Brewing Vodka: Distilling Pure Knowledge for Lightweight Threat Detection in Audit Logs

WWW 2025 - A lightweight threat detection system built on knowledge distillation for node-level detection in audit log provenance graphs.

Authors Weiheng Wu, Wei Qiao, Wenhao Yan, Bo Jiang, Yuling Liu, Baoxu Liu, Zhigang Lu, Junrong Liu
Venue WWW 2025 (The Web Conference, April 28 - May 2, 2025, Sydney, Australia)
Institution Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academy of Sciences

# Abstract

Advanced Persistent Threats (APTs) are continuously evolving, leveraging their stealthiness and persistence to put increasing pressure on current provenance-based Intrusion Detection Systems (IDS). This evolution exposes several critical issues: (1) the dense interaction between malicious and benign nodes within provenance graphs introduces neighbor noise, hindering effective detection; (2) the complex prediction mechanisms of existing APT detection models lead to insufficient utilization of the prior knowledge embedded in the data; (3) the high computational cost makes detection impractical.

To address these challenges, we propose Vodka, a lightweight threat detection system built on a knowledge distillation framework, capable of node-level detection within audit log provenance graphs. Specifically, Vodka applies graph Laplacian regularization to reduce neighbor noise, obtaining smoothed and denoised graph signals. Subsequently, Vodka employs a teacher model based on graph neural networks (GNNs) to extract knowledge, which is then distilled into a lightweight student model. The student model is designed as a combination of a feature transformation module and a personalized PageRank random walk, enabling efficient inference without the overhead of neighbor aggregation.
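The abstract names two signal-processing steps: Laplacian-regularized smoothing of node features to suppress neighbor noise, and a student that scores nodes with a feature transformation followed by personalized PageRank (PPR) propagation. The following is an added illustration of those two steps on a toy provenance graph; it is not the paper's code and does not reproduce the Vodka teacher, its distillation loss or its learned weights. The graph, the node features, the random-walk-normalized Laplacian, the linear scorer standing in for the feature transformation module, and the APPNP-style PPR iteration are all assumptions made here so the example runs offline in plain Python.

```python
"""Added illustration (not the paper's code): Laplacian smoothing of node
features on a small provenance graph, then a student scorer consisting of a
feature transformation and personalized PageRank propagation.
Pure Python, no third-party dependencies."""

# Constructed provenance graph: (node id, name, type). Not real audit data.
NODES = [
    (0, "bash", "process"),
    (1, "/etc/passwd", "file"),
    (2, "curl", "process"),
    (3, "/tmp/payload", "file"),
    (4, "sshd", "process"),
    (5, "/var/log/auth.log", "file"),
]
# Undirected edges; the direction of the audit event is dropped for simplicity.
EDGES = [(0, 1), (0, 2), (2, 3), (0, 3), (4, 5), (4, 0)]

# Constructed per-node features, already scaled to [0, 1]:
# (fan-out count, bytes written, off-hours activity ratio).
X = [
    [0.5, 0.1, 0.2],
    [0.0, 0.0, 0.9],   # feature spike on a file whose only neighbour looks benign
    [0.9, 0.8, 0.8],
    [0.1, 0.9, 0.7],
    [0.3, 0.2, 0.1],
    [0.0, 0.4, 0.0],
]


def adjacency(n, edges):
    """Adjacency lists for an undirected graph on n nodes."""
    adj = [[] for _ in range(n)]
    for i, j in edges:
        adj[i].append(j)
        adj[j].append(i)
    return adj


def row_stochastic_propagate(adj, F):
    """One step of P @ F with P = D^-1 A, i.e. the mean over each node's neighbours."""
    out = []
    for i, nbrs in enumerate(adj):
        if not nbrs:
            out.append(list(F[i]))  # an isolated node keeps its own signal
            continue
        dim = len(F[i])
        out.append([sum(F[j][k] for j in nbrs) / len(nbrs) for k in range(dim)])
    return out


def laplacian_smooth(X, adj, lam=1.0, iters=100):
    """Solve (I + lam * L_rw) F = X with L_rw = I - D^-1 A by fixed-point iteration.
    Each step computes F_i = (X_i + lam * mean_{j~i} F_j) / (1 + lam), which is the
    minimiser of sum_i d_i ||F_i - X_i||^2 + lam * sum_{(i,j) in E} ||F_i - F_j||^2.
    The contraction factor is lam / (1 + lam), so 100 steps converge for lam = 1."""
    F = [list(row) for row in X]
    for _ in range(iters):
        PF = row_stochastic_propagate(adj, F)
        F = [[(X[i][k] + lam * PF[i][k]) / (1 + lam) for k in range(len(X[i]))]
             for i in range(len(X))]
    return F


def total_variation(F, edges):
    """Sum of squared feature differences across edges: a measure of neighbour noise."""
    return sum(sum((F[i][k] - F[j][k]) ** 2 for k in range(len(F[i]))) for i, j in edges)


# Student, part 1: feature transformation. A constructed linear scorer stands in
# for the learned module; the weights are assumptions, not distilled values.
W = [0.6, 0.9, 0.8]
B = -0.9


def feature_transform(F):
    """Per-node anomaly logit h_i = W . F_i + B."""
    return [sum(w * f for w, f in zip(W, row)) + B for row in F]


def ppr_propagate(h, adj, alpha=0.2, steps=10):
    """Personalized PageRank propagation of per-node scores (APPNP-style):
    z <- alpha * h + (1 - alpha) * P z, starting from z = h."""
    z = list(h)
    for _ in range(steps):
        pz = row_stochastic_propagate(adj, [[v] for v in z])
        z = [alpha * h[i] + (1 - alpha) * pz[i][0] for i in range(len(h))]
    return z


def student_scores(X, edges, lam=1.0, alpha=0.2, steps=10):
    """Smooth features, transform them, then propagate the scores with PPR."""
    adj = adjacency(len(X), edges)
    F = laplacian_smooth(X, adj, lam)
    return ppr_propagate(feature_transform(F), adj, alpha, steps)


if __name__ == "__main__":
    adj = adjacency(len(X), EDGES)
    F = laplacian_smooth(X, adj)
    print("edge variation before/after smoothing: %.3f -> %.3f"
          % (total_variation(X, EDGES), total_variation(F, EDGES)))
    for (_, name, kind), s in zip(NODES, student_scores(X, EDGES)):
        print(f"{name:20s} {kind:8s} score={s:+.3f}")
```

Two properties worth checking on any such implementation: the smoothed features are convex combinations of the originals, so they never leave the original value range, and the total variation across edges is strictly lower after smoothing (the fixed point minimises the regularized objective, of which the variation term is a part). The PPR step has the same bounded-range property, which is what makes the propagation cheap and numerically stable at inference time.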

# Download

📄 Download PDF

# Citation

```bibtex
@inproceedings{wu2025vodka,
  title={Brewing Vodka: Distilling Pure Knowledge for Lightweight Threat Detection in Audit Logs},
  author={Wu, Weiheng and Qiao, Wei and Yan, Wenhao and Jiang, Bo and Liu, Yuling and Liu, Baoxu and Lu, Zhigang and Liu, Junrong},
  booktitle={Proceedings of the ACM Web Conference 2025 (WWW '25)},
  year={2025},
  doi={10.1145/3696410.3714563}
}
```
Copyright notice: Licensed under CC BY-NC-SA 4.0 (Attribution-NonCommercial-ShareAlike 4.0 International)