Abstract
Complex multi-step attacks (CMAs) have caused severe damage to the core information infrastructure of many organizations. Graph-based methods are known for their ability to learn complex interaction patterns between systems and users from discrete graph snapshots. However, such methods struggle with computer networks, which are naturally modelled as continuous-time dynamic graphs rather than as a sequence of snapshots. In this paper, we propose RShield, a CMA detection and defense method based on temporal graph networks. It first constructs a continuous-time dynamic graph from the interactions among users and entities recorded in various logs. It then trains the detection model offline and performs streaming detection on live network events. A prototype of RShield has been implemented. Experimental evaluation shows that RShield achieves better detection performance than state-of-the-art methods in both transductive and inductive settings.
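The following added example (illustration written for this page, not RShield's own code or any code from the authors) shows the difference the abstract relies on: the same authentication-style log lines are turned into discrete snapshots, where the order of events inside a window is lost, and into a continuous-time event stream, where time-respecting chains of logons (the shape of a multi-step attack) can be recovered. The log format, the sample lines and the `stream_scores` heuristic are all assumptions made here; the heuristic only stands in for the per-node memory a temporal graph network would learn.

```python
"""Continuous-time dynamic graph vs. discrete snapshots over constructed log lines."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (invented for this example, not real data).
# Format assumed here: "time,user,src_host,dst_host,outcome".
SAMPLE_LOG = """\
1,U1,C1,C2,Success
2,U1,C2,C3,Success
3,U2,C5,C6,Success
4,U2,C5,C6,Success
61,U1,C3,C9,Success
62,U1,C9,C10,Success
63,U1,C10,C11,Fail
"""


@dataclass(frozen=True)
class Event:
    t: int
    user: str
    src: str
    dst: str
    outcome: str


def parse_events(text: str) -> list[Event]:
    """Turn raw lines into a time-ordered event stream: the continuous-time graph."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, user, src, dst, outcome = line.strip().split(",")
        events.append(Event(int(t), user, src, dst, outcome))
    events.sort(key=lambda e: e.t)
    return events


def snapshot_edges(events: list[Event], window: int) -> dict[int, set[tuple[str, str]]]:
    """Discrete-snapshot view: edges bucketed per window. Whether C1->C2 happened
    before or after C2->C3 inside one window is no longer recoverable."""
    snaps = defaultdict(set)
    for e in events:
        snaps[e.t // window].add((e.src, e.dst))
    return dict(snaps)


def time_respecting_chains(events: list[Event], user: str, max_gap: int) -> list[list[Event]]:
    """Maximal chains e1 -> e2 -> ... for one user where each hop starts on the host
    the previous hop reached, happens strictly later, and within max_gap seconds."""
    mine = [e for e in events if e.user == user]
    out = defaultdict(list)
    for e in mine:
        out[e.src].append(e)
    chains: list[list[Event]] = []

    def extend(chain: list[Event]) -> None:
        last = chain[-1]
        nxt = [e for e in out[last.dst] if last.t < e.t <= last.t + max_gap]
        if not nxt:
            chains.append(chain)
            return
        for e in nxt:
            extend(chain + [e])

    # A chain starts at every event that no earlier in-gap event leads into.
    for e in mine:
        has_pred = any(p.dst == e.src and e.t - max_gap <= p.t < e.t for p in mine)
        if not has_pred:
            extend([e])
    return chains


def stream_scores(events: list[Event], warmup: int) -> list[tuple[int, float]]:
    """Streaming-detection stand-in (hand-written heuristic, assumed here, not a TGN):
    events up to `warmup` only build per-node memory; later events are scored
    online, one at a time, and then update the memory themselves."""
    seen_edges: set[tuple[str, str, str]] = set()
    last_seen: dict[str, int] = {}
    scores = []
    for e in events:
        if e.t > warmup:
            score = 0.0
            if (e.user, e.src, e.dst) not in seen_edges:
                score += 1.0      # this user never made this hop before
            if e.dst not in last_seen:
                score += 1.0      # destination host never seen in any event
            if e.outcome != "Success":
                score += 0.5      # failed logons weigh a little extra
            scores.append((e.t, score))
        seen_edges.add((e.user, e.src, e.dst))
        last_seen[e.src] = e.t
        last_seen[e.dst] = e.t
    return scores


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("snapshots:", snapshot_edges(evs, 60))
    for chain in time_respecting_chains(evs, "U1", 30):
        print("chain:", " -> ".join(f"{e.src}@{e.t}" for e in chain) + f" -> {chain[-1].dst}")
    print("scores:", stream_scores(evs, 10))
```

With a 60 second window the snapshot view puts U1's first two logons in one bucket with no ordering, while the chain enumeration keeps them as an ordered two-hop path and separately recovers the later C3 -> C9 -> C10 -> C11 chain; widening `max_gap` joins the two into one five-hop chain. The scorer flags every hop of the later chain because the user had never made those hops and the hosts had never appeared, which is the kind of novelty a learned node memory is meant to capture.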
Acknowledgments
This work is supported by the National Key Research and Development Program of China (No. 2021YFB3101700).
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Yang, W. et al. (2022). RShield: A Refined Shield for Complex Multi-step Attack Detection Based on Temporal Graph Network. In: Bhattacharya, A., et al. Database Systems for Advanced Applications. DASFAA 2022. Lecture Notes in Computer Science, vol 13247. Springer, Cham. https://doi.org/10.1007/978-3-031-00129-1_40
DOI: https://doi.org/10.1007/978-3-031-00129-1_40
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-00128-4
Online ISBN: 978-3-031-00129-1
eBook Packages: Computer Science; Computer Science (R0)