As Advanced Persistent Threat (APT) attacks continue to evolve, critical information infrastructure faces increasingly severe security risks. Log-based provenance detection systems have become an effective defense mechanism. However, despite addressing many issues, existing solutions still exhibit several notable shortcomings: 1) they require attack information and expert knowledge, 2) they struggle to manage large-scale provenance graphs composed of massive data, 3) they insufficiently capture long-distance contextual dependencies within provenance graphs, and 4) they cannot adapt to benign changes in system behavior. To address these challenges, we propose Chaos, an intrusion detection system (IDS) that balances behavioral structures and temporal dependencies. Specifically, Chaos employs a soft segmentation strategy for large-scale provenance graphs, effectively extracting sub-events while preserving event structures. It then utilizes Graph Neural Networks (GNNs) to learn system behavior structures and combines Long Short-Term Memory (LSTM) networks to capture temporal dependencies between entities. Finally, it implements anomaly detection using a lightweight classifier and further suppresses false positives through the Elastic Weight Consolidation (EWC) mechanism. Evaluated across multiple real-world datasets, Chaos demonstrates exceptional detection accuracy, significantly reduces false alarms, and exhibits a degree of resistance against adversarial attacks.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Chaos: Robust Spatio-Temporal Fusion for Generalizable APT Provenance Tracing

  • Teng Li,
  • Wei Qiao,
  • Yebo Feng,
  • Jiahua Xu,
  • Paolo Tasca,
  • Weiguo Lin,
  • Zexu Dang,
  • Zhuo Ma,
  • Jianfeng Ma

摘要

As Advanced Persistent Threat (APT) attacks continue to evolve, critical information infrastructure faces increasingly severe security risks. Log-based provenance detection systems have become an effective defense mechanism. However, despite addressing many issues, existing solutions still exhibit several notable shortcomings: 1) they require attack information and expert knowledge, 2) they struggle to manage large-scale provenance graphs composed of massive data, 3) they insufficiently capture long-distance contextual dependencies within provenance graphs, and 4) they cannot adapt to benign changes in system behavior. To address these challenges, we propose Chaos, an intrusion detection system (IDS) that balances behavioral structures and temporal dependencies. Specifically, Chaos employs a soft segmentation strategy for large-scale provenance graphs, effectively extracting sub-events while preserving event structures. It then utilizes Graph Neural Networks (GNNs) to learn system behavior structures and combines Long Short-Term Memory (LSTM) networks to capture temporal dependencies between entities. Finally, it implements anomaly detection using a lightweight classifier and further suppresses false positives through the Elastic Weight Consolidation (EWC) mechanism. Evaluated across multiple real-world datasets, Chaos demonstrates exceptional detection accuracy, significantly reduces false alarms, and exhibits a degree of resistance against adversarial attacks.