- The paper introduces Maelstrom, a framework that synthesizes provenance graphs via a three-phase pipeline to augment intrusion detection datasets.
- It employs a heterogeneous graph synthesis model combined with LLM-based textual refinement to ensure both structural and semantic fidelity.
- An evaluation using multiple fidelity metrics shows that Maelstrom reduces false positives and improves IDS generalization against advanced threats.
Synthesizing Provenance Graphs for Data Augmentation in Intrusion Detection Systems
The paper introduces Maelstrom, an automated framework designed to synthesize provenance graphs for data augmentation in intrusion detection systems, particularly tailored for combating Advanced Persistent Threats (APTs). Provenance graphs are vital in identifying complex attack patterns, but existing systems are often hampered by the class imbalance present in real-world datasets. The framework addresses this imbalance and enhances the fidelity of generated graphs through a detailed three-phase pipeline: heterogeneous graph structure synthesis, rule-based topological refinement, and context-aware textual attribute synthesis using LLMs.
Heterogeneous Graph Synthesis
The synthesis begins with a heterogeneous graph generation model, GraphGen, which encodes graphs as DFS code sequences. This model is chosen for its ability to jointly model node and edge labels, along with structural connectivity, ensuring the preservation of both topology and semantics. A notable aspect is the scalability enhancement of GraphGen to accommodate large-scale provenance graphs, achieved through a restart-based random walk for subgraph sampling. This novel mechanism facilitates escape from local regions and captures subgraphs reflective of the overall graph structure.
Textual Attribute Synthesis
Following structural synthesis and refinement, Maelstrom enhances node names using LLMs—a technique leveraging sequence-based inputs derived via DFS transformation. This addresses LLMs' inherent difficulties with graph structures and implemented a novel masking strategy during training. By exposing the model to both fully masked and partially masked data, Maelstrom fine-tunes LLMs to generate realistic and diverse node names that improve downstream intrusion detection systems’ performance.
Evaluation Framework
Maelstrom's evaluation framework incorporates multiple fidelity metrics, including structural, textual, temporal, embedding-based, and semantic correctness evaluations. For structural fidelity, Maximum Mean Discrepancy (MMD)-based metrics are utilized. Textual fidelity is gauged through BLEU, GLEU, and ROUGE scores, while temporal sequences are analyzed using LCS and DTW metrics. The framework also introduces semantic correctness validation—a model-based approach incorporating contrastive learning techniques that incorporate negative sampling mechanisms to enhance model discrimination capabilities.
Practical Implications and Future Developments
The experimental results validate Maelstrom's ability to generate high-fidelity synthetic provenance graphs that not only improve structural and textual fidelity but also address class imbalance issues, thereby expanding the coverage of minority classes in intrusion datasets. This, in turn, enhances the generalization performance of PIDS across unseen environments. For practical utility, the paper demonstrates reduced false positives in APT detection models when trained on datasets augmented with Maelstrom-generated graphs.
Future research may explore scaling up synthesized graphs for larger provenance datasets and enhancing temporal modeling to better capture the dynamics of system behaviors. Moreover, exploring parallel processing strategies to improve text attribute synthesis efficiency could further optimize Maelstrom’s efficacy in large-scale applications. The extension of Maelstrom to other domains such as social networks and citation networks exemplifies its potential to broadly impact heterogeneous information network synthesis beyond cybersecurity applications.