Advanced Persistent Threats (APTs) pose significant challenges to cybersecurity due to their stealth and persistence. Provenance-based intrusion detection methods address this by first modeling historical system activities using audit logs, and then identifying diverse APT patterns through contextual analysis. Given the scarcity of labeled APT data, recent studies have adopted self-supervised learning methods to capture benign system behaviors, and then detect anomalies as deviations from learned normal patterns. However, existing methods struggle to distinguish sophisticated benign activities from attack patterns due to their limited semantic understanding of system behaviors. In this paper, we introduce TRAP, an anomaly detection system that employs multi-scale training strategies to optimize provenance graph representations for enhanced attack detection. First, a node-level feature reconstruction task is designed to extract fine-grained node semantics within system behaviors. Second, a contrastive learning technique is employed to align the edge- and graph-level contextual semantics across diverse augmented provenance graph views, fostering a more comprehensive representation of behavioral patterns. Third, to bolster the efficacy of contrastive learning, we devise a tailored graph augmentation strategy that exploits the temporal evolution dynamics of the provenance graph to produce multiple augmented views that balance semantic consistency and diversity. Extensive experiments demonstrate that TRAP outperforms existing APT detection systems. Code is available at: https://github.com/xueboQiu/TRAP .

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Provenance-Based Intrusion Detection via Multi-scale Graph Representation Learning

  • Xuebo Qiu,
  • Mingqi Lv,
  • Tieming Chen,
  • Tiantian Zhu,
  • Qijie Song

摘要

Advanced Persistent Threats (APTs) pose significant challenges to cybersecurity due to their stealth and persistence. Provenance-based intrusion detection methods address this by first modeling historical system activities using audit logs, and then identifying diverse APT patterns through contextual analysis. Given the scarcity of labeled APT data, recent studies have adopted self-supervised learning methods to capture benign system behaviors, and then detect anomalies as deviations from learned normal patterns. However, existing methods struggle to distinguish sophisticated benign activities from attack patterns due to their limited semantic understanding of system behaviors. In this paper, we introduce TRAP, an anomaly detection system that employs multi-scale training strategies to optimize provenance graph representations for enhanced attack detection. First, a node-level feature reconstruction task is designed to extract fine-grained node semantics within system behaviors. Second, a contrastive learning technique is employed to align the edge- and graph-level contextual semantics across diverse augmented provenance graph views, fostering a more comprehensive representation of behavioral patterns. Third, to bolster the efficacy of contrastive learning, we devise a tailored graph augmentation strategy that exploits the temporal evolution dynamics of the provenance graph to produce multiple augmented views that balance semantic consistency and diversity. Extensive experiments demonstrate that TRAP outperforms existing APT detection systems. Code is available at: https://github.com/xueboQiu/TRAP .