DeepHunter: A Graph Neural Network Based Approach for Robust Cyber Threat Hunting
Renzheng Wei, Lijun Cai, Aimin Yu, Dan Meng

TL;DR
DeepHunter employs a novel graph neural network architecture to enhance the robustness and accuracy of cyber threat hunting by matching provenance data against known attack behaviors, outperforming existing methods.
Contribution
The paper introduces a GNN-based approach with attribute and graph embedding networks for robust attack behavior matching in cyber threat hunting.
Findings
DeepHunter successfully detects all attack behaviors in tested scenarios.
It outperforms the state-of-the-art method Poirot in accuracy and robustness.
It is effective in both real and synthetic APT attack scenarios.
Abstract
Cyber threat hunting is a proactive search for known attack behaviors in an organization's information system. It is an important component in mitigating advanced persistent threats (APTs). However, the attack behaviors recorded in provenance data may not be completely consistent with the known attack behaviors. In this paper, we propose DeepHunter, a graph neural network (GNN) based graph pattern matching approach that can match provenance data against known attack behaviors in a robust way. Specifically, we design a graph neural network architecture with two novel networks: attribute embedding networks that can incorporate Indicators of Compromise (IOCs) information, and graph embedding networks that can capture the relationships between IOCs. To evaluate DeepHunter, we choose five real and synthetic APT attack scenarios. Results show that DeepHunter can hunt all attack behaviors,…
Taxonomy
Topics: Advanced Graph Neural Networks · Complex Network Analysis Techniques · Network Security and Intrusion Detection
