Defending against Advanced Persistent Threats (APTs) has long been a significant challenge in the field of cybersecurity. Terminal control and exploitation frequently serve as pivotal stages within the overall attack lifecycle. Consequently, the rapid and efficient analysis of terminal logs has become a critical area of research for APT detection and threat intelligence analysis. This paper presents a novel threat detection framework designed to address real-world challenges such as limited labeled data and concept drift. The proposed framework introduces a new model architecture that integrates graph generative learning with graph contrastive learning, thereby enhancing the model’s graph representation capability in scenarios with incomplete information. To ensure reliable detection with limited labeled data, a high-value node recommendation method based on random-graph structure analysis is also proposed. To evaluate the effectiveness of the proposed framework, methods, and models, experiments are conducted on three widely used datasets, with comparative analysis against the state-of-the-art MAGIC method. The experimental results demonstrate that the proposed approach significantly improves the model’s stability and representational power, achieving performance comparable to that of full data even when only partial data is available. Furthermore, in the presence of concept drift, the proposed model and node recommendation method maintain stable detection performance with a limited number of labeled nodes.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Graph Representation Learning via Generative-Contrastive Fusion for Advanced Persistent Threat Detection

  • Jun Jiang,
  • Yijiao Jiang,
  • Fangming Dong,
  • Zhengwei Jiang,
  • Tianming Zheng,
  • Baoxu Liu,
  • Liling Xin

摘要

Defending against Advanced Persistent Threats (APTs) has long been a significant challenge in the field of cybersecurity. Terminal control and exploitation frequently serve as pivotal stages within the overall attack lifecycle. Consequently, the rapid and efficient analysis of terminal logs has become a critical area of research for APT detection and threat intelligence analysis. This paper presents a novel threat detection framework designed to address real-world challenges such as limited labeled data and concept drift. The proposed framework introduces a new model architecture that integrates graph generative learning with graph contrastive learning, thereby enhancing the model’s graph representation capability in scenarios with incomplete information. To ensure reliable detection with limited labeled data, a high-value node recommendation method based on random-graph structure analysis is also proposed. To evaluate the effectiveness of the proposed framework, methods, and models, experiments are conducted on three widely used datasets, with comparative analysis against the state-of-the-art MAGIC method. The experimental results demonstrate that the proposed approach significantly improves the model’s stability and representational power, achieving performance comparable to that of full data even when only partial data is available. Furthermore, in the presence of concept drift, the proposed model and node recommendation method maintain stable detection performance with a limited number of labeled nodes.