new attacks. Once attackers update their tragedies, they will be inefficient. Our focus is to detect potential adversaries as soon as possible. We design and propose ASA (Adversary Situation Awareness), a system that (a) uncovers potential adversaries in time, (b) utilizes heterogeneous information in the graph, and (c)is effective in real-world data. We do experiments on a heterogeneous graph including 198,541 nodes with five types and 224,384 edges. The result shows that ASA can spot potential adversaries and successfully recovers 60 of potential abnormal users within a few minutes. Additionally, after two months we deployed it, ASA could achieve 90 recall, which means ASA can well discover a small number of adversaries with a latent period in time.

Max Landauer,Markus Wurzenberger,Florian Skopik,Wolfgang Hotwagner,Georg Höld

DOI: https://doi.org/10.1145/3567675

2022-10-11

Digital Threats: Research and Practice

Abstract:Cyber attacks are omnipresent and their rapid detection is crucial for system security. Signature-based intrusion detection monitors systems for attack indicators and plays an important role in recognizing and preventing such attacks. Unfortunately, it is unable to detect new attack vectors and may be evaded by attack variants. As a solution, anomaly detection employs techniques from machine learning to detect suspicious log events without relying on predefined signatures. While visibility of attacks in network traffic is limited due to encryption of network packets, system log data is available in raw format and thus allows fine-granular analysis. However, system log processing is difficult as it involves different formats and heterogeneous events. To ease log-based anomaly detection, we present the AMiner, an open-source tool in the AECID toolbox that enables fast log parsing, analysis, and alerting. In this paper we outline the AMiner's modular architecture and demonstrate its applicability in three use-cases.

Xi Ling,Jiongchi Yu,Ziming Zhao,Zhihao Zhou,Haitao Xu,Binbin Chen,Fan Zhang

DOI: https://doi.org/10.1007/978-3-031-54773-7_12

2024-01-01

Abstract:With the proliferation of Internet development, Distributed Denial of Service (DDoS) attacks are on the rise. As rule-based traffic analysis frameworks and Deep Packet Inspection (DPI) defense measures can effectively thwart many DDoS attacks, attackers keep exploring various attack surfaces and traffic amplification strategies to nullify the defense. In this paper, we propose DDoSMiner, an automated framework for DDoS attack characterization and vulnerability mining. DDoSMiner analyzes system call patterns of the TCP-based DDoS attack family, then generates Attack Call Flow Graph (ACFG) by discerning the differences between DDoS attack traffic and benign traffic. Furthermore, DDoSMiner identifies and extracts drop nodes and pivotal TCP states from the distinctive characteristics of attack traffic, then passes to the symbolic execution framework for exploring variants of the DDoS attack. We collectively analyze six types of TCP-based DDoS attacks, construct the corresponding ACFG, and identify a set of attack traffic variants. The attack traffic variants are evaluated on the widely used Network Intrusion Detection System (NIDS) Snort with three popular rule sets. The result shows that DDoSMiner indeed discovers the new DDoS attack trace, and the corresponding attack traffic can bypass all three defense toolkits.

Zitong Li,Xiang Cheng,Lixiao Sun,Ji Zhang,Bing Chen

DOI: https://doi.org/10.1155/2021/9961342

IF: 1.968

2021-05-04

Security and Communication Networks

Abstract:Advanced Persistent Threats (APTs) are the most sophisticated attacks for modern information systems. Currently, more and more researchers begin to focus on graph-based anomaly detection methods that leverage graph data to model normal behaviors and detect outliers for defending against APTs. However, previous studies of provenance graphs mainly concentrate on system calls, leading to difficulties in modeling network behaviors. Coarse-grained correlation graphs depend on handcrafted graph construction rules and, thus, cannot adequately explore log node attributes. Besides, the traditional Graph Neural Networks (GNNs) fail to consider meaningful edge features and are difficult to perform heterogeneous graphs embedding. To overcome the limitations of the existing approaches, we present a hierarchical approach for APT detection with novel attention-based GNNs. We propose a metapath aggregated GNN for provenance graph embedding and an edge enhanced GNN for host interactive graph embedding; thus, APT behaviors can be captured at both the system and network levels. A novel enhancement mechanism is also introduced to dynamically update the detection model in the hierarchical detection framework. Evaluations show that the proposed method outperforms the state-of-the-art baselines in APT detection.

