PDCleaner: A multi-view collaborative data compression method for provenance graph-based APT detection systems

Bibliographic Details
Published in:Computers & security 2025-05, Vol.152, p.104359, Article 104359
Main Authors: Jin, Jiaobo, Zhu, Tiantian, Yuan, Qixuan, Chen, Tieming, Lv, Mingqi, Zheng, Chenbin, Mei, Jian-Ping, Pan, Xiang
Format: Article
Language:English
Description
Summary:In recent years, advanced persistent threats (APTs) have frequently occurred with increasing severity on a global scale. Provenance graph-based APT detection systems have demonstrated significant effectiveness. However, current data compression methods face challenges in processing massive data volumes, including compression imbalance, limited generality, and semantic loss. To address these challenges, we propose PDCleaner, a multi-perspective collaborative data compression method designed to preserve the semantics of provenance graphs. This method comprises three core strategies: a global semantics-driven event deletion strategy, a behavior-preserving entity aggregation strategy, and a similarity-based event chain merging strategy. These strategies collaboratively compress data across three perspectives: events, entities, and event chains, resulting in concise and generalizable datasets suitable for model training and prediction. Experimental results indicate that the multi-perspective collaborative compression method achieves a compression rate of 14.43X while maintaining an average semantic loss of only 4.98%, significantly reducing data size and preserving provenance graph semantics. Furthermore, in a deep learning-based threat detection model, this method reduces training time by up to 20.22% and improves the F1 score by 0.051, offering an optimal data foundation for efficient and accurate threat detection.
ISSN:0167-4048
DOI:10.1016/j.cose.2025.104359
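Added illustration, not code from the PDCleaner paper or its authors: the abstract names three compression views (events, entities, event chains) but gives no rules for them, so the script below uses simplified stand-ins that are assumptions of this example, namely (1) deleting events whose (operation, object) pair is touched by almost every subject, (2) aggregating entities with identical in/out neighbourhoods and collapsing the resulting duplicate events, and (3) merging consecutive repeats of an identical per-subject event sub-sequence. The trace is constructed, not real telemetry. The point a practitioner wants to see is the one the abstract makes about semantic loss: after all three stages the drop-and-execute behaviour must still be visible to a detector, which the last function checks.

```python
"""
Illustrative three-view compression of a small provenance graph.

Example added to this record, NOT the PDCleaner implementation. All three
rules are simplified assumptions standing in for the paper's strategies:
  1. event deletion    - drop (op, object) pairs performed by >= 80% of all
                         subjects (global frequency heuristic);
  2. entity aggregation - merge entities whose in/out neighbourhood sets are
                         identical, then drop duplicates that the merge creates;
  3. chain merging     - per subject, collapse consecutive repeats of the same
                         event sub-sequence (similarity reduced to equality).
"""
from collections import defaultdict
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Event:
    subject: str      # acting process
    op: str           # read / write / exec / connect
    obj: str          # file, socket or spawned process
    count: int = 1    # >1 after chain merging: this event repeated N times


# Constructed sample trace: a shell loads libc, reads a config, spawns three
# identical curl workers and a python job that loops over config/log and
# finally writes a payload to /tmp and executes it.
SAMPLE = [Event(s, o, t) for s, o, t in [
    ("bash", "read", "libc.so"), ("bash", "read", "/etc/config"),
    ("bash", "exec", "curl1"), ("bash", "exec", "curl2"), ("bash", "exec", "curl3"),
    ("curl1", "read", "libc.so"), ("curl1", "connect", "10.0.0.5:443"),
    ("curl2", "read", "libc.so"), ("curl2", "connect", "10.0.0.5:443"),
    ("curl3", "read", "libc.so"), ("curl3", "connect", "10.0.0.5:443"),
    ("bash", "exec", "python"),
    ("python", "read", "libc.so"),
    ("python", "read", "/etc/config"), ("python", "write", "/var/log/app.log"),
    ("python", "read", "/etc/config"), ("python", "write", "/var/log/app.log"),
    ("python", "read", "/etc/config"), ("python", "write", "/var/log/app.log"),
    ("python", "write", "/tmp/payload"), ("python", "exec", "/tmp/payload"),
]]


def delete_global_events(events, threshold=0.8):
    """View 1: drop (op, obj) pairs performed by >= threshold of all subjects."""
    subjects = {e.subject for e in events}
    touched = defaultdict(set)
    for e in events:
        touched[(e.op, e.obj)].add(e.subject)
    noisy = {k for k, s in touched.items() if len(s) / len(subjects) >= threshold}
    return [e for e in events if (e.op, e.obj) not in noisy]


def aggregate_entities(events):
    """View 2: merge entities with identical in/out neighbourhoods and collapse
    the duplicate events that the renaming produces (untouched events are kept)."""
    outgoing, incoming = defaultdict(set), defaultdict(set)
    for e in events:
        outgoing[e.subject].add((e.op, e.obj))
        incoming[e.obj].add((e.subject, e.op))
    groups = defaultdict(list)
    for ent in set(outgoing) | set(incoming):
        groups[(frozenset(outgoing[ent]), frozenset(incoming[ent]))].append(ent)
    rename = {}
    for members in groups.values():
        if len(members) > 1:
            members.sort()
            canon = f"{members[0]}[x{len(members)}]"   # e.g. curl1[x3]
            rename.update({m: canon for m in members})
    out, seen = [], set()
    for e in events:
        r = replace(e, subject=rename.get(e.subject, e.subject),
                    obj=rename.get(e.obj, e.obj))
        if r != e:                # only rewritten events can become duplicates
            if r in seen:
                continue
            seen.add(r)
        out.append(r)
    return out


def merge_chains(events):
    """View 3: per subject, collapse consecutive repeats of the same event
    sub-sequence, trying the longest repeating pattern first."""
    per_subject = defaultdict(list)
    for e in events:
        per_subject[e.subject].append(e)
    out = []
    for seq in per_subject.values():
        i, n = 0, len(seq)
        while i < n:
            for k in range((n - i) // 2, 0, -1):
                pattern, reps = seq[i:i + k], 1
                while seq[i + reps * k:i + (reps + 1) * k] == pattern:
                    reps += 1
                if reps > 1:
                    break
            else:
                k, reps = 1, 1    # no repeat starting here: keep one event
            out.extend(replace(e, count=e.count * reps) for e in seq[i:i + k])
            i += k * reps
    return out


def compress(events):
    """Run the three views in order; return compressed events and size per stage."""
    sizes = [len(events)]
    for stage in (delete_global_events, aggregate_entities, merge_chains):
        events = stage(events)
        sizes.append(len(events))
    return events, sizes


def has_drop_and_exec(events):
    """Semantics a detector must still see: a subject writes a file, then executes it."""
    written = set()
    for e in events:
        if e.op == "write":
            written.add((e.subject, e.obj))
        elif e.op == "exec" and (e.subject, e.obj) in written:
            return True
    return False


if __name__ == "__main__":
    compressed, sizes = compress(SAMPLE)
    print("events per stage:", sizes, f"-> {sizes[0] / sizes[-1]:.2f}x")
    for e in compressed:
        print(f"{e.subject:11} {e.op:8} {e.obj}" + (f"  x{e.count}" if e.count > 1 else ""))
    print("drop-and-exec preserved:", has_drop_and_exec(compressed))
```

On the sample the stages shrink the trace from 21 to 16, 12 and finally 8 events (about 2.6x), and the write-then-exec chain survives. Two caveats carry over to any real implementation of this idea: the frequency rule in view 1 deletes whatever is globally common, so an attacker-controlled object that every process touches (a trojaned shared library, for instance) would be removed along with libc, and view 3 loses the interleaving between subjects because it regroups events per subject. Whether such losses matter is exactly what the paper's semantic-loss measurement is meant to quantify.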