Provenance-Based Intrusion Detection via Multi-scale Graph Representation Learning
摘要
Advanced Persistent Threats (APTs) pose significant challenges to cybersecurity due to their stealth and persistence. Provenance-based intrusion detection methods address this by first modeling historical system activities using audit logs, and then identifying diverse APT patterns through contextual analysis. Given the scarcity of labeled APT data, recent studies have adopted self-supervised learning methods to capture benign system behaviors, and then detect anomalies as deviations from learned normal patterns. However, existing methods struggle to distinguish sophisticated benign activities from attack patterns due to their limited semantic understanding of system behaviors. In this paper, we introduce TRAP, an anomaly detection system that employs multi-scale training strategies to optimize provenance graph representations for enhanced attack detection. First, a node-level feature reconstruction task is designed to extract fine-grained node semantics within system behaviors. Second, a contrastive learning technique is employed to align the edge- and graph-level contextual semantics across diverse augmented provenance graph views, fostering a more comprehensive representation of behavioral patterns. Third, to bolster the efficacy of contrastive learning, we devise a tailored graph augmentation strategy that exploits the temporal evolution dynamics of the provenance graph to produce multiple augmented views that balance semantic consistency and diversity. Extensive experiments demonstrate that TRAP outperforms existing APT detection systems. Code is available at: https://github.com/xueboQiu/TRAP .