computer science, information systems,telecommunications

Rahul Chandran,Wei Q. Yan

DOI: https://doi.org/10.4018/ijdcf.2014010103

2014-01-01

International Journal of Digital Crime and Forensics

Abstract:The development of technology in computer networks has boosted the percentage of cyber-attacks today. Hackers are now able to penetrate even the strongest IDS and firewalls. With the help of anti-forensic techniques, attackers defend themselves, from being tracked by destroying and distorting evidences. To detect and prevent network attacks, the main modus of operandi in network forensics is the successful implementation and analysis of attack graph from gathered evidences. This paper conveys the main concepts of attack graphs, requirements for modeling and implementation of graphs. It also contributes the aspect of incorporation of anti-forensic techniques in attack graph which will help in analysis of the diverse possibilities of attack path deviations and thus aids in recommendation of various defense strategies for better security. To the best of our knowledge, this is the first time network anti-forensics has been fully discussed and the attack graphs are employed to analyze the network attacks. The experimental analysis of anti-forensic techniques using attack graphs were conducted in the proposed test-bed which helped to evaluate the model proposed and suggests preventive measures for the improvement of security of the networks.

Mai Ye,Shiming Men,Lei Xie,Bing Chen

DOI: https://doi.org/10.1145/3605801.3605807

2023-01-01

Abstract:APT(Advanced Persistent Threat) are known for their stealth, persistence, and sophistication, often carried out by skilled and well-funded attackers. To detect and investigate APT attacks at the host-level, scholars have extensively studied the provenance graph, which preserves the complete attack context. However, existing methods have impractical requirements for data collection and threshold setting, severely impacting their real-world performance. In this paper, we propose GCA (Graph Competitive Autoencoder), a GNN-based graph-level anomaly detection system. We first extract entities and their interactions from host logs to construct a provenance graph. Subsequently, we utilize GNN (Graph Neural Network) as a graph encoder to obtain graph-level embeddings. In the anomaly detection part, we use the competitive autoencoder and mutual information maximization to identify the attack graph. With this model, we can conduct graph-level anomaly detection even when the training data is partially contaminated, without manually setting the threshold. We deploy and evaluate our model on the public dataset StreamSpot. Our results show that GCA outperforms existing methods in terms of accuracy and practicality.

Tieming Chen,Chengyu Dong,Mingqi Lv,Qijie Song,Haiwen Liu,Tiantian Zhu,Kang Xu,Ling Chen,Shouling Ji,Yuan Fan

DOI: https://doi.org/10.1109/tdsc.2022.3229472

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:APTs (Advanced Persistent Threats) have caused serious security threats worldwide. Most existing APT detection systems are implemented based on sophisticated forensic analysis rules. However, the design of these rules requires in-depth domain knowledge and the rules lack generalization ability. On the other hand, deep learning technique could automatically create detection model from training samples with little domain knowledge. However, due to the persistence, stealth, and diversity of APT attacks, deep learning technique suffers from a series of problems including difficulties of capturing contextual information, low scalability, dynamic evolving of training samples, and scarcity of training samples. Aiming at these problems, this paper proposes APT-KGL, an intelligent APT detection system based on provenance data and graph neural networks. First, APT-KGL models the system entities and their contextual information in the provenance data by a HPG (Heterogeneous Provenance Graph), and learns a semantic vector representation for each system entity in the HPG in an offline way. Then, APT-KGL performs online APT detection by sampling a small local graph from the HPG and classifying the key system entities as malicious or benign. In addition, to conquer the difficulty of collecting training samples of APT attacks, APT-KGL creates virtual APT training samples from open threat knowledge in a semi-automatic way. We conducted a series of experiments on two provenance datasets with simulated APT attacks. The experiment results show that APT-KGL outperforms other current deep learning based models, and has competitive performance against state-of-the-art rule-based APT detection systems.

