Heterogeneous Provenance Graph Learning Model Based APT Detection


Bibliographic Details
Main Authors: DONG Chengyu, LYU Mingqi, CHEN Tieming, ZHU Tiantian (College of Computer Science & Technology, Zhejiang University of Technology, Hangzhou 310023, China)
Format: Article
Language: Chinese (zho)
Published: Editorial office of Computer Science, 2023-04-01
Series: Jisuanji kexue (Computer Science), ISSN 1002-137X, Vol. 50, No. 4, pp. 359-368
DOI: 10.11896/jsjkx.220300040
Subjects: APT detection; graph neural network; provenance graph; host-based security; data-driven security
Online Access: https://www.jsjkx.com/fileup/1002-137X/PDF/1002-137X-2023-50-4-359.pdf
Description: APTs (advanced persistent threats) are sustained, sophisticated cyber-attacks mounted by organized adversary groups to breach a target information system. APTs typically last a long time and combine multiple attack techniques, which makes traditional intrusion detection methods ineffective. Most existing APT detection systems rely on manually designed rules derived from domain knowledge (e.g., ATT&CK). This approach lacks intelligence and generalization ability, and it struggles to detect unknown APT attacks. To address this limitation, this paper proposes an intelligent APT detection method based on provenance data and graph neural networks. To capture the rich context information in the diverse attack techniques of APTs, it first models the system entities in the provenance data (e.g., processes, files, sockets) as a provenance graph and learns a semantic vector representation for each system entity with a heterogeneous graph learning model. Then, to cope with the graph-scale explosion caused by the long-running behaviour of APTs, detection is performed by sampling a local graph from the large-scale heterogeneous graph and classifying the key system entities as malicious or benign with graph convolutional networks. Experiments are conducted on two datasets containing real APT attacks. The results show that the overall performance of the proposed method exceeds that of other learning-based detection models as well as state-of-the-art rule-based APT detection systems.
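As an added illustration (not code from the paper or its authors), the following Python builds a small heterogeneous provenance graph from a constructed set of audit events, samples a bounded local subgraph around one process so that a per-entity classifier never sees the whole long-running graph, and runs a single mean-aggregation message-passing step over that subgraph. The events, the per-relation fan-out cap, the feature encoding and the aggregation rule are assumptions made for this example, not the paper's model.

```python
"""Heterogeneous provenance graph: construction, bounded local sampling and one
neighbourhood-aggregation step. Added illustration, not the paper's code."""
from collections import Counter, defaultdict, deque

# Constructed audit events (subject, relation, object). Node ids carry their
# entity type as a prefix. This is a made-up trace, not real data.
EVENTS = [
    ("process:sshd",      "exec",    "process:bash"),
    ("process:bash",      "exec",    "process:curl"),
    ("process:curl",      "connect", "socket:203.0.113.5:443"),
    ("process:curl",      "write",   "file:/tmp/update.sh"),
    ("process:bash",      "exec",    "process:sh"),
    ("process:sh",        "read",    "file:/tmp/update.sh"),
    ("process:sh",        "read",    "file:/etc/passwd"),
    ("process:sh",        "connect", "socket:203.0.113.5:4444"),
    ("process:cron",      "exec",    "process:logrotate"),
    ("process:logrotate", "write",   "file:/var/log/syslog.1"),
]


def build_graph(events):
    """Return (adj, types). adj[node] is a list of (neighbour, relation, direction);
    direction is "out" when node is the event subject and "in" when it is the object."""
    adj = defaultdict(list)
    types = {}
    for subj, rel, obj in events:
        types[subj] = subj.split(":", 1)[0]
        types[obj] = obj.split(":", 1)[0]
        adj[subj].append((obj, rel, "out"))
        adj[obj].append((subj, rel, "in"))
    return adj, types


def sample_local_graph(adj, seed, hops=2, fanout=3):
    """Breadth-first sample around `seed`. At each node at most `fanout` neighbours
    are kept per (relation, direction) pair, so a hub such as a long-lived shell
    cannot pull the entire provenance graph into the sample. Returns the set of
    sampled nodes and the set of canonical (subject, object, relation) edges."""
    depth = {seed: 0}
    edges = set()
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if depth[node] >= hops:
            continue
        kept = Counter()
        for nbr, rel, direction in adj[node]:
            if kept[(rel, direction)] >= fanout:
                continue
            kept[(rel, direction)] += 1
            edges.add((node, nbr, rel) if direction == "out" else (nbr, node, rel))
            if nbr not in depth:
                depth[nbr] = depth[node] + 1
                queue.append(nbr)
    return set(depth), edges


def node_features(adj, types, node):
    """One-hot entity type plus a bag of (direction, relation) edge counts."""
    feats = Counter({"type:" + types[node]: 1.0})
    for _, rel, direction in adj[node]:
        feats[direction + ":" + rel] += 1.0
    return feats


def aggregate(adj, types, edges, node):
    """One mean-aggregation message-passing step restricted to the sampled edges:
    h'(v) = h(v) + mean over sampled neighbours u of h(u)."""
    nbrs = {s if o == node else o for s, o, _ in edges if node in (s, o)}
    out = node_features(adj, types, node)
    for u in nbrs:
        for key, val in node_features(adj, types, u).items():
            out[key] += val / len(nbrs)
    return dict(out)


if __name__ == "__main__":
    adj, types = build_graph(EVENTS)
    nodes, edges = sample_local_graph(adj, "process:sh")
    print(len(nodes), "nodes,", len(edges), "edges around process:sh")
    for key, val in sorted(aggregate(adj, types, edges, "process:sh").items()):
        print(f"  {key:14s} {val:.2f}")
```

With a 2-hop sample the unrelated cron/logrotate branch and the curl socket never enter the local graph, and lowering `fanout` to 1 drops one of the two files read by `process:sh`, which is the trade-off the bounded sampling makes between graph size and context.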