To protect an organization's endpoints from sophisticated cyberattacks, advanced detection methods are required. In this research, we present GCNetOmaly: a graph convolutional network (GCN)-based variational autoencoder (VAE) anomaly detector trained on data that include connection events among internal and external machines. As input, the proposed GCN-based VAE model receives two matrices: (i) the normalized adjacency matrix, which represents the connections among the machines, and (ii) the feature matrix, which includes various features (demographic, statistical, process-related, and Node2vec structural features) used to profile the individual nodes/machines. After the model is trained on data collected for a predefined time window, it is applied to the same data; the reconstruction score the model produces for a given machine then serves as that machine's anomaly score. GCNetOmaly was evaluated on real, large-scale data logged by Carbon Black EDR from a large financial organization's automated teller machines (ATMs), as well as their communication with Active Directory (AD) servers, in two setups: unsupervised and supervised. The results of our evaluation demonstrate GCNetOmaly's effectiveness in detecting anomalous machine behavior on unsupervised data.
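As an added illustration (not code from the paper), the pure-Python sketch below builds the two inputs the abstract names, the self-loop-normalized adjacency matrix and a per-node feature matrix, from a constructed set of connection events, performs one GCN aggregation step, and turns a reconstruction error into per-machine anomaly scores with a mean-plus-k-standard-deviations threshold. The event sample, hostnames, external IP, feature set and threshold rule are assumptions; training the VAE itself is out of scope, so the reconstruction is passed in.

```python
from math import sqrt

# Constructed sample of connection events (source, destination, process);
# hostnames, the external IP and process names are made up for illustration.
EVENTS = [
    ("atm-01", "ad-01", "agent.exe"),
    ("atm-01", "ad-01", "updater.exe"),
    ("atm-02", "ad-01", "agent.exe"),
    ("atm-02", "203.0.113.7", "agent.exe"),
]
INTERNAL_PREFIXES = ("atm-", "ad-")  # assumed naming convention for the external flag

def build_inputs(events):
    """Return (nodes, normalized adjacency, feature matrix) from connection events."""
    nodes = sorted({h for s, d, _ in events for h in (s, d)})
    idx = {n: i for i, n in enumerate(nodes)}
    n = len(nodes)
    adj = [[0.0] * n for _ in range(n)]
    sent, recv, procs = {}, {}, {}
    for s, d, p in events:
        adj[idx[s]][idx[d]] = adj[idx[d]][idx[s]] = 1.0  # undirected, unweighted
        sent[s] = sent.get(s, 0) + 1
        recv[d] = recv.get(d, 0) + 1
        procs.setdefault(s, set()).add(p)
    # GCN renormalisation: D^-1/2 (A + I) D^-1/2, degrees counted with self-loops.
    deg = [sum(row) + 1.0 for row in adj]
    a_norm = [[(adj[i][j] + (i == j)) / sqrt(deg[i] * deg[j]) for j in range(n)]
              for i in range(n)]
    # Per-node profile: degree, events sent/received, distinct processes, external flag.
    feats = [[sum(adj[i]), float(sent.get(v, 0)), float(recv.get(v, 0)),
              float(len(procs.get(v, ()))), float(not v.startswith(INTERNAL_PREFIXES))]
             for i, v in enumerate(nodes)]
    return nodes, a_norm, feats

def gcn_propagate(a_norm, x):
    """One GCN aggregation step (A_norm @ X): each node's features become a
    degree-weighted mix of its own and its neighbours' features."""
    return [[sum(a_norm[i][k] * x[k][j] for k in range(len(x))) for j in range(len(x[0]))]
            for i in range(len(a_norm))]

def anomaly_scores(x, x_rec):
    """Per-node reconstruction error (sum of squared differences) used as anomaly score."""
    return [sum((a - b) ** 2 for a, b in zip(row, rec)) for row, rec in zip(x, x_rec)]

def flag_anomalies(scores, k=2.0):
    """Indices whose score exceeds mean + k * std (assumed thresholding rule)."""
    mean = sum(scores) / len(scores)
    std = sqrt(sum((s - mean) ** 2 for s in scores) / len(scores))
    return [i for i, s in enumerate(scores) if s > mean + k * std]
```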