LLMGraph: Label-Free Detection Against APTs in Edge Networks via LLM and GCN

Published: 2025. Last modified: 25 Jan 2026. Venue: IEEE Trans. Dependable Secur. Comput. 2025. License: CC BY-SA 4.0
Abstract: In the growing trend of remote working, millions of edge networks (e.g., homes or branch offices) are increasingly threatened by Advanced Persistent Threats (APTs), because of the weakened segmentation between business and non-business devices in remote working environments. Although numerous APT detection mechanisms have been proposed, all of them struggle to handle the complex structure, the massive scale and the diverse topology of edge networks. Can recent machine-learning advances tackle these APT detection pain points in edge networks? GNNs (Graph Neural Networks) seem suited to capturing the complex structure, but their adjacency matrix fails to capture key network flow context. Additionally, GNNs require extensive manual labeling, which is not scalable. LLMs (Large Language Models) have the potential to provide automatic labeling for the GNNs, but they lack the supplementary security context needed for effective labeling. To address these gaps, we present LLMGraph, which incorporates extended GCNs (Graph Convolutional Networks) and a domain-specific RAG (Retrieval-Augmented Generation) pipeline to achieve label-free detection against APTs in edge networks. LLMGraph's extended GCN model can capture network flow context and direction. LLMGraph's domain-specific RAG pipeline can supplement key security context, including device vulnerabilities and network flows, for effective labeling. Additionally, LLMGraph provides an LLM aggregator to augment and merge the diverse topologies of edge networks. Compared to the state-of-the-art mechanisms, LLMGraph proves effective and scalable, improving the F1-score by at least 46.9%, while the training time for 1 million edge networks is within 1000 s.
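The abstract's central modelling point is that a plain GCN's 0/1 adjacency matrix cannot represent which way a flow went or how much data it carried, which is exactly the context an APT detector over an edge network needs. The following small example, added here and not taken from the paper (it is not LLMGraph's extended GCN), makes that gap concrete: a standard symmetric GCN propagation step produces identical node embeddings when every flow is reversed, while a direction- and volume-aware aggregation does not. The four-device network, the flow records, the one-hot device features and the log10(bytes) message weighting are all constructed assumptions chosen to keep the effect visible in pure Python.

```python
"""Toy illustration of the gap named in the abstract: a plain GCN's symmetric
adjacency matrix discards flow direction and per-flow attributes, while a
directed, edge-feature-aware aggregation keeps them.  Added, self-contained
example on constructed data; not LLMGraph's extended GCN or paper code."""
import math

# Constructed sample edge network: node ids 0..3 stand for
# 0 = employee laptop, 1 = NAS, 2 = printer, 3 = external host.
NODES = ["laptop", "nas", "printer", "external"]

# Constructed flow records: (src, dst, bytes_sent, dst_port).  Direction and
# volume are the "network flow context" a 0/1 adjacency cannot represent.
FLOWS = [
    (0, 1, 2_000_000, 445),   # laptop -> NAS, bulk transfer
    (0, 2, 40_000, 9100),     # laptop -> printer
    (3, 0, 1_200, 443),       # external -> laptop, small inbound
    (0, 3, 900_000, 443),     # laptop -> external, large outbound
]

# Constructed node features: one-hot device class.
X = [
    [1, 0, 0],  # laptop: workstation
    [0, 1, 0],  # nas: server
    [0, 1, 0],  # printer: modelled as server-like
    [0, 0, 1],  # external: unknown
]


def symmetric_adjacency(n, flows):
    """Plain GCN input: undirected 0/1 adjacency plus self-loops.
    Both direction and byte counts are lost at this point."""
    adj = [[0.0] * n for _ in range(n)]
    for src, dst, _bytes, _port in flows:
        adj[src][dst] = 1.0
        adj[dst][src] = 1.0
    for i in range(n):
        adj[i][i] = 1.0
    return adj


def gcn_layer(adj, feats):
    """One Kipf-Welling propagation step, D^-1/2 (A+I) D^-1/2 X, with no
    weight matrix or nonlinearity so the direction-blindness is easy to see."""
    n = len(adj)
    deg = [sum(row) for row in adj]
    out = []
    for i in range(n):
        acc = [0.0] * len(feats[0])
        for j in range(n):
            if adj[i][j]:
                w = adj[i][j] / math.sqrt(deg[i] * deg[j])
                for k, v in enumerate(feats[j]):
                    acc[k] += w * v
        out.append([round(v, 6) for v in acc])
    return out


def directed_flow_layer(n, flows, feats):
    """Direction- and volume-aware aggregation (illustrative, assumed design):
    each node becomes [inbound aggregate | outbound aggregate], with every
    message scaled by log10(bytes) so flow volume reaches the embedding."""
    dim = len(feats[0])
    inbound = [[0.0] * dim for _ in range(n)]
    outbound = [[0.0] * dim for _ in range(n)]
    for src, dst, nbytes, _port in flows:
        scale = math.log10(nbytes)
        for k in range(dim):
            inbound[dst][k] += scale * feats[src][k]   # who sends to dst
            outbound[src][k] += scale * feats[dst][k]  # where src sends
    return [[round(v, 6) for v in inbound[i] + outbound[i]] for i in range(n)]


def reverse_flows(flows):
    """Swap src and dst of every flow; volumes and ports are unchanged."""
    return [(dst, src, b, p) for src, dst, b, p in flows]


def plain_gcn_is_direction_blind(flows, feats):
    """True if reversing every flow leaves the plain GCN output unchanged."""
    n = len(feats)
    before = gcn_layer(symmetric_adjacency(n, flows), feats)
    after = gcn_layer(symmetric_adjacency(n, reverse_flows(flows)), feats)
    return before == after


def directed_layer_is_direction_aware(flows, feats):
    """True if reversing every flow changes the directed layer's output."""
    n = len(feats)
    before = directed_flow_layer(n, flows, feats)
    after = directed_flow_layer(n, reverse_flows(flows), feats)
    return before != after


if __name__ == "__main__":
    print("plain GCN direction-blind:", plain_gcn_is_direction_blind(FLOWS, X))
    print("directed layer direction-aware:", directed_layer_is_direction_aware(FLOWS, X))
    for name, row in zip(NODES, directed_flow_layer(len(X), FLOWS, X)):
        print(f"{name:9s} [in | out] embedding: {row}")
```

The laptop's embedding from the directed layer separates a small inbound component from the external host from a large outbound component towards it, which is the asymmetry a detector would want to reason about; the symmetric GCN collapses both into the same neighbourhood and cannot tell the two cases apart.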