A Hierarchical Approach for Advanced Persistent Threat Detection with Attention-Based Graph Neural Networks

Advanced Persistent Threats (APTs) are the most sophisticated attacks for modern information systems. Currently, more and more researchers begin to focus on graph-based anomaly detection methods that leverage graph data to model normal behaviors and detect outliers for defending against APTs. Howeve...

Full description

Saved in:
Bibliographic Details
Published in:Security and communication networks 2021-05, Vol.2021, p.1-14
Main Authors: Li, Zitong, Cheng, Xiang, Sun, Lixiao, Zhang, Ji, Chen, Bing
Format: Article
Language:English
Subjects:
Anomalies
Data analysis
Embedding
Graph neural networks
Graph representations
Graphs
Information systems
Natural language
Neural networks
Outliers (statistics)
Semantics
Sensors
Taxonomy
Teaching methods
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Advanced Persistent Threats (APTs) are the most sophisticated attacks for modern information systems. Currently, more and more researchers begin to focus on graph-based anomaly detection methods that leverage graph data to model normal behaviors and detect outliers for defending against APTs. However, previous studies of provenance graphs mainly concentrate on system calls, leading to difficulties in modeling network behaviors. Coarse-grained correlation graphs depend on handcrafted graph construction rules and, thus, cannot adequately explore log node attributes. Besides, the traditional Graph Neural Networks (GNNs) fail to consider meaningful edge features and are difficult to perform heterogeneous graphs embedding. To overcome the limitations of the existing approaches, we present a hierarchical approach for APT detection with novel attention-based GNNs. We propose a metapath aggregated GNN for provenance graph embedding and an edge enhanced GNN for host interactive graph embedding; thus, APT behaviors can be captured at both the system and network levels. A novel enhancement mechanism is also introduced to dynamically update the detection model in the hierarchical detection framework. Evaluations show that the proposed method outperforms the state-of-the-art baselines in APT detection.
ISSN:1939-0114
1939-0122
DOI:10.1155/2021/9961342