STGAN: Detecting Host Threats via Fusion of Spatial-Temporal Features in Host Provenance Graphs
Track: Security and privacy
Keywords: Network Security, Host Provenance Graph, Graph Anomaly Detection
TL;DR: We propose a novel anomaly detection method that first introduces spatial temporal graphs into provenance-based detection, enabling multi-dimensional feature extraction and fusion to significantly improve detection performance for cyberattacks.
Abstract: As the complexity and frequency of cyberattacks, such as Advanced Persistent Threats (APTs) and ransomware, continue to escalate, traditional anomaly detection methods have proven inadequate in addressing these sophisticated, multi-faceted threats. Recently, Host Provenance Graphs (HPGs) have played a crucial role in analyzing system-level interactions, detecting anomalous behaviors, and tracing attack chains. However, existing provenance-based detection methods primarily rely on single-dimensional feature analysis, which fails to capture the dynamic and multi-dimensional patterns of modern APT attacks, resulting in insufficient detection performance. To overcome this limitation, we introduce STGAN, a model that integrates spatial-temporal graphs into host provenance graph modeling. STGAN applies temporal and spatial encoding to dynamic provenance graphs to extract temporal, spatial, and semantic features, constructing a comprehensive feature representation. This representation is further fused and enhanced using a multi-head self-attention mechanism, followed by anomaly detection. Through extensive evaluations on three widely-used provenance graph datasets, we demonstrate that our approach consistently outperforms current state-of-the-art techniques in terms of detection performance. Additionally, we contribute to the research community by releasing our datasets and code, facilitating further exploration and validation.
Submission Number: 843
Loading