Abstract: Complex multi-step attacks have caused significant damage to numerous critical infrastructures. Recognizing the pattern of such attacks is a challenging task, and graph neural network based methods have shown promising results by modeling the system's events as a graph. However, existing methods still face several limitations when deployed in practice. First, there is a lack of sufficient real attack data, especially relative to the large volume of normal data. Second, attack patterns are complex and evolve over time due to the dynamic and heterogeneous nature of events. Third, the lack of explanation in learned models undermines the trustworthiness of such methods in production environments. To address the above challenges, in this paper we propose an attack detection method, Trace2Vec. The approach first designs a corruption function to augment rare attack samples and integrates them into the event graphs. Next, it models the event graphs via a continuous-time dynamic heterogeneous graph neural network. Finally, it employs the Monte Carlo tree search algorithm to identify the events that contribute most to the attack, thus enhancing the explainability of the detection result. We have implemented a prototype of Trace2Vec, and the experimental evaluations demonstrate its superior detection and explanation performance compared to existing methods.
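The abstract describes using Monte Carlo tree search to find the events that contribute most to a detector's attack verdict. The following is an added illustration, not code from the Trace2Vec paper or its prototype: it runs a small MCTS over subsets of a constructed event graph, where the detector is replaced by an assumed scoring function (additive per-event weights plus one synergy bonus) standing in for the paper's graph neural network. Event names, weights, the synergy term, the subset size `k` and the function `explain` are all assumptions made for this example.

```python
import math
import random

# Constructed toy event graph: each event carries an assumed contribution weight.
# In the real system these contributions would come from the trained detector.
EVENTS = {
    "e1_login": 0.05,
    "e2_read_config": 0.10,
    "e3_spawn_shell": 0.60,
    "e4_net_connect": 0.45,
    "e5_write_log": 0.02,
    "e6_exfil_upload": 0.55,
}


def attack_score(subset, events=EVENTS):
    """Stand-in for the detector's attack score on a sub-graph (assumption).
    Additive weights plus a bonus when the shell and exfiltration events
    appear together, so the best subset is not simply the top-k weights."""
    synergy = 0.25 if {"e3_spawn_shell", "e6_exfil_upload"} <= subset else 0.0
    return sum(events[e] for e in subset) + synergy


class Node:
    """Search-tree node: a partial subset of events chosen so far."""

    def __init__(self, state, parent=None):
        self.state = state          # frozenset of chosen events
        self.parent = parent
        self.children = {}          # event name -> Node
        self.visits = 0
        self.total = 0.0

    def untried(self, names):
        return [e for e in names if e not in self.state and e not in self.children]


def uct_child(node, c=1.4):
    """Upper-confidence selection among expanded children (all have visits >= 1)."""
    return max(
        node.children.values(),
        key=lambda ch: ch.total / ch.visits + c * math.sqrt(math.log(node.visits) / ch.visits),
    )


def explain(events, k, iterations=2000, seed=0, score_fn=attack_score):
    """Return the k-event subset with the highest score found by MCTS, plus its score."""
    rng = random.Random(seed)
    names = sorted(events)
    root = Node(frozenset())
    best_subset, best_score = frozenset(), float("-inf")
    for _ in range(iterations):
        node = root
        # Selection: descend through fully expanded nodes using UCT.
        while len(node.state) < k and not node.untried(names) and node.children:
            node = uct_child(node)
        # Expansion: add one untried event below the selected node.
        untried = node.untried(names)
        if len(node.state) < k and untried:
            e = rng.choice(untried)
            child = Node(node.state | {e}, node)
            node.children[e] = child
            node = child
        # Rollout: complete the subset with random events and score it.
        state = set(node.state)
        remaining = [e for e in names if e not in state]
        rng.shuffle(remaining)
        while len(state) < k:
            state.add(remaining.pop())
        subset = frozenset(state)
        value = score_fn(subset, events)
        if value > best_score:
            best_subset, best_score = subset, value
        # Backpropagation: credit every node on the path with the rollout value.
        while node is not None:
            node.visits += 1
            node.total += value
            node = node.parent
    return best_subset, best_score


if __name__ == "__main__":
    subset, score = explain(EVENTS, k=3)
    print("most contributing events:", sorted(subset), "score:", round(score, 3))
```

The search keeps the best-scoring completed subset it has seen rather than the most-visited branch, which is the usual choice when the goal is to surface a concrete explanation rather than to pick a single next move. With a real detector, `score_fn` would re-run the model on the sub-graph induced by the chosen events.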