Detecting Complex Multi-step Attacks with Explainable Graph Neural Network

Complex multi-step attacks have caused significant damage to numerous critical infrastructures. To detect such attacks, graph neural network based methods have shown promising results by modeling the system's events as a graph. However, existing methods still face several challenges when deploy...

Bibliographic details
Published in: arXiv.org 2024-06
Main authors: Liu, Wei, Gao, Peng, Zhang, Haotian, Li, Ke, Yang, Weiyong, Wei, Xingshen, Shu, Jiwu
Format: Article
Language: eng
Online access: Full text
container_end_page
container_issue
container_start_page
container_title arXiv.org
container_volume
creator Liu, Wei
Gao, Peng
Zhang, Haotian
Li, Ke
Yang, Weiyong
Wei, Xingshen
Shu, Jiwu
description Complex multi-step attacks have caused significant damage to numerous critical infrastructures. To detect such attacks, graph neural network based methods have shown promising results by modeling the system's events as a graph. However, existing methods still face several challenges when deployed in practice. First, there is a lack of sufficient real attack data especially considering the large volume of normal data. Second, the modeling of event graphs is challenging due to their dynamic and heterogeneous nature. Third, the lack of explanation in learning models undermines the trustworthiness of such methods in production environments. To address the above challenges, in this paper, we propose an attack detection method, Trace2Vec. The approach first designs an erosion function to augment rare attack samples, and integrates them into the event graphs. Next, it models the event graphs via a continuous-time dynamic heterogeneous graph neural network. Finally, it employs the Monte Carlo tree search algorithm to identify events with greater contributions to the attack, thus enhancing the explainability of the detection result. We have implemented a prototype for Trace2Vec, and the experimental evaluations demonstrate its superior detection and explanation performance compared to existing methods.
format Article
date 2024-06-14
publisher Ithaca: Cornell University Library, arXiv.org
rights 2024. This work is published under http://arxiv.org/licenses/nonexclusive-distrib/1.0/ (the “License”). Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License.
oa free_for_read
fulltext fulltext
identifier EISSN: 2331-8422
ispartof arXiv.org, 2024-06
issn 2331-8422
language eng
recordid cdi_proquest_journals_3057537880
source Free E- Journals
subjects Critical infrastructure
Graph neural networks
Graphs
Modelling
Neural networks
Production methods
Search algorithms
title Detecting Complex Multi-step Attacks with Explainable Graph Neural Network
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-07T11%3A59%3A28IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest&rft_val_fmt=info:ofi/fmt:kev:mtx:book&rft.genre=document&rft.atitle=Detecting%20Complex%20Multi-step%20Attacks%20with%20Explainable%20Graph%20Neural%20Network&rft.jtitle=arXiv.org&rft.au=Liu,%20Wei&rft.date=2024-06-14&rft.eissn=2331-8422&rft_id=info:doi/&rft_dat=%3Cproquest%3E3057537880%3C/proquest%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=3057537880&rft_id=info:pmid/&rfr_iscdi=true