Aninda Manocha,Tyler Sorensen,Esin Türeci,Opeoluwa Matthews,Juan L. Aragón,Margaret Martonosi

DOI: https://doi.org/10.1109/tnse.2021.3127557

IF: 6.6

2021-01-01

IEEE Transactions on Network Science and Engineering

Abstract:Graph neural networks (GNNs) have been successfully exploited in graph analysis tasks in many real-world applications. The competition between attack and defense methods also enhances the robustness of GNNs. In this competition, the development of adversarial training methods put forward higher requirement for the diversity of attack examples. By contrast, most attack methods with specific attack strategies are difficult to satisfy such a requirement. To address this problem, we propose GraphAttacker, a novel generic graph attack framework that can flexibly adjust the structures and the attack strategies according to the graph analysis tasks. GraphAttacker generates adversarial examples through alternate training on three key components: the multi-strategy attack generator (MAG), the similarity discriminator (SD), and the attack discriminator (AD), based on the generative adversarial network (GAN). Furthermore, we introduce a novel similarity modification rate SMR to conduct a stealthier attack considering the change of node similarity distribution. Experiments on various benchmark datasets demonstrate that GraphAttacker can achieve state-of-the-art attack performance on graph analysis tasks of node classification, graph classification, and link prediction, no matter the adversarial training is conducted or not. Moreover, we also analyze the unique characteristics of each task and their specific response in the unified attack framework. The project code is available at https://github.com/honoluluuuu/GraphAttacker.

Zhenyuan Li,Yangyang Wei,Xiangmin Shen,Lingzhi Wang,Yan Chen,Haitao Xu,Shouling Ji,Fan Zhang,Liang Hou,Wenmao Liu,Xuhong Zhang,Jianwei Ying

2024-07-10

Abstract:Recent research in both academia and industry has validated the effectiveness of provenance graph-based detection for advanced cyber attack detection and investigation. However, analyzing large-scale provenance graphs often results in substantial overhead. To improve performance, existing detection systems implement various optimization strategies. Yet, as several recent studies suggest, these strategies could lose necessary context information and be vulnerable to evasions. Designing a detection system that is efficient and robust against adversarial attacks is an open problem. We introduce Marlin, which approaches cyber attack detection through real-time provenance graph <a class="link-external link-http" href="http://alignment.By" rel="external noopener nofollow">this http URL</a> leveraging query graphs embedded with attack knowledge, Marlin can efficiently identify entities and events within provenance graphs, embedding targeted analysis and significantly narrowing the search space. Moreover, we incorporate our graph alignment algorithm into a tag propagation-based schema to eliminate the need for storing and reprocessing raw logs. This design significantly reduces in-memory storage requirements and minimizes data processing overhead. As a result, it enables real-time graph alignment while preserving essential context information, thereby enhancing the robustness of cyber attack detection. Moreover, Marlin allows analysts to customize attack query graphs flexibly to detect extended attacks and provide interpretable detection results. We conduct experimental evaluations on two large-scale public datasets containing 257.42 GB of logs and 12 query graphs of varying sizes, covering multiple attack techniques and scenarios. The results show that Marlin can process 137K events per second while accurately identifying 120 subgraphs with 31 confirmed attacks, along with only 1 false positive, demonstrating its efficiency and accuracy in handling massive data.

Cryptography and Security

Bin Luo,Liangguo Chen,Shuhua Ruan,Yonggang Luo

DOI: https://doi.org/10.32604/cmc.2023.045739

2024-01-01

Abstract:Considering the stealthiness and persistence of Advanced Persistent Threats (APTs), system audit logs are leveraged in recent studies to construct system entity interaction provenance graphs to unveil threats in a host. Rule-based provenance graph APT detection approaches require elaborate rules and cannot detect unknown attacks, and existing learning-based approaches are limited by the lack of available APT attack samples or generally only perform graph-level anomaly detection, which requires lots of manual efforts to locate attack entities. This paper proposes an APT-exploited process detection approach called ThreatSniffer, which constructs the benign provenance graph from attack-free audit logs, fits normal system entity interactions and then detects APT-exploited processes by predicting the rationality of entity interactions. Firstly, ThreatSniffer understands system entities in terms of their file paths, interaction sequences, and the number distribution of interaction types and uses the multi-head self-attention mechanism to fuse these semantics. Then, based on the insight that APT-exploited processes interact with system entities they should not invoke, ThreatSniffer performs negative sampling on the benign provenance graph to generate non-existent edges, thus characterizing irrational entity interactions without requiring APT attack samples. At last, it employs a heterogeneous graph neural network as the interaction prediction model to aggregate the contextual information of entity interactions, and locate processes exploited by attackers, thereby achieving fine-grained APT detection. Evaluation results demonstrate that anomaly-based detection enables ThreatSniffer to identify all attack activities. Compared to the node-level APT detection method APT-KGL, ThreatSniffer achieves a 6.1% precision improvement because of its comprehensive understanding of entity semantics.

