ProvG-Searcher: A Graph Representation Learning Approach for Efficient Provenance Graph Search
Enes Altinisik, Fatih Deniz, Husrev Taha Sencar

TL;DR
ProvG-Searcher introduces a graph embedding-based method for efficient and accurate detection of known APT behaviors in system logs by transforming provenance graphs into vector representations for quick subgraph matching.
Contribution
It presents a novel graph representation learning approach that simplifies provenance graph search through order embeddings and graph partitioning, improving efficiency and accuracy.
Findings
Achieves over 99% accuracy in behavior detection
Maintains a false positive rate around 0.02%
Outperforms existing methods in experimental evaluations
Abstract
We present ProvG-Searcher, a novel approach for detecting known APT behaviors within system security logs. Our approach leverages provenance graphs, a comprehensive graph representation of event logs, to capture and depict data provenance relations by mapping system entities as nodes and their interactions as edges. We formulate the task of searching provenance graphs as a subgraph matching problem and employ a graph representation learning method. The central component of our search methodology involves embedding of subgraphs in a vector space where subgraph relationships can be directly evaluated. We achieve this through the use of order embeddings that simplify subgraph matching to straightforward comparisons between a query and precomputed subgraph representations. To address challenges posed by the size and complexity of provenance graphs, we propose a graph partitioning scheme and…
Taxonomy
Topics: Data Quality and Management · Software System Performance and Reliability · Advanced Graph Neural Networks
