Detecting APT-Exploited Processes through Semantic Fusion and Interaction Prediction  


Authors: Bin Luo, Liangguo Chen, Shuhua Ruan, Yonggang Luo

Affiliations: [1] School of Cyber Science and Engineering, Sichuan University, Chengdu, 610065, China; [2] Key Laboratory of Data Protection and Intelligent Management (Sichuan University), Ministry of Education, Chengdu, 610065, China; [3] Cyber Science Research Institute, Sichuan University, Chengdu, 610065, China

Source: Computers, Materials & Continua, 2024, Issue 2, pp. 1731-1754 (24 pages)

Funding: This work was supported by the National Natural Science Foundation of China (Nos. U19A2081, 62202320); the Fundamental Research Funds for the Central Universities (Nos. 2022SCU12116, 2023SCU12129, 2023SCU12126); the Science and Engineering Connotation Development Project of Sichuan University (No. 2020SCUNG129); and the Key Laboratory of Data Protection and Intelligent Management (Sichuan University), Ministry of Education.

Abstract: Considering the stealthiness and persistence of Advanced Persistent Threats (APTs), recent studies leverage system audit logs to construct provenance graphs of system entity interactions in order to unveil threats on a host. Rule-based provenance graph APT detection approaches require elaborate rules and cannot detect unknown attacks, and existing learning-based approaches are limited by the lack of available APT attack samples or generally only perform graph-level anomaly detection, which requires a lot of manual effort to locate attack entities. This paper proposes an APT-exploited process detection approach called ThreatSniffer, which constructs a benign provenance graph from attack-free audit logs, fits normal system entity interactions, and then detects APT-exploited processes by predicting the rationality of entity interactions. First, ThreatSniffer understands system entities in terms of their file paths, interaction sequences, and the number distribution of interaction types, and uses the multi-head self-attention mechanism to fuse these semantics. Then, based on the insight that APT-exploited processes interact with system entities they should not invoke, ThreatSniffer performs negative sampling on the benign provenance graph to generate non-existent edges, thus characterizing irrational entity interactions without requiring APT attack samples. Finally, it employs a heterogeneous graph neural network as the interaction prediction model to aggregate the contextual information of entity interactions and locate processes exploited by attackers, thereby achieving fine-grained APT detection. Evaluation results demonstrate that anomaly-based detection enables ThreatSniffer to identify all attack activities. Compared to the node-level APT detection method APT-KGL, ThreatSniffer achieves a 6.1% precision improvement because of its comprehensive understanding of entity semantics.
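The two ideas the abstract rests on, negative sampling of non-existent edges on a benign provenance graph and flagging processes whose interactions the benign graph never exhibits, as an added illustration that is not the paper's code: the audit-log edges are constructed, and the directory-level pattern check is a deliberately simple stand-in for the paper's heterogeneous GNN interaction predictor.

```python
from collections import Counter
import os
import random

# Constructed benign audit-log interactions: (process path, interaction type, target entity).
BENIGN_EDGES = [
    ("/usr/sbin/sshd", "read", "/etc/ssh/sshd_config"),
    ("/usr/sbin/sshd", "fork", "/bin/bash"),
    ("/bin/bash", "exec", "/usr/bin/ls"),
    ("/bin/bash", "read", "/home/user/.bashrc"),
    ("/usr/bin/firefox", "read", "/home/user/.mozilla/places.sqlite"),
    ("/usr/bin/firefox", "write", "/home/user/Downloads/report.pdf"),
    ("/usr/bin/firefox", "connect", "203.0.113.5:443"),
    ("/usr/sbin/cron", "read", "/etc/crontab"),
]

def pattern(edge):
    """Abstract an edge to (process, interaction, target directory) so that an unseen
    file in a familiar directory still counts as a familiar interaction; sockets keep
    their full address."""
    proc, itype, target = edge
    return (proc, itype, os.path.dirname(target) if target.startswith("/") else target)

def interaction_distribution(edges, proc):
    """Number distribution of interaction types for one process, one of the entity
    semantics the abstract lists."""
    return Counter(itype for p, itype, _ in edges if p == proc)

def negative_sample(edges, n, seed=0):
    """Generate n (process, interaction, target) triples absent from the benign graph.
    These stand in for the 'irrational interaction' class without any attack samples."""
    rng = random.Random(seed)
    procs = sorted({p for p, _, _ in edges})
    itypes = sorted({t for _, t, _ in edges})
    targets = sorted({tg for _, _, tg in edges})
    existing, negatives = set(edges), set()
    while len(negatives) < n:
        cand = (rng.choice(procs), rng.choice(itypes), rng.choice(targets))
        if cand not in existing:
            negatives.add(cand)
    return negatives

def flag_processes(observed, edges):
    """Return processes with at least one observed interaction whose pattern never
    occurs in the benign graph (simplified stand-in for the learned predictor)."""
    patterns = {pattern(e) for e in edges}
    return sorted({p for p, t, tg in observed if pattern((p, t, tg)) not in patterns})
```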

Keywords: Advanced persistent threat; provenance graph; multi-head self-attention; graph neural network

Classification code: TP391 [Automation and Computer Technology: Computer Application Technology]
