MAGIC: Detecting Advanced Persistent Threats via Masked Graph Representation Learning
- URL: http://arxiv.org/abs/2310.09831v1
- Date: Sun, 15 Oct 2023 13:27:06 GMT
- Title: MAGIC: Detecting Advanced Persistent Threats via Masked Graph Representation Learning
- Authors: Zian Jia, Yun Xiong, Yuhong Nan, Yao Zhang, Jinjing Zhao, Mi Wen
- Abstract summary: MAGIC is a self-supervised APT detection approach capable of performing multi-granularity detection under different levels of supervision. We evaluate MAGIC on three widely-used datasets, including both real-world and simulated attacks.
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Advanced Persistent Threats (APTs), adopted by the most sophisticated attackers, are becoming increasingly common and pose a great threat to various enterprises and institutions. Data provenance analysis on provenance graphs has emerged as a common approach in APT detection. However, previous works have exhibited several shortcomings: (1) requiring attack-containing data and a priori knowledge of APTs, (2) failing to extract the rich contextual information buried within provenance graphs, and (3) becoming impracticable due to their prohibitive computation overhead and memory consumption.
In this paper, we introduce MAGIC, a novel and flexible self-supervised APT detection approach capable of performing multi-granularity detection under different levels of supervision. MAGIC leverages masked graph representation learning to model benign system entities and behaviors, performing efficient deep feature extraction and structure abstraction on provenance graphs. By ferreting out anomalous system behaviors via outlier detection methods, MAGIC is able to perform both system-entity-level and batched-log-level APT detection. MAGIC is specially designed to handle concept drift with a model adaptation mechanism and applies successfully across diverse conditions and detection scenarios. We evaluate MAGIC on three widely-used datasets, including both real-world and simulated attacks. Evaluation results indicate that MAGIC achieves promising detection results in all scenarios and shows a large advantage over state-of-the-art APT detection approaches in performance overhead.
Related papers
- OmniAD: Detect and Understand Industrial Anomaly via Multimodal Reasoning (arXiv, 2025-05-28)
  We introduce OmniAD, a framework that unifies anomaly detection and understanding for fine-grained analysis. Visual reasoning provides detailed inspection by leveraging Text-as-Mask. Visual Guided Textual Reasoning conducts comprehensive analysis by integrating visual perception.
- Learning Knowledge-based Prompts for Robust 3D Mask Presentation Attack Detection (arXiv, 2025-05-06)
  We propose a novel knowledge-based prompt learning framework to explore the strong generalization capability of vision-language models for 3D mask presentation attack detection. Experimental results demonstrate that the proposed method achieves state-of-the-art intra- and cross-scenario detection performance.
- Evaluating the Effectiveness of Attack-Agnostic Features for Morphing Attack Detection (arXiv, 2024-10-22)
  We investigate the potential of image representations for morphing attack detection (MAD). We develop supervised detectors by training a simple binary linear SVM on the extracted features and one-class detectors by modeling the distribution of bonafide features with a Gaussian Mixture Model (GMM). Our results indicate that attack-agnostic features can effectively detect morphing attacks, outperforming traditional supervised and one-class detectors from the literature in most scenarios.
- RAPID: Robust APT Detection and Investigation Using Context-Aware Deep Learning (arXiv, 2024-06-08)
  We introduce a novel deep learning-based method for robust APT detection and investigation. By utilizing self-supervised sequence learning and iteratively learned embeddings, our approach effectively adapts to dynamic system behavior. Our evaluation demonstrates RAPID's effectiveness and computational efficiency in real-world scenarios.
- Feature graph construction with static features for malware detection (arXiv, 2024-04-25)
  We introduce a feature graph-based malware detection method, MFGraph, to characterize applications. We demonstrate that it achieves an AUC score of 0.98756 on the malware detection task, outperforming other baseline models. The AUC score of MFGraph decreases by only 5.884% in one year, indicating that it is the least affected by concept drift.
- LTRDetector: Exploring Long-Term Relationship for Advanced Persistent Threats Detection (arXiv, 2024-04-04)
  Advanced Persistent Threat (APT) is challenging to detect due to prolonged duration, infrequent occurrence, and adept concealment techniques. Existing approaches primarily concentrate on the observable traits of attack behaviors, neglecting the intricate relationships formed throughout the persistent attack lifecycle. We present an innovative APT detection framework named LTRDetector, implementing an end-to-end holistic operation.
- DMAD: Dual Memory Bank for Real-World Anomaly Detection (arXiv, 2024-03-19)
  We propose a new framework named Dual Memory bank enhanced representation learning for Anomaly Detection (DMAD). DMAD employs a dual memory bank to calculate feature distance and feature attention between normal and abnormal patterns. We evaluate DMAD on the MVTec-AD and VisA datasets.
- Few-shot Message-Enhanced Contrastive Learning for Graph Anomaly Detection (arXiv, 2023-11-17)
  Graph anomaly detection plays a crucial role in identifying exceptional instances in graph data that deviate significantly from the majority. We propose a novel few-shot Graph Anomaly Detection model called FMGAD. We show that FMGAD can achieve better performance than other state-of-the-art methods, regardless of artificially injected anomalies or domain-organic anomalies.
- GraphCloak: Safeguarding Task-specific Knowledge within Graph-structured Data from Unauthorized Exploitation (arXiv, 2023-10-11)
  Graph Neural Networks (GNNs) are increasingly prevalent in a variety of fields. Growing concerns have emerged regarding the unauthorized utilization of personal data. Recent studies have shown that imperceptible poisoning attacks are an effective method of protecting image data from such misuse. This paper introduces GraphCloak to safeguard against the unauthorized usage of graph data.
- Cluster-level pseudo-labelling for source-free cross-domain facial expression recognition (arXiv, 2022-10-11)
  We propose the first Source-Free Unsupervised Domain Adaptation (SFUDA) method for Facial Expression Recognition (FER). Our method exploits self-supervised pretraining to learn good feature representations from the target data. We validate the effectiveness of our method in four adaptation setups, proving that it consistently outperforms existing SFUDA methods when applied to FER.
- Self-Supervised Predictive Convolutional Attentive Block for Anomaly Detection (arXiv, 2021-11-17)
  We propose to integrate the reconstruction-based functionality into a novel self-supervised predictive architectural building block. Our block is equipped with a loss that minimizes the reconstruction error with respect to the masked area in the receptive field. We demonstrate the generality of our block by integrating it into several state-of-the-art frameworks for anomaly detection on image and video.
- No Need to Know Physics: Resilience of Process-based Model-free Anomaly Detection for Industrial Control Systems (arXiv, 2020-12-07)
  We present a novel framework to generate adversarial spoofing signals that violate physical properties of the system. We analyze four anomaly detectors published at top security conferences.
- Graph Backdoor (arXiv, 2020-06-21)
  We present GTA, the first backdoor attack on graph neural networks (GNNs). GTA departs in significant ways: it defines triggers as specific subgraphs, including both topological structures and descriptive features. It can be instantiated for both transductive (e.g., node classification) and inductive (e.g., graph classification) tasks.
This list is automatically generated from the titles and abstracts of the papers in this site.