computer science, information systems,materials science, multidisciplinary

Abdulellah Alsaheel,Yuhong Nan,Shiqing Ma,Le Yu,Gregory Walkup,Z. Berkay Celik,Xiangyu Zhang,Dongyan Xu

2021-01-01

Abstract:Advanced Persistent Threats (APT) involve multiple attack steps over a long period, and their investigation requires analysis of myriad logs to identify their attack steps, which are a set of activities undertaken to run an APT attack. However, on a daily basis in an enterprise, intrusion detection systems generate many threat alerts of suspicious events (attack symptoms). Cyber analysts must investigate such events to determine whether an event is a part of an attack. With many alerts to investigate, cyber analysts often end up with alert fatigue, causing them to ignore a large number of alerts and miss true attack events. In this paper, we present ATLAS, a framework that constructs an end-to-end attack story from off-the-shelf audit logs. Our key observation is that different attacks may share similar abstract attack strategies, regardless of the vulnerabilities exploited and payloads executed. ATLAS leverages a novel combination of causality analysis, natural language processing, and machine learning techniques to build a sequence-based model, which establishes key patterns of attack and non-attack behaviors from a causal graph. At inference time, given a threat alert event, an attack symptom node in a causal graph is identified. ATLAS then constructs a set of candidate sequences associated with the symptom node, uses the sequence-based model to identify nodes in a sequence that contribute to the attack, and unifies the identified attack nodes to construct an attack story. We evaluated ATLAS with ten real-world APT attacks executed in a realistic virtual environment. ATLAS recovers attack steps and construct attack stories with an average of 91.06% precision, 97.29% recall, and 93.76% F1-score. Through this effort, we provide security investigators with a new means of identifying the attack events that make up the attack story.

Ahmed Aly,Shahrear Iqbal,Amr Youssef,Essam Mansour

DOI: https://doi.org/10.1109/tifs.2024.3396390

IF: 7.231

2024-05-14

IEEE Transactions on Information Forensics and Security

Abstract:The stealthy and persistent nature of Advanced Persistent Threats (APTs) makes them one of the most challenging cyber threats to uncover. Several systems adopted the development of provenance-graph-based security solutions to capture this persistent nature. Provenance graphs (PGs) represent system audit logs by connecting system entities using causal relations and information flows. Hunting APTs demands the processing of ever-growing large-scale PGs of audit logs for a wide range of activities over months or years, i.e., multi-terabyte graphs. Existing APT hunting systems are typically memory-based, which suffers colossal memory consumption, or disk-based, which suffers from performance hits. Therefore, these systems are hard to scale in terms of graph size or time performance. In this paper, we propose MEGR-APT, a scalable APT hunting system to discover suspicious subgraphs matching an attack scenario (query graph) published in Cyber Threat Intelligence (CTI) reports. MEGR-APT hunts APTs in a twofold process: (i) memory-efficient extraction of suspicious subgraphs as search queries over a graph database, and (ii) fast subgraph matching based on graph neural network (GNN) and our effective attack representation learning. We compared MEGR-APT with state-of-the-art (SOTA) APT systems using popular APT benchmarks, such as DARPA TC3 and OpTC. We also tested it using a real enterprise dataset. MEGR-APT achieves an order of magnitude reduction in memory consumption while achieving comparable performance to SOTA in terms of time and accuracy.

