A Hierarchical Approach for Advanced Persistent Threat Detection with Attention-Based Graph Neural Networks
Advanced Persistent Threats (APTs) are the most sophisticated attacks for modern information systems. Currently, more and more researchers begin to focus on graph-based anomaly detection methods that leverage graph data to model normal behaviors and detect outliers for defending against APTs. Howeve...
Published in: | Security and communication networks 2021-05, Vol.2021, p.1-14 |
---|---|
Format: | Article |
Language: | English |
cited_by | cdi_FETCH-LOGICAL-c337t-f775184cc9f7b8bc63ce0a05f6618fb70dc19c3c05ac5b57b28fbb8b687584e93 |
---|---|
cites | cdi_FETCH-LOGICAL-c337t-f775184cc9f7b8bc63ce0a05f6618fb70dc19c3c05ac5b57b28fbb8b687584e93 |
container_end_page | 14 |
container_issue | |
container_start_page | 1 |
container_title | Security and communication networks |
container_volume | 2021 |
creator | Li, Zitong Cheng, Xiang Sun, Lixiao Zhang, Ji Chen, Bing |
description | Advanced Persistent Threats (APTs) are the most sophisticated attacks for modern information systems. Currently, more and more researchers begin to focus on graph-based anomaly detection methods that leverage graph data to model normal behaviors and detect outliers for defending against APTs. However, previous studies of provenance graphs mainly concentrate on system calls, leading to difficulties in modeling network behaviors. Coarse-grained correlation graphs depend on handcrafted graph construction rules and, thus, cannot adequately explore log node attributes. Besides, the traditional Graph Neural Networks (GNNs) fail to consider meaningful edge features and are difficult to perform heterogeneous graphs embedding. To overcome the limitations of the existing approaches, we present a hierarchical approach for APT detection with novel attention-based GNNs. We propose a metapath aggregated GNN for provenance graph embedding and an edge enhanced GNN for host interactive graph embedding; thus, APT behaviors can be captured at both the system and network levels. A novel enhancement mechanism is also introduced to dynamically update the detection model in the hierarchical detection framework. Evaluations show that the proposed method outperforms the state-of-the-art baselines in APT detection. |
doi_str_mv | 10.1155/2021/9961342 |
format | article |
publisher | London: Hindawi |
contributor | Meng, Weizhi |
date | 2021-05-04 |
rights | Copyright © 2021 Zitong Li et al. This is an open access article distributed under the Creative Commons Attribution License (the “License”), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License. https://creativecommons.org/licenses/by/4.0 |
orcid | https://orcid.org/0000-0002-2863-5441 |
toplevel | peer_reviewed; online_resources |
oa | free_for_read |
fulltext | fulltext |
identifier | ISSN: 1939-0114 |
ispartof | Security and communication networks, 2021-05, Vol.2021, p.1-14 |
issn | 1939-0114 1939-0122 |
language | eng |
recordid | cdi_proquest_journals_2527981902 |
source | Wiley Online Library Open Access; Publicly Available Content Database |
subjects | Anomalies Data analysis Embedding Graph neural networks Graph representations Graphs Information systems Natural language Neural networks Outliers (statistics) Semantics Sensors Taxonomy Teaching methods |
title | A Hierarchical Approach for Advanced Persistent Threat Detection with Attention-Based Graph Neural Networks |
url | http://sfxeu10.hosted.exlibrisgroup.com/loughborough?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2024-12-28T20%3A46%3A03IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_cross&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=A%20Hierarchical%20Approach%20for%20Advanced%20Persistent%20Threat%20Detection%20with%20Attention-Based%20Graph%20Neural%20Networks&rft.jtitle=Security%20and%20communication%20networks&rft.au=Li,%20Zitong&rft.date=2021-05-04&rft.volume=2021&rft.spage=1&rft.epage=14&rft.pages=1-14&rft.issn=1939-0114&rft.eissn=1939-0122&rft_id=info:doi/10.1155/2021/9961342&rft_dat=%3Cproquest_cross%3E2527981902%3C/proquest_cross%3E%3Cgrp_id%3Ecdi_FETCH-LOGICAL-c337t-f775184cc9f7b8bc63ce0a05f6618fb70dc19c3c05ac5b57b28fbb8b687584e93%3C/grp_id%3E%3Coa%3E%3C/oa%3E%3Curl%3E%3C/url%3E&rft_id=info:oai/&rft_pqid=2527981902&rft_id=info:pmid/&rfr_iscdi=true |