Advanced persistent threats (APTs) are constantly occurring in order to obtain confidential data. In the APT life cycle, lateral movement is a critical phase in the migration to confidential data. Lateral movement detection focuses on monitoring network traffic and endpoint detection. Although these methods can detect the attack behavior, they ignore the time of the attack behavior. To solve this problem, we propose a time heterogeneous graph representation network intrusion detection framework named THGNID. THGNID uses the raw data to build an authentication heterogeneous graph with time attributes. Based on metapath and time attribute, we sample the path and get the path embedding with time characteristic. We use an improved Transformer autoencoder with supervised contrast learning to optimize the path embedding representation and capture structural and temporal characteristics to effectively identify abnormal events in the network. Experiments are conducted on two publicly available cybersecurity domain datasets, and the results show that the method performs well compared to several advanced benchmark methods.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Network Intrusion Detection Based on Time Heterogeneous Graph Representation

  • Zhang Anqin,
  • Qian Yuwei

摘要

Advanced persistent threats (APTs) are constantly occurring in order to obtain confidential data. In the APT life cycle, lateral movement is a critical phase in the migration to confidential data. Lateral movement detection focuses on monitoring network traffic and endpoint detection. Although these methods can detect the attack behavior, they ignore the time of the attack behavior. To solve this problem, we propose a time heterogeneous graph representation network intrusion detection framework named THGNID. THGNID uses the raw data to build an authentication heterogeneous graph with time attributes. Based on metapath and time attribute, we sample the path and get the path embedding with time characteristic. We use an improved Transformer autoencoder with supervised contrast learning to optimize the path embedding representation and capture structural and temporal characteristics to effectively identify abnormal events in the network. Experiments are conducted on two publicly available cybersecurity domain datasets, and the results show that the method performs well compared to several advanced benchmark methods.