[1] GHAFIR I, HAMMOUDEH M, PRENOSIL V, et al. Detection of advanced persistent threat using machine-learning correlation analysis[J]. Future Generation Computer Systems, 2018, 89: 349-359.
[2] LI Z Y, CHEN Q A, YANG R Q, et al. Threat detection and investigation with system-level provenance graphs: a survey[J]. Computers & Security, 2021, 106: 102282.
[3] CHEN T M, DONG C Y, LV M Q, et al. APT-KGL: an intelligent APT detection system based on threat knowledge and heterogeneous provenance graph learning[J]. IEEE Transactions on Dependable and Secure Computing, 2022(1): 1-15.
[4] LI Q M, HAN Z C, WU X M. Deeper insights into graph convolutional networks for semi-supervised learning[J]. Proceedings of the AAAI Conference on Artificial Intelligence, 2018, 32(1): 3538-3545.
[5] HOSSAIN M N, MILAJERDI S M, WANG J, et al. SLEUTH: real-time attack scenario reconstruction from COTS audit data[C]//Proceedings of the 26th USENIX Security Symposium, 2017: 487-504.
[6] MILAJERDI S M, GJOMEMO R, ESHETE B, et al. HOLMES: real-time APT detection through correlation of suspicious information flows[C]//Proceedings of the 2019 IEEE Symposium on Security and Privacy. Piscataway: IEEE, 2019: 1137-1152.
[7] HOSSAIN M N, SHEIKHI S, SEKAR R. Combating dependence explosion in forensic analysis using alternative tag propagation semantics[C]//Proceedings of the 2020 IEEE Symposium on Security and Privacy. Piscataway: IEEE, 2020: 1139-1155.
[8] MANZOOR E, MILAJERDI S M, AKOGLU L. Fast memory-efficient anomaly detection in streaming heterogeneous graphs[C]//Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. New York: ACM, 2016: 1035-1044.
[9] MILAJERDI S M, ESHETE B, GJOMEMO R, et al. POIROT: aligning attack behavior with kernel audit records for cyber threat hunting[C]//Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2019: 1795-1812.
[10] ALSAHEEL A, NAN Y, MA S, et al. A sequence-based learning approach for attack investigation[C]//Proceedings of the 30th Security Symposium, 2021: 3005-3022.
[11] LIU F C, WEN Y, ZHANG D X, et al. Log2vec: a heterogeneous graph embedding based approach for detecting cyber threats within enterprise[C]//Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2019: 1777-1794.
[12] DENG D. DBSCAN clustering algorithm based on density[C]//Proceedings of the 2020 7th International Forum on Electrical Engineering and Automation. Piscataway: IEEE, 2020: 949-953.
[13] HAN X Y, PASQUIER T, BATES A, et al. UNICORN: runtime provenance-based detector for advanced persistent threats[EB/OL]. [2024-03-16]. https://arxiv.org/abs/2001.01525.
[14] SHERVASHIDZE N, SCHWEITZER P, VAN LEEUWEN E J, et al. Weisfeiler-Lehman graph kernels[J]. Journal of Machine Learning Research, 2011, 12(9): 2539-2561.
[15] WU Z H, PAN S R, CHEN F W, et al. A comprehensive survey on graph neural networks[J]. IEEE Transactions on Neural Networks and Learning Systems, 2021, 32(1): 4-24.
[16] ZHAO J, YAN Q B, LIU X D, et al. Cyber threat intelligence modeling based on heterogeneous graph convolutional network[C]//Proceedings of the 23rd International Symposium on Research in Attacks, Intrusions and Defenses, 2020: 241-256.
[17] BURGER E W, GOODMAN M D, KAMPANAKIS P, et al. Taxonomy model for cyber threat intelligence information exchange technologies[C]//Proceedings of the 2014 ACM Workshop on Information Sharing & Collaborative Security. New York: ACM, 2014: 51-60.
[18] DONG C Y, LYU M Q, CHEN T M, et al. Heterogeneous provenance graph learning model based APT detection[J]. Computer Science, 2023, 50(4): 359-368.
[19] WANG X, JI H Y, SHI C, et al. Heterogeneous graph attention network[C]//Proceedings of the 2019 World Wide Web Conference. New York: ACM, 2019: 2022-2032.
[20] VELIČKOVIĆ P, CUCURULL G, CASANOVA A, et al. Graph attention networks[C]//Proceedings of the 6th International Conference on Learning Representations, 2018.
[21] KIPF T N, WELLING M. Semi-supervised classification with graph convolutional networks[EB/OL]. [2024-03-16]. https://arxiv.org/abs/1609.02907.
[22] WANG K, SHEN W Z, YANG Y Y, et al. Relational graph attention network for aspect-based sentiment analysis[EB/OL]. [2024-03-16]. https://arxiv.org/abs/2004.12362.
[23] SCHLICHTKRULL M, KIPF T N, BLOEM P, et al. Modeling relational data with graph convolutional networks[C]//Proceedings of the 15th International Conference on the Semantic Web. Cham: Springer, 2018: 593-607.
[24] XU K, LI C, TIAN Y, et al. Representation learning on graphs with jumping knowledge networks[C]//Proceedings of the 35th International Conference on Machine Learning, 2018: 5453-5462.
[25] AHMED Y, ASYHARI A T, ARAFATUR RAHMAN M. A cyber kill chain approach for detecting advanced persistent threats[J]. Computers, Materials & Continua, 2021, 67(2): 2497-2513.
[26] CORTES C, VAPNIK V. Support-vector networks[J]. Machine Learning, 1995, 20: 273-297.
[27] HU Z, DONG Y, WANG K, et al. Heterogeneous graph transformer[C]//Proceedings of the Web Conference 2020. New York: ACM, 2020: 2704-2710.
[28] HU L M, YANG T C, SHI C, et al. Heterogeneous graph attention networks for semi-supervised short text classification[C]//Proceedings of the 2019 Conference on Empirical Methods in Natural Language Processing and the 9th International Joint Conference on Natural Language Processing. Stroudsburg: ACL, 2019: 4821-4830.
[29] HAMILTON W L, YING R, LESKOVEC J. Inductive representation learning on large graphs[EB/OL]. [2024-03-18]. https://arxiv.org/abs/1706.02216.
[30] WANG S, WANG Z L, ZHOU T, et al. THREATRACE: detecting and tracing host-based threats in node level through provenance graph learning[J]. IEEE Transactions on Information Forensics and Security, 2022, 17: 3972-3987.
[31] WANG Q, HASSAN W U, LI D, et al. You are what you do: hunting stealthy malware via data provenance analysis[C]//Proceedings of the 2020 Network and Distributed System Security Symposium, 2020.
[32] YING R, BOURGEOIS D, YOU J X, et al. GNNExplainer: generating explanations for graph neural networks[C]//Advances in Neural Information Processing Systems 32, 2019: 9240-9251.