2024
DOI: 10.1109/tdsc.2022.3229472
APT-KGL: An Intelligent APT Detection System Based on Threat Knowledge and Heterogeneous Provenance Graph Learning

Cited by 8 publications (3 citation statements); references 0 publications.

Citation statements:
“…In the graph, nodes represent system entities such as processes and files, while edges represent system events like writing to files and receiving data from IP addresses. The provenance graph contains rich causal relationships, such as derived relationships between processes, files, and network accesses, which helps to model the relationships of system entities with long time distance and adapts to the problem that APT attacks are difficult to detect due to their long duration [28].…”
Section: Log Preprocessing (citation type: mentioning; confidence: 99%)
“…However, the most popular and effective approach is still to combine techniques analyzing abnormal behaviors on network traffic datasets, and machine learning or deep learning algorithms [8][9][10][11]. According to the Network Traffic-based APT attack detection approach, previous studies often focused on two main solutions: i) Analyzing Network Traffic into different components such as DNS log [12,13], HTTP log [14], TLS log, etc., and then trying to detect abnormal behaviors of APT attack on each of these components [5,6], or building the behavior profile of each APT IP based on the correlation between the above components [15][16][17][18][19][20][21][22]; ii) Analyzing Network Traffic into flow or NetFlow and then extracting abnormal behaviors of APT attack. Especially, in the past time, studies [8][9][10][23] proposed approaches to detect APT based on building behavior profiles.…”
Section: Attack APT: Challenges and Solutions (citation type: mentioning; confidence: 99%)
“…For the detection of advanced APT attacks, APT-KGL [128] samples a subgraph around a new incoming node to gather the embedding information already computed by a GNN in previous iterations. This technique makes it possible to infer new system entities in a reasonable time as only a subgraph is considered.…”
Section: Table 3 State-of-the-art Papers For Host-based Intrusion Det... (citation type: mentioning; confidence: 99%)