Abstract: Gradually infiltrating through latent malicious connections to form cyberattacks has become a significant threat in cyberspace. Advanced persistent threats (APTs) are such cyberattacks, in which intruders maintain a presence on networks to steal secrets. Detecting APTs by comparing user behavior with normal activity is challenging because attackers often mimic legitimate behavior sequences to evade detection. This article presents CyberProber, which detects APTs by modeling the network as a graph and embedding it with interconnection-interval features, so as to weaken attackers’ mimicry. We first construct an attack intent graph (AIG) that scales down the original network while preserving key suspicious paths. We then embed the AIG by learning connection representations with interconnection-interval features, capturing both structural and temporal dependencies. In this way, we can detect APTs in the small AIG and, starting from the compromised nodes identified in the AIG, uncover further anomalies in the original network. Our experiments demonstrate that CyberProber outperforms baselines in APT detection.
External IDs: dblp:journals/tii/HaoLSCZF25