GET-AID: Graph-Enhanced Transformer for Provenance-Based Advanced Persistent Threats Investigation and Detection
摘要
Advanced Persistent Threats (APTs) pose a serious threat to the security of critical infrastructure and increase the risk of sensitive data leakage. They employ sophisticated techniques to evade detection and thus may bypass defense mechanisms. Current provenance-based methods have yielded promising results in APT detection and investigation, but they still face significant challenges. They rely heavily on prior knowledge, struggle to accurately trace the long-duration propagation of malicious events, and are deficient in attack scenario analysis. To address these challenges, we propose GET-AID, a Graph-Enhanced Transformer for provenance-based Attack Investigation and Detection, which requires no prior knowledge. First, we construct subgraphs from event sequences based on their temporal relationships to enable long-duration node-level tracking. Second, we introduce a two-stage graph encoder that leverages node-level and event-level attention mechanisms to capture the relationships across the subgraphs. Finally, GET-AID identifies anomalous events and generate attack scenarios across subgraphs by tracing associated nodes across subgraphs. Experimental results on multiple real-world APT datasets demonstrate the effectiveness of the proposed GET-AID, achieving precision, recall, and F1-scores of 100% in open-source datasets and approaching 100% in others. Furthermore, results from attack scenario reconstruction, performance overhead analysis, and continuous training validate the end-to-end usability and attack analysis capabilities of the GET-AID framework.