MPKAN: APT Attack Detection on Audit Logs via Graph Semantic Enhancement

A method for detecting APT attacks using meta-path random walks and knowledge association networks to enhance graph semantics.

Authors: Zehui Wang, Dan Du, Yinhao Qi, Wenhao Yan, Xiaobo Yang, Bo Jiang, Zhigang Lu
Institution: Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academy of Sciences

# Abstract

As cloud computing and mobile work blur traditional network boundaries, security measures like static firewalls and signature-based systems are becoming inadequate. Audit logs contain fine-grained OS-level information, but due to their vast volume and the complex relationships between entities, processing and analyzing them remains a significant challenge.

In this paper we introduce MPKAN, a new method for detecting APT attacks that enriches the information fed in for nodes and edges, integrates node-level and edge-level information, and improves graph-level semantics. It uses meta-path random walks to strengthen semantic connections between nodes, and merges multiple edges in the provenance graph into a single edge while retaining the original edge information and the order of operations. By associating heterogeneous graph neighbors, using a message passing mechanism to iteratively update node states from neighbor information, and using a knowledge association network to integrate node-level and edge-level information, MPKAN captures both local and global structural information in the graph. Evaluations of MPKAN on the ATLAS and DARPA datasets demonstrate its strong performance in complex attack scenarios, achieving an average accuracy of 0.9899 and an F1 score of 0.9853, confirming its effectiveness and efficiency.
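As an added illustration of the two preprocessing ideas the abstract names (this is not the authors' code, and it assumes a simplified `type:name` node labelling), the following merges parallel provenance-graph edges into one edge that keeps the operation order, then runs a meta-path-constrained random walk (process, file, process, ...) over a few constructed audit events:

```python
from collections import defaultdict
import random

# Constructed audit-log events in time order: (src, op, dst). Not from the paper.
EVENTS = [
    ("proc:bash", "fork", "proc:curl"),
    ("proc:curl", "write", "file:/tmp/x.sh"),
    ("proc:curl", "write", "file:/tmp/x.sh"),
    ("proc:bash", "read", "file:/tmp/x.sh"),
    ("proc:bash", "exec", "file:/tmp/x.sh"),
    ("proc:curl", "connect", "sock:10.0.0.5:443"),
]

def node_type(node):
    """Node type is the prefix before the first ':' (assumed labelling)."""
    return node.split(":", 1)[0]

def merge_edges(events):
    """Collapse all edges between one (src, dst) pair into a single edge whose
    attribute is the ordered list of operations, so the sequence is not lost."""
    merged = defaultdict(list)
    for src, op, dst in events:
        merged[(src, dst)].append(op)
    return dict(merged)

def build_adjacency(merged):
    """Undirected adjacency over the merged edges (walks may go either way)."""
    adj = defaultdict(list)
    for src, dst in merged:
        adj[src].append(dst)
        adj[dst].append(src)
    return adj

def meta_path_walk(adj, start, meta_path, length, rng):
    """Random walk that only steps to neighbours whose type matches the next
    slot of the (cyclic) meta-path, e.g. proc -> file -> proc -> file."""
    assert node_type(start) == meta_path[0]
    walk, cur = [start], start
    for i in range(1, length):
        want = meta_path[i % len(meta_path)]
        candidates = [n for n in adj[cur] if node_type(n) == want]
        if not candidates:          # dead end for this meta-path: stop early
            break
        cur = rng.choice(candidates)
        walk.append(cur)
    return walk

if __name__ == "__main__":
    merged = merge_edges(EVENTS)
    print(merged)
    print(meta_path_walk(build_adjacency(merged), "proc:bash",
                         ["proc", "file"], 4, random.Random(0)))
```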

# Citation

```bibtex
@article{wang2026mpkan,
  title={MPKAN: APT Attack Detection on Audit Logs via Graph Semantic Enhancement},
  author={Wang, Zehui and Du, Dan and Qi, Yinhao and Yan, Wenhao and Yang, Xiaobo and Jiang, Bo and Lu, Zhigang},
  year={2026}
}
```
Copyright notice: Licensed under CC BY-NC-SA 4.0 (Attribution-NonCommercial-ShareAlike 4.0 International)