computer science, theory & methods,engineering, electrical & electronic

Kexiong Fei,Jiang Zhou,Lin Su,Weiping Wang,Yong Chen

DOI: https://doi.org/10.3233/jcs-230092

2024-04-24

Journal of Computer Security

Abstract:With the advancement of network security equipment, insider threats gradually replace external threats and become a critical contributing factor for cluster security threats. When detecting and combating insider threats, existing methods often concentrate on users’ behavior and analyze logs recording their operations in an information system. Traditional sequence-based method considers temporal relationships for user actions, but cannot represent complex logical relationships well between various entities and different behaviors. Current machine learning-based approaches, such as graph-based methods, can establish connections among log entries but have limitations in terms of complexity and identifying malicious behavior of user’s inherent intention. In this paper, we propose Log2Graph, a novel insider threat detection method based on graph convolution neural network. To achieve efficient anomaly detection, Log2Graph first retrieves logs and corresponding features from log files through feature extraction. Specifically, we use an auxiliary feature of anomaly index to describe the relationship between entities, such as users and hosts, instead of establishing complex connections between them. Second, these logs and features are augmented through a combination of oversampling and downsampling, to prepare for the next-stage supervised learning process. Third, we use three elaborated rules to construct the graph of each user by connecting the logs according to chronological and logical relationships. At last, the dedicated built graph convolution neural network is used to detect insider threats. Our validation and extensive evaluation results confirm that Log2Graph can greatly improve the performance of insider threat detection compared to existing state-of-the-art methods.

Jiajun Zhou,Jiacheng Yao,Xuanze Chen,Shanqing Yu,Qi Xuan,Xiaoniu Yang

2024-11-15

Abstract:Lateral movement is a crucial component of advanced persistent threat (APT) attacks in networks. Attackers exploit security vulnerabilities in internal networks or IoT devices, expanding their control after initial infiltration to steal sensitive data or carry out other malicious activities, posing a serious threat to system security. Existing research suggests that attackers generally employ seemingly unrelated operations to mask their malicious intentions, thereby evading existing lateral movement detection methods and hiding their intrusion traces. In this regard, we analyze host authentication log data from a graph perspective and propose a multi-scale lateral movement detection framework called LMDetect. The main workflow of this framework proceeds as follows: 1) Construct a heterogeneous multigraph from host authentication log data to strengthen the correlations among internal system entities; 2) Design a time-aware subgraph generator to extract subgraphs centered on authentication events from the heterogeneous authentication multigraph; 3) Design a multi-scale attention encoder that leverages both local and global attention to capture hidden anomalous behavior patterns in the authentication subgraphs, thereby achieving lateral movement detection. Extensive experiments on two real-world authentication log datasets demonstrate the effectiveness and superiority of our framework in detecting lateral movement behaviors.

Cryptography and Security,Artificial Intelligence

Su Wang,Zhiliang Wang,Tao Zhou,Xia Yin,Dongqi Han,Han Zhang,Hongbin Sun,Xingang Shi,Jiahai Yang

DOI: https://doi.org/10.48550/arXiv.2111.04333

2021-11-08

Abstract:Host-based threats such as Program Attack, Malware Implantation, and Advanced Persistent Threats (APT), are commonly adopted by modern attackers. Recent studies propose leveraging the rich contextual information in data provenance to detect threats in a host. Data provenance is a directed acyclic graph constructed from system audit data. Nodes in a provenance graph represent system entities (e.g., $processes$ and $files$) and edges represent system calls in the direction of information flow. However, previous studies, which extract features of the whole provenance graph, are not sensitive to the small number of threat-related entities and thus result in low performance when hunting stealthy threats. We present threaTrace, an anomaly-based detector that detects host-based threats at system entity level without prior knowledge of attack patterns. We tailor GraphSAGE, an inductive graph neural network, to learn every benign entity's role in a provenance graph. threaTrace is a real-time system, which is scalable of monitoring a long-term running host and capable of detecting host-based intrusion in their early phase. We evaluate threaTrace on three public datasets. The results show that threaTrace outperforms three state-of-the-art host intrusion detection systems.

