关键词: 溯源图, APT攻击检测, 图注意力网络, 边缩减优化, 图采样

Abstract: Considering the complex nature of advanced persistent threat (APT), the utilization of provenance graphs facilitates the establishment of causal relationships among system events. Existing research endeavors to apply provenance graph techniques to the detection of such attacks and forensic analysis. In response to the issues of provenance graph scalability explosion, the over-smooth phenomenon caused by imbalanced data samples, and the data sparsity problem of relational algorithms due to the excessive diversification of system event types, an improved APT detection method based on multi-dimensional edge optimization of provenance graph is proposed. Firstly, a multi-modular front-end parsing scheme is designed for system kernel logs to address the provenance graph modeling issue in the face of massive log data, and to complement the missing contextual semantics in the original data. Subsequently, a K-hop subgraph sampling method incorporating an edge reduction optimization strategy is employed to focus on the local structures related to attack activities. The multi-dimensional edge features extracted are then leveraged using graph embedding techniques to learn and integrate into an embedded representation of edge attributes. Finally, by introducing the attention computation of multi-dimensional edge attributes and node features within the Graph Attention Networks (GAT), and merging it with the inter-node attention calculations, a hybrid attention mechanism is constructed. The results of hyperparameter tuning and ablation experiments indicate that the proposed method effectively reduces the scale of the provenance graph, concurrently achieving lower computational resource consumption and algorithmic time complexity. Comparative experimental results validate that under conditions of data imbalance and diverse event types, the comprehensive detection performance of the model is significantly enhanced. Compared to traditional relational algorithms such as R-GCN, the Precision, Recall, and F1 scores of the proposed method are improved by 5.70%, 4.35%, and 5.08%, respectively.

Key words: provenance graph, APT detection, graph attention networks, edge optimization, graph sampling