Chaos: Robust Spatio-Temporal Fusion for Generalizable APT Provenance Tracing
摘要
As Advanced Persistent Threat (APT) attacks continue to evolve, critical information infrastructure faces increasingly severe security risks. Log-based provenance detection systems have become an effective defense mechanism. However, despite addressing many issues, existing solutions still exhibit several notable shortcomings: 1) they require attack information and expert knowledge, 2) they struggle to manage large-scale provenance graphs composed of massive data, 3) they insufficiently capture long-distance contextual dependencies within provenance graphs, and 4) they cannot adapt to benign changes in system behavior. To address these challenges, we propose Chaos, an intrusion detection system (IDS) that balances behavioral structures and temporal dependencies. Specifically, Chaos employs a soft segmentation strategy for large-scale provenance graphs, effectively extracting sub-events while preserving event structures. It then utilizes Graph Neural Networks (GNNs) to learn system behavior structures and combines Long Short-Term Memory (LSTM) networks to capture temporal dependencies between entities. Finally, it implements anomaly detection using a lightweight classifier and further suppresses false positives through the Elastic Weight Consolidation (EWC) mechanism. Evaluated across multiple real-world datasets, Chaos demonstrates exceptional detection accuracy, significantly reduces false alarms, and exhibits a degree of resistance against adversarial attacks.