Winemaking: Extracting Essential Insights for Efficient Threat Detection in Audit Logs

TL;DR

Winemaking is a lightweight, knowledge distillation-based threat detection system that enhances accuracy and speed in analyzing audit log provenance graphs, effectively reducing neighbor noise and utilizing prior knowledge.

Contribution

The paper introduces Winemaking, a novel graph-based threat detection framework employing knowledge distillation and graph Laplacian regularization for improved efficiency and accuracy.

Findings

Achieves higher detection accuracy than existing IDS methods.

Operates 1.4 to 5.2 times faster than state-of-the-art solutions.

Effectively reduces neighbor noise in provenance graphs.

Abstract

Advanced Persistent Threats (APTs) are continuously evolving, leveraging their stealthiness and persistence to put increasing pressure on current provenance-based Intrusion Detection Systems (IDS). This evolution exposes several critical issues: (1) The dense interaction between malicious and benign nodes within provenance graphs introduces neighbor noise, hindering effective detection; (2) The complex prediction mechanisms of existing APTs detection models lead to the insufficient utilization of prior knowledge embedded in the data; (3) The high computational cost makes detection impractical. To address these challenges, we propose Winemaking, a lightweight threat detection system built on a knowledge distillation framework, capable of node-level detection within audit log provenance graphs. Specifically, Winemaking applies graph Laplacian regularization to reduce neighbor noise, obtaining smoothed and denoised graph signals. Subsequently, Winemaking employs a teacher model based on GNNs to extract knowledge, which is then distilled into a lightweight student model. The student model is designed as a trainable combination of a feature transformation module and a personalized PageRank random walk label propagation module, with the former capturing feature knowledge and the latter learning label and structural knowledge. After distillation, the student model benefits from the knowledge of the teacher model to perform precise threat detection. We evaluate Winemaking through extensive experiments on three public datasets and compare its performance against several state-of-the-art IDS solutions. The results demonstrate that Winemaking achieves outstanding detection accuracy across all scenarios and the detection time is 1.4 to 5.2 times faster than the current state-of-the-art methods.