P3GNN: A Privacy-Preserving Provenance Graph-Based Model for APT Detection in Software Defined Networking
Hedyeh Nazari, Abbas Yazdinejad, Ali Dehghantanha, Fattane Zarrinkalam, Gautam Srivastava

TL;DR
P3GNN is a novel privacy-preserving graph neural network model that combines federated learning and homomorphic encryption to detect APTs in SDN environments, effectively identifying zero-day attacks while maintaining data confidentiality.
Contribution
It introduces a new GCN-based model that integrates federated learning with encryption to enhance APT detection and data privacy in SDN networks.
Findings
Achieves 0.93 accuracy on DARPA TCE3 dataset
Maintains a low false positive rate of 0.06
Detects zero-day attacks through unsupervised learning
Abstract
Software Defined Networking (SDN) has brought significant advancements in network management and programmability. However, this evolution has also heightened vulnerability to Advanced Persistent Threats (APTs), sophisticated and stealthy cyberattacks that traditional detection methods often fail to counter, especially in the face of zero-day exploits. A prevalent issue is the inadequacy of existing strategies to detect novel threats while addressing data privacy concerns in collaborative learning scenarios. This paper presents P3GNN (privacy-preserving provenance graph-based graph neural network model), a novel model that synergizes Federated Learning (FL) with Graph Convolutional Networks (GCN) for effective APT detection in SDN environments. P3GNN utilizes unsupervised learning to analyze operational patterns within provenance graphs, identifying deviations indicative of security…
Taxonomy
Topics: Information and Cyber Security · Network Security and Intrusion Detection · Software-Defined Networks and 5G
