Host-based threats such as Program Attack, Malware Implantation, and Advanced Persistent Threats (APT), are commonly adopted by modern attackers. Recent studies propose leveraging the rich contextual information in data provenance to detect threats in a host. Data provenance is a directed acyclic graph constructed from system audit data. Nodes in a provenance graph represent system entities (e.g., $processes$ and $files$) and edges represent system calls in the direction of information flow. However, previous studies, which extract features of the whole provenance graph, are not sensitive to the small number of threat-related entities and thus result in low performance when hunting stealthy threats. We present threaTrace, an anomaly-based detector that detects host-based threats at system entity level without prior knowledge of attack patterns. We tailor GraphSAGE, an inductive graph neural network, to learn every benign entity's role in a provenance graph. threaTrace is a real-time system, which is scalable of monitoring a long-term running host and capable of detecting host-based intrusion in their early phase. We evaluate threaTrace on three public datasets. The results show that threaTrace outperforms three state-of-the-art host intrusion detection systems.

翻译：以主机为基础的威胁,如程序攻击、恶意植入和高级持久性威胁(APT),通常为现代攻击者所采用。最近的研究表明,利用数据源中丰富的背景信息来探测宿主的威胁。数据源是一个由系统审计数据制成的定向环形图。出处图中的节点代表系统实体(例如,美元和美元)和边缘代表系统在信息流方向上发挥作用。然而,以往的研究,即提取整个来源图特征的研究,对威胁相关实体数量较少并不敏感,因此在搜寻隐形威胁时造成低性能。我们展示了以反常为基础的探测器,该探测器在系统实体一级检测基于宿主的威胁,而事先不知晓攻击模式。我们定制了图解图分析,即一个不感动的图表神经网络,以了解每个良体在证明图表中的角色。Thrrea Trace是一个实时系统,可以测量一个长期运行的宿主,并能在早期检测基于宿主的入侵情况。我们评估了三阶段的公共探测结果。