Gespeichert in:
Bibliographische Detailangaben
Hauptverfasser: Liu, Wei, Gao, Peng, Zhang, Haotian, Li, Ke, Yang, Weiyong, Wei, Xingshen, Shu, Jiwu
Format: Preprint
Veröffentlicht: 2024
Schlagworte:
Online-Zugang:https://arxiv.org/abs/2405.11335
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
_version_ 1866929385355870208
author Liu, Wei
Gao, Peng
Zhang, Haotian
Li, Ke
Yang, Weiyong
Wei, Xingshen
Shu, Jiwu
author_facet Liu, Wei
Gao, Peng
Zhang, Haotian
Li, Ke
Yang, Weiyong
Wei, Xingshen
Shu, Jiwu
contents Complex multi-step attacks have caused significant damage to numerous critical infrastructures. To detect such attacks, graph neural network based methods have shown promising results by modeling the system's events as a graph. However, existing methods still face several challenges when deployed in practice. First, there is a lack of sufficient real attack data especially considering the large volume of normal data. Second, the modeling of event graphs is challenging due to their dynamic and heterogeneous nature. Third, the lack of explanation in learning models undermines the trustworthiness of such methods in production environments. To address the above challenges, in this paper, we propose an attack detection method, Trace2Vec. The approach first designs an erosion function to augment rare attack samples, and integrates them into the event graphs. Next, it models the event graphs via a continuous-time dynamic heterogeneous graph neural network. Finally, it employs the Monte Carlo tree search algorithm to identify events with greater contributions to the attack, thus enhancing the explainability of the detection result. We have implemented a prototype for Trace2Vec, and the experimental evaluations demonstrate its superior detection and explanation performance compared to existing methods.
format Preprint
id arxiv_https___arxiv_org_abs_2405_11335
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle Detecting Complex Multi-step Attacks with Explainable Graph Neural Network
Liu, Wei
Gao, Peng
Zhang, Haotian
Li, Ke
Yang, Weiyong
Wei, Xingshen
Shu, Jiwu
Cryptography and Security
Complex multi-step attacks have caused significant damage to numerous critical infrastructures. To detect such attacks, graph neural network based methods have shown promising results by modeling the system's events as a graph. However, existing methods still face several challenges when deployed in practice. First, there is a lack of sufficient real attack data especially considering the large volume of normal data. Second, the modeling of event graphs is challenging due to their dynamic and heterogeneous nature. Third, the lack of explanation in learning models undermines the trustworthiness of such methods in production environments. To address the above challenges, in this paper, we propose an attack detection method, Trace2Vec. The approach first designs an erosion function to augment rare attack samples, and integrates them into the event graphs. Next, it models the event graphs via a continuous-time dynamic heterogeneous graph neural network. Finally, it employs the Monte Carlo tree search algorithm to identify events with greater contributions to the attack, thus enhancing the explainability of the detection result. We have implemented a prototype for Trace2Vec, and the experimental evaluations demonstrate its superior detection and explanation performance compared to existing methods.
title Detecting Complex Multi-step Attacks with Explainable Graph Neural Network
topic Cryptography and Security
url https://arxiv.org/abs/2405.11335