Detecting Complex Multi-step Attacks with Explainable Graph Neural Network
Wei Liu, Peng Gao, Haotian Zhang, Ke Li, Weiyong Yang, Xingshen Wei, Jiwu Shu

TL;DR
This paper introduces Trace2Vec, a graph neural network-based method for detecting complex multi-step attacks. It combines data augmentation of rare attack samples, continuous-time dynamic graph modeling, and explainability through Monte Carlo tree search, and reports higher detection accuracy than existing methods.
Contribution
The paper presents Trace2Vec, a novel approach combining data augmentation, continuous-time dynamic heterogeneous graph modeling, and explainability techniques for attack detection.
Findings
Outperforms existing methods in detection accuracy
Provides explainable attack detection results
Effectively augments rare attack samples
Abstract
Complex multi-step attacks have caused significant damage to numerous critical infrastructures. To detect such attacks, graph neural network-based methods have shown promising results by modeling the system's events as a graph. However, existing methods still face several challenges when deployed in practice. First, there is a lack of sufficient real attack data, especially considering the large volume of normal data. Second, the modeling of event graphs is challenging due to their dynamic and heterogeneous nature. Third, the lack of explanation in learning models undermines the trustworthiness of such methods in production environments. To address the above challenges, in this paper we propose an attack detection method, Trace2Vec. The approach first designs an erosion function to augment rare attack samples and integrates them into the event graphs. Next, it models the event graphs…
Taxonomy
Topics: Anomaly Detection Techniques and Applications · Network Security and Intrusion Detection · Adversarial Robustness in Machine Learning
