Provenance graphs offer critical insights into system execution traces for intrusion detection. Recent work predominantly applies Graph Neural Networks (GNNs) to model causal system behaviors in provenance graphs. However, two fundamental limitations constrain their practicality: 1) uniform aggregation mechanisms that fail to account for heterogeneous behavior patterns; and 2) local interaction modeling that struggles to capture long-range dependencies essential for multi-stage attack analysis. To tackle these issues, we propose PG-MoE, a pioneering Provenance Graph Mixture-of-Experts framework tailored for intrusion detection. PG-MoE integrates an ensemble of specialized GNN experts, each designed to handle distinct topological contexts. Through a learnable routing mechanism, nodes are dynamically dispatched to appropriate experts based on their structural and semantic characteristics, thereby enabling adaptive modeling of diverse system behaviors. Furthermore, we introduce a spatio-temporal contrastive learning strategy that enforces the alignment of node behavior representations across multiple temporal and contextual (spatio) resolutions, thereby empowering experts to capture both local and global interaction dynamics while discerning subtle behavior variations. Extensive experiments on three real-world attack datasets demonstrate that PG-MoE outperforms state-of-the-art baselines, exhibits strong robustness against adversarial perturbations, and maintains computational efficiency. The source code is available at https://github.com/xueboQiu/PG-MoE/.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

PG-MoE: Provenance-Based Intrusion Detection via Graph Mixture-of-Experts and Spatio-Temporal Contrastive Learning

  • Xuebo Qiu,
  • Mingqi Lv,
  • Yimei Zhang,
  • Qijie Song,
  • Tieming Chen

摘要

Provenance graphs offer critical insights into system execution traces for intrusion detection. Recent work predominantly applies Graph Neural Networks (GNNs) to model causal system behaviors in provenance graphs. However, two fundamental limitations constrain their practicality: 1) uniform aggregation mechanisms that fail to account for heterogeneous behavior patterns; and 2) local interaction modeling that struggles to capture long-range dependencies essential for multi-stage attack analysis. To tackle these issues, we propose PG-MoE, a pioneering Provenance Graph Mixture-of-Experts framework tailored for intrusion detection. PG-MoE integrates an ensemble of specialized GNN experts, each designed to handle distinct topological contexts. Through a learnable routing mechanism, nodes are dynamically dispatched to appropriate experts based on their structural and semantic characteristics, thereby enabling adaptive modeling of diverse system behaviors. Furthermore, we introduce a spatio-temporal contrastive learning strategy that enforces the alignment of node behavior representations across multiple temporal and contextual (spatio) resolutions, thereby empowering experts to capture both local and global interaction dynamics while discerning subtle behavior variations. Extensive experiments on three real-world attack datasets demonstrate that PG-MoE outperforms state-of-the-art baselines, exhibits strong robustness against adversarial perturbations, and maintains computational efficiency. The source code is available at https://github.com/xueboQiu/PG-MoE/.