Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
120 tokens/sec
GPT-4o
7 tokens/sec
Gemini 2.5 Pro Pro
46 tokens/sec
o3 Pro
4 tokens/sec
GPT-4.1 Pro
38 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

ProvG-Searcher: A Graph Representation Learning Approach for Efficient Provenance Graph Search (2309.03647v2)

Published 7 Sep 2023 in cs.CR

Abstract: We present ProvG-Searcher, a novel approach for detecting known APT behaviors within system security logs. Our approach leverages provenance graphs, a comprehensive graph representation of event logs, to capture and depict data provenance relations by mapping system entities as nodes and their interactions as edges. We formulate the task of searching provenance graphs as a subgraph matching problem and employ a graph representation learning method. The central component of our search methodology involves embedding of subgraphs in a vector space where subgraph relationships can be directly evaluated. We achieve this through the use of order embeddings that simplify subgraph matching to straightforward comparisons between a query and precomputed subgraph representations. To address challenges posed by the size and complexity of provenance graphs, we propose a graph partitioning scheme and a behavior-preserving graph reduction method. Overall, our technique offers significant computational efficiency, allowing most of the search computation to be performed offline while incorporating a lightweight comparison step during query execution. Experimental results on standard datasets demonstrate that ProvG-Searcher achieves superior performance, with an accuracy exceeding 99% in detecting query behaviors and a false positive rate of approximately 0.02%, outperforming other approaches.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (86)
  1. ATLAS: A Sequence-based Learning Approach for Attack Investigation. In USENIX Security Symposium.
  2. Ben Athiwaratkun and Andrew Gordon Wilson. 2018. Hierarchical density order embeddings. arXiv preprint arXiv:1804.09843 (2018).
  3. MITRE ATT&CK. 2021. MITRE ATT&CK. https://attack.mitre.org. Accessed: February 28, 2023.
  4. Accurate learning of graph representations with graph multiset pooling. arXiv preprint arXiv:2102.11533.
  5. Simgnn: A neural network approach to fast graph similarity computation. In WSDM.
  6. Trustworthy whole-system provenance for the linux kernel. In USENIX Security Symposium. 319–334.
  7. A Survey on Malware Detection with Graph Representation Learning. arXiv preprint arXiv:2303.16004 (2023).
  8. Graph representation learning: a survey. APSIPA (2020), e15.
  9. One-class order embedding for dependency relation prediction. In ACM SIGIR. 205–214.
  10. Cluster-gcn: An efficient algorithm for training deep and large graph convolutional networks. In SIGKDD. 257–266.
  11. DARPA. 2014. Transparent Computing. http://www.darpa.mil/program/transparent-computing.
  12. LMKG: Learned Models for Cardinality Estimation in Knowledge Graphs. arXiv preprint arXiv:2102.10588 (2021).
  13. Ashita Diwan. 2021. Representation Learning for Vulnerability Detection on Assembly Code. McGill University (Canada).
  14. {{\{{Back-Propagating}}\}} System Dependency Impact for Attack Investigation. In USENIX Security Symposium. 2461–2478.
  15. SEAL: Storage-efficient Causality Analysis on Enterprise Logs with Query-friendly Compression.. In USENIX Security Symposium. 2987–3004.
  16. Fidelis. 2013. fta-1009—njrat-uncovered-1.pdf — Box Destekli. https://app.box.com/s/vdg51zbfvap52w60zj0is3l1dmyya0n4. (Accessed on 08/13/2023).
  17. Fortinet. 2019. Analysis of a New HawkEye Variant. https://www.fortinet.com/blog/threat-research/hawkeye-malware-analysis. (Accessed on 08/13/2023).
  18. Enabling Efficient Cyber Threat Hunting With Cyber Threat Intelligence. In ICDE. 193–204.
  19. Inductive Representation Learning on Large Graphs. In NIPS.
  20. Representation Learning on Graphs: Methods and Applications. IEEE Data Eng. Bull. (2017).
  21. Unicorn: Runtime provenance-based detector for advanced persistent threats. arXiv preprint arXiv:2001.01525 (2020).
  22. Towards scalable cluster auditing through grammatical inference over provenance graphs. In NDSS.
  23. Tactical provenance analysis for endpoint detection and response systems. In S&P. 1172–1189.
  24. Nodoze: Combatting threat alert fatigue with automated provenance triage. In NDSS.
  25. This is why we can’t cache nice things: Lightning-fast threat hunting using suspicion-based hierarchical storage. In ACSAC. 165–178.
  26. OmegaLog: High-fidelity attack investigation via transparent multi-layer log analysis. In NDSS.
  27. SLEUTH: Real-time Attack Scenario Reconstruction from COTS Audit Data.. In USENIX Security Symposium. 487–504.
  28. Combating dependence explosion in forensic analysis using alternative tag propagation semantics. In S&P. 1139–1155.
  29. Dependence-preserving data compaction for scalable forensic analysis. In USENIX Security Symposium. 1723–1740.
  30. Heterogeneous graph transformer. In Proceedings of The Web Conference 2020. 2704–2710.
  31. Tackling over-smoothing for general graph convolutional networks. arXiv preprint arXiv:2008.09864 (2020).
  32. Kaspersky. 2015. Carbanak_APT_eng.pdf. https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf. (Accessed on 08/13/2023).
  33. Nema: Fast graph search with label similarity. VLDB Endowment 6, 181–192.
