Attentional Heterogeneous Graph Neural Network: Application to Program Reidentification
Shen Wang, Zhengzhang Chen, Ding Li, Lu-An Tang, Jingchao Ni, Zhichun Li, Junghwan Rhee, Haifeng Chen, Philip S. Yu

TL;DR
This paper introduces DeepHGNN, an attentional heterogeneous graph neural network designed to verify program identities by analyzing system behavior graphs, addressing the critical issue of program reidentification in cybersecurity.
Contribution
It presents a novel graph neural network model that leverages heterogeneous program behavior graphs for accurate program reidentification, a problem often overlooked in intrusion detection.
Findings
DeepHGNN outperforms existing methods on real-world data.
The model is robust to program version upgrades.
Effective in detecting disguised or malicious programs.
Abstract
Program or process is an integral part of almost every IT/OT system. Can we trust the identity/ID (e.g., executable name) of the program? To avoid detection, malware may disguise itself using the ID of a legitimate program, and a system tool (e.g., PowerShell) used by the attackers may have the fake ID of another common software, which is less sensitive. However, existing intrusion detection techniques often overlook this critical program reidentification problem (i.e., checking the program's identity). In this paper, we propose an attentional heterogeneous graph neural network model (DeepHGNN) to verify the program's identity based on its system behaviors. The key idea is to leverage the representation learning of the heterogeneous program behavior graph to guide the reidentification process. We formulate the program reidentification as a graph classification problem and develop an…
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Software System Performance and Reliability
