Complex multi-step attacks have caused significant damage to numerous critical infrastructures. To detect such attacks, graph neural network based methods have shown promising results by modeling the system's events as a graph. However, existing methods still face several challenges when deployed in practice. First, there is a lack of sufficient real attack data especially considering the large volume of normal data. Second, the modeling of event graphs is challenging due to their dynamic and heterogeneous nature. Third, the lack of explanation in learning models undermines the trustworthiness of such methods in production environments. To address the above challenges, in this paper, we propose an attack detection method, Trace2Vec. The approach first designs an erosion function to augment rare attack samples, and integrates them into the event graphs. Next, it models the event graphs via a continuous-time dynamic heterogeneous graph neural network. Finally, it employs the Monte Carlo tree search algorithm to identify events with greater contributions to the attack, thus enhancing the explainability of the detection result. We have implemented a prototype for Trace2Vec, and the experimental evaluations demonstrate its superior detection and explanation performance compared to existing methods.
翻译:复杂多步攻击已对众多关键基础设施造成了重大损害。为检测此类攻击,基于图神经网络的方法通过将系统事件建模为图而展现出良好效果。然而,现有方法在实际部署中仍面临若干挑战。首先,在大量正常数据的背景下,缺乏足够的真实攻击数据;其次,由于事件图具有动态性和异质性,其建模过程颇具难度;第三,学习模型中缺乏可解释性,削弱了此类方法在生产环境中的可信度。针对上述挑战,本文提出一种攻击检测方法——Trace2Vec。该方法首先设计侵蚀函数以扩充稀有攻击样本,并将其融入事件图;随后通过连续时间动态异质图神经网络对事件图进行建模;最后采用蒙特卡洛树搜索算法识别对攻击贡献更大的事件,从而增强检测结果的可解释性。我们实现了Trace2Vec的原型系统,实验评估表明,与现有方法相比,该方法在检测性能和可解释性方面均表现优异。