  34. Samuel T King and Peter M Chen. 2003. Backtracking intrusions. In SOSP. 223–236.
  35. T. Kipf and M. Welling. 2017. Semi-Supervised Classification with Graph Convolutional Networks. In ICLR.
  36. MCI: Modeling-based Causality Inference in Audit Logging for Attack Investigation. In NDSS. 4.
  37. Sub-gmn: The subgraph matching network model. arXiv preprint arXiv:2104.00186.
  38. High Accuracy Attack Provenance via Binary-based Execution Partition. In NDSS, Vol. 16.
  39. LogGC: garbage collecting audit log. In SIGSAC. 1005–1016.
  40. Graph matching networks for learning the similarity of graph structured objects. In ICML. 3835–3845.
  41. A hierarchical approach for advanced persistent threat detection with attention-based graph neural networks. Security and Communication Networks 2021 (2021), 1–14.
  42. IsoRankN: spectral methods for global alignment of multiple protein networks. Bioinformatics 12, i253–i258.
  43. Log2vec: A heterogeneous graph embedding based approach for detecting cyber threats within enterprise. In SIGSAC. 1777–1794.
  44. G-finder: Approximate attributed subgraph matching. In IEEE BigData. 513–522.
  45. Towards a Timely Causality Analysis for Enterprise Security.. In NDSS.
  46. Neural subgraph matching. arXiv preprint arXiv:2007.03092.
  47. Andreas Loukas. 2019. What graph neural networks cannot learn: depth vs width. arXiv preprint arXiv:1907.03199 (2019).
  48. A fast projected fixed-point algorithm for large graph matching. Pattern Recognition, 971–982.
  49. MPI: Multiple Perspective Attack Investigation with Semantic Aware Execution Partitioning. In USENIX Security Symposium. 1111–1128.
  50. Protracer: Towards Practical Provenance Tracing by Alternating Between Logging and Tainting. In NDSS.
  51. Fast memory-efficient anomaly detection in streaming heterogeneous graphs. In SIGKDD. 1035–1044.
  52. On the forensic validity of approximated audit logs. In ACSAC. 189–202.
  53. Poirot: Aligning attack behavior with kernel audit records for cyber threat hunting. In SIGSAC. 1795–1812.
  54. Holmes: real-time apt detection through correlation of suspicious information flows. In S&P. 1137–1152.
  55. The open provenance model: An overview. In IPAW. 323–326.
  56. Kiran-Kumar Muniswamy-Reddy and Margo Seltzer. 2010. Provenance as first class cloud data. SIGOPS (2010), 11–16.
  57. Practical whole-system provenance capture. In SoCC. 405–418.
  58. Hercule: Attack story reconstruction via community discovery on correlated log graph. In ACSAC. 583–595.
  59. Mage: Matching approximate patterns in richly-attributed graphs. In IEEE BigData. 585–590.
  60. Interpretable Neural Subgraph Matching for Graph Retrieval. In AAAI, Vol. 36. 8115–8123.
  61. Extractor: Extracting attack behavior from threat reports. In EuroS&P. 598–615.
  62. The graph neural network model. IEEE transactions on neural networks 20, 61–80.
  63. Modeling relational data with graph convolutional networks. In ESWC 2018. 593–607.
  64. Inspector: data provenance using intel processor trace (pt). In ICDCS. 25–34.
  65. SAGA: a subgraph matching tool for biological graphs. Bioinformatics 23, 232–239.
  66. Fast best-effort pattern matching in large attributed graphs. In SIGKDD. 737–746.
  67. Jacob Torrey. 2020. Transparent Computing Engagement 3 Data Release. https://www.darpa.mil/program/transparent-computing
  68. Graph Attention Networks. In ICLR.
  69. Order-embeddings of images and language. arXiv preprint arXiv:1511.06361.
  70. Probabilistic embedding of knowledge graphs with box lattice measures. arXiv preprint arXiv:1805.06627 (2018).
  71. You Are What You Do: Hunting Stealthy Malware via Data Provenance Analysis.. In NDSS.
  72. Threatrace: Detecting and tracing host-based threats in node level through provenance graph learning. TIFS 17 (2022), 3972–3987.
  73. Deephunter: A graph neural network based approach for robust cyber threat hunting. In SecureComm. Springer, 3–24.
  74. Relation-aware entity alignment for heterogeneous knowledge graphs. arXiv preprint arXiv:1908.08210 (2019).
  75. Pagoda: A hybrid approach to enable efficient real-time provenance based intrusion detection in big data environments. IEEE TDSC 17, 1283–1296.
  76. CONAN: A practical real-time APT detection system with high accuracy and efficiency. IEEE TDSC 19, 1, 551–565.
  77. How powerful are graph neural networks? arXiv preprint arXiv:1810.00826 (2018).
  78. Cross-lingual knowledge graph alignment via graph matching neural network. arXiv preprint arXiv:1905.11605 (2019).
  79. Depcomm: Graph summarization on system audit logs for attack investigation. In S&P. 540–557.
  80. High fidelity data reduction for big data security dependency analyses. In SIGSAC. 504–516.
  81. Decoupling the depth and scope of graph neural networks. NeurIPS (2021), 19665–19679.
  82. Graphsaint: Graph sampling based inductive learning method. arXiv preprint arXiv:1907.04931 (2019).
  83. WATSON: Abstracting Behaviors from Audit Logs via Aggregation of Contextual Semantics.. In NDSS.
  84. Shadewatcher: Recommendation-guided cyber threat analysis using system audit records. In S&P. 489–506.
  85. APTSHIELD: A Stable, Efficient and Real-time APT Detection System for Linux Hosts. IEEE TDSC.
  86. Behavior query discovery in system-generated temporal graphs. arXiv preprint arXiv:1511.05911 (2015).
Citations (8)
View on Semantic Scholar

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now