Advanced Persistent Threats (APTs) pose a serious threat to the security of critical infrastructure and increase the risk of sensitive data leakage. They employ sophisticated techniques to evade detection and thus may bypass defense mechanisms. Current provenance-based methods have yielded promising results in APT detection and investigation, but they still face significant challenges. They rely heavily on prior knowledge, struggle to accurately trace the long-duration propagation of malicious events, and are deficient in attack scenario analysis. To address these challenges, we propose GET-AID, a Graph-Enhanced Transformer for provenance-based Attack Investigation and Detection, which requires no prior knowledge. First, we construct subgraphs from event sequences based on their temporal relationships to enable long-duration node-level tracking. Second, we introduce a two-stage graph encoder that leverages node-level and event-level attention mechanisms to capture the relationships across the subgraphs. Finally, GET-AID identifies anomalous events and generate attack scenarios across subgraphs by tracing associated nodes across subgraphs. Experimental results on multiple real-world APT datasets demonstrate the effectiveness of the proposed GET-AID, achieving precision, recall, and F1-scores of 100% in open-source datasets and approaching 100% in others. Furthermore, results from attack scenario reconstruction, performance overhead analysis, and continuous training validate the end-to-end usability and attack analysis capabilities of the GET-AID framework.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

GET-AID: Graph-Enhanced Transformer for Provenance-Based Advanced Persistent Threats Investigation and Detection

  • Zhicheng Huang,
  • Fengyuan Xu,
  • Jiahong Yang,
  • Wenting Li,
  • Zonghua Zhang,
  • Chenbin Zhang,
  • Meng Ma,
  • Ping Wang

摘要

Advanced Persistent Threats (APTs) pose a serious threat to the security of critical infrastructure and increase the risk of sensitive data leakage. They employ sophisticated techniques to evade detection and thus may bypass defense mechanisms. Current provenance-based methods have yielded promising results in APT detection and investigation, but they still face significant challenges. They rely heavily on prior knowledge, struggle to accurately trace the long-duration propagation of malicious events, and are deficient in attack scenario analysis. To address these challenges, we propose GET-AID, a Graph-Enhanced Transformer for provenance-based Attack Investigation and Detection, which requires no prior knowledge. First, we construct subgraphs from event sequences based on their temporal relationships to enable long-duration node-level tracking. Second, we introduce a two-stage graph encoder that leverages node-level and event-level attention mechanisms to capture the relationships across the subgraphs. Finally, GET-AID identifies anomalous events and generate attack scenarios across subgraphs by tracing associated nodes across subgraphs. Experimental results on multiple real-world APT datasets demonstrate the effectiveness of the proposed GET-AID, achieving precision, recall, and F1-scores of 100% in open-source datasets and approaching 100% in others. Furthermore, results from attack scenario reconstruction, performance overhead analysis, and continuous training validate the end-to-end usability and attack analysis capabilities of the GET-AID framework.