Cyber Threat hunting is a proactive search for known attack behaviors in the organizational information system. It is an important component to mitigate advanced persistent threats (APTs). However, the attack behaviors recorded in provenance data may not be completely consistent with the known attack behaviors. In this paper, we propose DeepHunter, a graph neural network (GNN) based graph pattern matching approach that can match provenance data against known attack behaviors in a robust way. Specifically, we design a graph neural network architecture with two novel networks: attribute embedding networks that could incorporate Indicators of Compromise (IOCs) information, and graph embedding networks that could capture the relationships between IOCs. To evaluate DeepHunter, we choose five real and synthetic APT attack scenarios. Results show that DeepHunter can hunt all attack behaviors, and the accuracy and robustness of DeepHunter outperform the state-of-the-art method, Poirot.

翻译：网络威胁狩猎是组织信息系统中已知攻击行为的主动搜索。 这是减少先进持续威胁(APTs)的一个重要部分。 但是, 源头数据中记录的攻击行为可能并不完全符合已知攻击行为。 在本文中, 我们提议了基于图形神经网络(GNN)的图形图样匹配方法DeepHunter(DeepHunter), 这个方法可以以强健的方式将源头数据与已知攻击行为相匹配。 具体地说, 我们设计了一个图形神经网络结构, 包含两个新型网络: 属性嵌入网络, 可以包含复合指标(IOCs)信息, 和图形嵌入网络, 可以捕捉到国际奥委会之间的关系。 为了评估深Hunter, 我们选择了五个真实和合成的APT攻击情景。 结果显示, 深Hunter可以捕捉所有攻击行为, 以及深Hunter的准确性和坚固性, 超越了最先进的方法, Poirot。