A Heterogeneous Graph Learning Model for Cyber-Attack Detection
Format | Journal Article |
---|---|
Language | English |
Published | 16.12.2021 |
Summary: | A cyber-attack is a malicious attempt by experienced hackers to breach the target information system. Usually, cyber-attacks are characterized by hybrid TTPs (Tactics, Techniques, and Procedures) and long-term adversarial behaviors, making traditional intrusion detection methods ineffective. Most existing cyber-attack detection systems are implemented based on manually designed rules that draw on domain knowledge (e.g., threat models, threat intelligence). However, this process lacks intelligence and generalization ability. To address this limitation, this paper proposes an intelligent cyber-attack detection method based on provenance data. To detect cyber-attacks effectively and efficiently among the huge number of system events in the provenance data, we first model the provenance data as a heterogeneous graph to capture the rich context information of each system entity (e.g., process, file, socket, etc.) and learn a semantic vector representation for each system entity. Then, we perform online cyber-attack detection by sampling a small and compact local graph from the heterogeneous graph and classifying the key system entities as malicious or benign. We conducted a series of experiments on two provenance datasets with real cyber-attacks. The experimental results show that the proposed method outperforms other learning-based detection models and has competitive performance against state-of-the-art rule-based cyber-attack detection systems. |
---|---|
DOI: | 10.48550/arxiv.2112.08986 |