Slot: Provenance-Driven APT Detection through Graph Reinforcement Learning
Wei Qiao, Yebo Feng, Teng Li, Zhuo Ma, Yulong Shen, JianFeng Ma, Yang Liu

TL;DR
Slot is a novel APT detection method that leverages provenance graphs and graph reinforcement learning to identify complex attack relationships, adapt to evolving threats, and automatically construct attack chains, outperforming existing techniques.
Contribution
The paper introduces Slot, a pioneering approach combining provenance graph analysis with graph reinforcement learning for adaptive, resilient APT detection and attack chain construction.
Findings
High detection accuracy on real-world datasets
Outperforms state-of-the-art methods in efficiency and robustness
Effectively supports APT defense strategies
Abstract
Advanced Persistent Threats (APTs) represent sophisticated cyberattacks characterized by their ability to remain undetected within the victim system for extended periods, aiming to exfiltrate sensitive data or disrupt operations. Existing detection approaches often struggle to effectively identify these complex threats, construct the attack chain needed to guide defense, or resist adversarial attacks. To overcome these challenges, we propose Slot, an advanced APT detection approach based on provenance graphs and graph reinforcement learning. Slot excels in uncovering multi-level hidden relationships, such as causal, contextual, and indirect connections, among system behaviors through provenance graph mining. By pioneering the integration of graph reinforcement learning, Slot dynamically adapts to new user activities and evolving attack strategies, enhancing its resilience against…
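The abstract's core data structure, a provenance graph over system entities, and the "causal" and "indirect" connections it mines are easier to grasp on a concrete log. The following Python is an added illustration and not Slot's code or the authors' implementation: it builds a provenance graph from a small set of constructed audit events (hypothetical process, file and socket identifiers), then computes a backward dependency slice of a suspicious outbound connection, a hop-distance measure of how indirectly two entities are linked, and a shortest causal path that serves as a minimal attack chain. The graph-reinforcement-learning component of the paper is not reproduced here.

```python
"""Provenance-graph mining on constructed audit events (added example, not Slot).

Edge direction follows information flow: a read moves data from the object
into the subject (object -> subject); fork/write/connect move it from the
subject to the object (subject -> object). Multi-hop reachability over these
edges is what makes an indirect link (e.g. /etc/shadow -> exfiltration socket
through two intermediate processes) visible when single events look benign.
"""
from collections import defaultdict, deque

# Constructed audit events: (subject, action, object). Not from the paper.
EVENTS = [
    ("proc:bash[1001]", "fork", "proc:curl[1002]"),
    ("proc:curl[1002]", "connect", "sock:203.0.113.7:443"),
    ("proc:curl[1002]", "write", "file:/tmp/.x"),
    ("proc:bash[1001]", "fork", "proc:python[1003]"),
    ("proc:python[1003]", "read", "file:/tmp/.x"),
    ("proc:python[1003]", "read", "file:/etc/shadow"),
    ("proc:python[1003]", "write", "file:/tmp/out.tgz"),
    ("proc:python[1003]", "fork", "proc:scp[1004]"),
    ("proc:scp[1004]", "read", "file:/tmp/out.tgz"),
    ("proc:scp[1004]", "connect", "sock:198.51.100.9:22"),
    # Unrelated background activity that a good slice must leave out.
    ("proc:cron[7]", "fork", "proc:logrotate[1005]"),
    ("proc:logrotate[1005]", "write", "file:/var/log/syslog.1"),
]


def build_graph(events):
    """Return (successors, predecessors) adjacency maps of the provenance graph."""
    succ, pred = defaultdict(set), defaultdict(set)
    for subj, action, obj in events:
        src, dst = (obj, subj) if action == "read" else (subj, obj)
        succ[src].add(dst)
        pred[dst].add(src)
    return succ, pred


def _bfs(adj, start):
    """Breadth-first reachability; returns {node: hop_distance} and parent links."""
    dist, parent = {start: 0}, {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                parent[nxt] = node
                queue.append(nxt)
    return dist, parent


def backward_slice(events, sink):
    """Every entity whose data could have flowed into `sink` (causal ancestors)."""
    _, pred = build_graph(events)
    return _bfs(pred, sink)[0]


def forward_slice(events, source):
    """Every entity that `source` could have influenced (causal descendants)."""
    succ, _ = build_graph(events)
    return _bfs(succ, source)[0]


def hop_distance(events, a, b):
    """Shortest number of flow edges from a to b; None if unconnected.
    A distance > 1 is an indirect connection that no single event shows."""
    return forward_slice(events, a).get(b)


def attack_chain(events, source, sink):
    """Shortest causal path from source to sink, or [] if none exists."""
    succ, _ = build_graph(events)
    _, parent = _bfs(succ, source)
    if sink not in parent:
        return []
    path, node = [], sink
    while node is not None:
        path.append(node)
        node = parent[node]
    return path[::-1]


if __name__ == "__main__":
    exfil = "sock:198.51.100.9:22"
    print("ancestors of", exfil, sorted(backward_slice(EVENTS, exfil)))
    print("hops /tmp/.x ->", exfil, hop_distance(EVENTS, "file:/tmp/.x", exfil))
    print("chain:", " -> ".join(attack_chain(EVENTS, "file:/etc/shadow", exfil)))
```

Running the script shows that the backward slice of the port-22 connection pulls in `/etc/shadow`, `/tmp/.x`, the `curl` download and the `bash` parent while excluding the `cron`/`logrotate` activity, and that the shadow file reaches the socket only at three hops, through `python` and `scp`. Slicing like this is the classical provenance-analysis baseline the paper builds on; Slot's contribution is learning which of these relationships matter under evolving behaviour rather than hard-coding the traversal.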
Taxonomy
Topics: Scientific Computing and Data Management · Data Quality and Management · Research Data Management Practices