Cryptography and Security,Machine Learning

David Pujol-Perich,José Suárez-Varela,Albert Cabellos-Aparicio,Pere Barlet-Ros

DOI: https://doi.org/10.48550/arXiv.2107.14756

2021-07-31

Abstract:The last few years have seen an increasing wave of attacks with serious economic and privacy damages, which evinces the need for accurate Network Intrusion Detection Systems (NIDS). Recent works propose the use of Machine Learning (ML) techniques for building such systems (e.g., decision trees, neural networks). However, existing ML-based NIDS are barely robust to common adversarial attacks, which limits their applicability to real networks. A fundamental problem of these solutions is that they treat and classify flows independently. In contrast, in this paper we argue the importance of focusing on the structural patterns of attacks, by capturing not only the individual flow features, but also the relations between different flows (e.g., the source/destination hosts they share). To this end, we use a graph representation that keeps flow records and their relationships, and propose a novel Graph Neural Network (GNN) model tailored to process and learn from such graph-structured information. In our evaluation, we first show that the proposed GNN model achieves state-of-the-art results in the well-known CIC-IDS2017 dataset. Moreover, we assess the robustness of our solution under two common adversarial attacks, that intentionally modify the packet size and inter-arrival times to avoid detection. The results show that our model is able to maintain the same level of accuracy as in previous experiments, while state-of-the-art ML techniques degrade up to 50% their accuracy (F1-score) under these attacks. This unprecedented level of robustness is mainly induced by the capability of our GNN model to learn flow patterns of attacks structured as graphs.

Cryptography and Security,Artificial Intelligence,Machine Learning,Networking and Internet Architecture

Minh Hieu Nguyen,Viet Hung Nguyen,Huu Phong Pham,Ngoc Anh Tran

DOI: https://doi.org/10.1145/3628797.3628943

2023-12-07

Abstract:System logs play a vital role in upholding information security by capturing events to address potential risks. Numerous research initiatives have harnessed log data to create machine learning models geared towards spotting unusual activities within systems. In this pragmatic study, we introduce an innovative approach to detecting anomalies in log data, employing a three-step process encompassing preprocessing, advanced natural language processing (NLP) utilizing BERT, and a custom 1D-CNN classification model. During the preprocessing phase, we tokenize the data and eliminate non-essential elements, while BERT enriches log message representations. Our Sliding Window and Overlapping Mechanism ensures consistent input dimensions. The 1D-CNN model extracts temporal features for robust anomaly detection. Empirical findings on HFDS, BGL, Spirit, and Thunderbird datasets illustrate that our method outperforms prior approaches in identifying network attacks.

Computer Science

E. Taylor,D. Kuhnt,C. Shih,S. Rinzel,G. B. Grindey,J. Barredo,M. Jannatipour,R. Moran

DOI: https://doi.org/10.1021/JM00101A023

IF: 8.039

1992-11-13

Journal of Medicinal Chemistry

Abstract:N-[4-[2-(2-Amino-3,4-dihydro-4-oxo-7H-pyrrolo[2,3-d]pyrimidin-5- yl)ethyl]benzoyl]-L-glutamic acid (15), prepared in five steps from 2-pivaloyl-7-deazaguanine, has been found to be an antitumor agent with its primary site of action at thymidylate synthase rather than purine synthesis. This compound appears to be a promising candidate for clinical evaluation.

Wei Liu,Peng Gao,Haotian Zhang,Ke Li,Weiyong Yang,Xingshen Wei,Jiwu Shu

2024-06-14

Abstract:Complex multi-step attacks have caused significant damage to numerous critical infrastructures. To detect such attacks, graph neural network based methods have shown promising results by modeling the system's events as a graph. However, existing methods still face several challenges when deployed in practice. First, there is a lack of sufficient real attack data especially considering the large volume of normal data. Second, the modeling of event graphs is challenging due to their dynamic and heterogeneous nature. Third, the lack of explanation in learning models undermines the trustworthiness of such methods in production environments. To address the above challenges, in this paper, we propose an attack detection method, Trace2Vec. The approach first designs an erosion function to augment rare attack samples, and integrates them into the event graphs. Next, it models the event graphs via a continuous-time dynamic heterogeneous graph neural network. Finally, it employs the Monte Carlo tree search algorithm to identify events with greater contributions to the attack, thus enhancing the explainability of the detection result. We have implemented a prototype for Trace2Vec, and the experimental evaluations demonstrate its superior detection and explanation performance compared to existing methods.

Cryptography and Security