{"title":"One-Class Directed Heterogeneous Graph Neural Network for Intrusion Detection","authors":"Zeqi Huang, Yonghao Gu, Qing Zhao","doi":"10.1145/3529466.3529480","DOIUrl":null,"url":null,"abstract":"The Host-based Intrusion Detection System (HIDS) is widely used to safeguard the security of the enterprise environment and the main detection target of HIDS is the provenance graph. HIDS makes extensive use of the provenance graph which models the interactions between processes and other system entities (e.g. files), to assign anomaly scores to the provenance graph based on expert experience. However, the nonlinear interactions on the provenance graph cannot be captured by expert experience. In addition, attack data is difficult to obtain in the field of intrusion detection. To tackle these problems, we propose OC-DHetGNN (One-Class Directed Heterogeneous Graph Neural Network), an unsupervised anomaly detection method for intrusion detection by combining heterogeneous graph neural networks with the one-class neural network. Specifically, we first model the provenance graph as the attributed heterogeneous graph. Then we propose a directed heterogeneous graph neural network module, which is used to obtain the embedding of the heterogeneous graph and the nodes. After that, the embedding of the heterogeneous graph and the embedding of the node are fed into two one-class neural network modules respectively to output the anomaly score. 
Extensive experiments on real enterprise data sets have verified OC-DHetGNN is superior to the baseline.","PeriodicalId":375562,"journal":{"name":"Proceedings of the 2022 6th International Conference on Innovation in Artificial Intelligence","volume":"42 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-03-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2022 6th International Conference on Innovation in Artificial Intelligence","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3529466.3529480","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 2