
The Research On APT Detection Based On Graph Neural Network With Provenance Graph As Input

Posted on: 2023-02-06
Degree: Master
Type: Thesis
Country: China
Candidate: Y G G Ou
Full Text: PDF
GTID: 2568306836964249
Subject: Cyberspace security
Abstract/Summary:
With the rapid growth in the number of APT attacks, how to detect them accurately and respond quickly has become a prominent research problem in network security. Some existing APT detection methods introduce external threat intelligence, but they cannot handle attack events that have not appeared in that intelligence. For a long-running enterprise or organizational network, the system audit log provides key information for attack investigation and forensic analysis, but the continuous generation of log files places a heavy storage burden on the enterprise, and when a forensic analysis has to screen billions of log entries, the efficiency of security analysts suffers as well. Achieving a high data reduction ratio at the cost of little semantic information loss has therefore long been an important research direction in provenance graph data management.

The development of heterogeneous graph neural networks offers inspiration and ideas for APT detection. In recent years many researchers have focused on building APT detection and response algorithms on the provenance graph. As a kind of heterogeneous graph, the provenance graph naturally has the potential to describe complex information systems. Combining the problems of existing methods with the advantages of the provenance graph, this thesis proposes a heterogeneous graph neural network APT detection scheme based on the provenance graph. The main work and contributions of this thesis are as follows:

(1) To address the difficulty of APT attack detection, a graph neural network APT detection model based on the provenance graph is proposed. The model uses the provenance graph to model host activity, extracts the features of the provenance graph through heterogeneous graph representation learning, and then compresses that feature information layer by layer with the DIFFPOOL pooling module. The study uses the public network security dataset Transparent Computing Engagement 5 for its experiments. The experimental results show that the APT detection model based on a heterogeneous graph neural network can effectively detect APT attack behavior.

(2) To relieve the storage pressure of the original logs and make subsequent forensic analysis easier for security analysts, the thesis proposes a data reduction algorithm based on graph substructure similarity that removes redundant nodes and events from the graph data. The algorithm can also be combined with mainstream reduction algorithms to further reduce the storage footprint of the data. The experimental results show that the data reduction algorithm based on the semantic similarity of graph substructures can effectively relieve the storage pressure of provenance graph data.
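As an added illustration of the provenance graph and log reduction ideas above (this is not the thesis's code, and it is a simple causality-preserving edge merge rather than the substructure-similarity algorithm the thesis proposes), the Python below builds a small provenance graph from constructed audit events, folds repeated identical events between the same two nodes into one edge with a count and time span, and checks with backward tracing that the provenance of a node is the same before and after reduction. The node names, event tuples and the ancestors() helper are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample audit events (timestamp, process, action, object); illustrative only.
EVENTS = [
    (1, "proc:bash:1203", "exec", "file:/usr/bin/curl"),
    (2, "proc:curl:1210", "connect", "sock:203.0.113.5:443"),
    (3, "proc:curl:1210", "write", "file:/tmp/payload"),
    (4, "proc:curl:1210", "write", "file:/tmp/payload"),
    (5, "proc:curl:1210", "write", "file:/tmp/payload"),
    (6, "proc:bash:1203", "read", "file:/tmp/payload"),
    (7, "proc:curl:1210", "write", "file:/tmp/payload"),
    (8, "proc:bash:1203", "exec", "file:/tmp/payload"),
]

def build_graph(events):
    """Provenance edges (src, action, dst, t_first, t_last, count), oriented by
    data flow: read/exec flow object -> process, write/connect process -> object."""
    edges = []
    for ts, proc, action, obj in sorted(events):
        src, dst = (obj, proc) if action in ("read", "exec") else (proc, obj)
        edges.append((src, action, dst, ts, ts, 1))
    return edges

def reduce_edges(edges):
    """Fold a repeated (src, action, dst) edge into its predecessor when no kept
    edge touched either endpoint in between. Dependency paths are unchanged;
    only the redundant repeats collapse into a count and a time span."""
    reduced = []
    for src, action, dst, t0, t1, n in edges:
        prev = next((i for i in range(len(reduced) - 1, -1, -1)
                     if {src, dst} & {reduced[i][0], reduced[i][2]}), None)
        if prev is not None and reduced[prev][:3] == (src, action, dst):
            s, a, d, first, _, cnt = reduced[prev]
            reduced[prev] = (s, a, d, first, t1, cnt + n)
        else:
            reduced.append((src, action, dst, t0, t1, n))
    return reduced

def ancestors(edges, node):
    """Backward tracing: every node with a directed path into `node`."""
    preds = defaultdict(set)
    for s, _, d, *_ in edges:
        preds[d].add(s)
    seen, stack = set(), [node]
    while stack:
        for p in preds[stack.pop()] - seen:
            seen.add(p)
            stack.append(p)
    return seen
```

On the sample, the three consecutive writes collapse into one edge (8 edges become 6) while the provenance of the bash process is identical in both graphs; an intervening read of the same file keeps the later write separate, which is the semantic loss the merge must avoid.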
Keywords/Search Tags: heterogeneous graph neural network, APT detection, provenance graph reduction algorithms, provenance graph