Complex multi-step attacks have caused significant damage to numerous critical infrastructures. To detect such attacks, graph neural network based methods have shown promising results by modeling the system's events as a graph. However, existing methods still face several challenges when deployed in practice. First, there is a lack of sufficient real attack data especially considering the large volume of normal data. Second, the modeling of event graphs is challenging due to their dynamic and heterogeneous nature. Third, the lack of explanation in learning models undermines the trustworthiness of such methods in production environments. To address the above challenges, in this paper, we propose an attack detection method, Trace2Vec. The approach first designs an erosion function to augment rare attack samples, and integrates them into the event graphs. Next, it models the event graphs via a continuous-time dynamic heterogeneous graph neural network. Finally, it employs the Monte Carlo tree search algorithm to identify events with greater contributions to the attack, thus enhancing the explainability of the detection result. We have implemented a prototype for Trace2Vec, and the experimental evaluations demonstrate its superior detection and explanation performance compared to existing methods.
翻译:复杂多步攻击已对众多关键基础设施造成重大损害。为检测此类攻击,基于图神经网络的方法通过将系统事件建模为图已展现出良好效果。然而,现有方法在实际部署中仍面临若干挑战。首先,考虑到正常数据的海量规模,真实攻击数据尤为匮乏。其次,事件图因其动态性与异质性而难以建模。再次,学习模型可解释性的缺失削弱了此类方法在生产环境中的可信度。为应对上述挑战,本文提出一种攻击检测方法Trace2Vec。该方法首先设计侵蚀函数以增强罕见攻击样本,并将其整合至事件图中;继而通过连续时间动态异构图神经网络对事件图进行建模;最终采用蒙特卡洛树搜索算法识别对攻击贡献度更高的事件,从而提升检测结果的可解释性。我们实现了Trace2Vec的原型系统,实验评估表明其检测性能与可解释性均优于现有方法。