AJSAGE: A intrusion detection scheme based on Jump-Knowledge Connection To GraphSAGE

Abstract

In the field of network security, attackers often utilize Advanced Persistent Threats (APT) to conduct host-based intrusions for prolonged information gathering, penetration and to cause serious damages. Recent studies have used provenance data containing rich contextual information to achieve effective detection of host-based APT. Extracting system entities (e.g., processes, files) and operations between entities in provenance data to construct a directed acyclic graph (DAG) is the key to realize attack detection by provenance graph. Previous studies extracted the features of the whole provenance graph, which did not fully capture the relationship between the nodes in the graph, and the extracted features were not accurate enough. Moreover, the original node feature information may be lost in the process of aggregation. Therefore, abnormal nodes are recognized in the detection process, leading to low detection performance and a high false alarm rate. Facing the challenge, we introduce AJSAGE, a framework based on graph neural networks. A novel anomaly detection method by adding attention mechanism and Jump-Knowledge Connection to GraphSAGE. It enables the integration of node information across hierarchical levels, improves the detection of complex attack patterns, and enhances the accuracy and generalization of the model in node feature representation. It is able to identify features and nodes that are closely related to the anomaly detection task in a more focused manner. We evaluate the performance of AJSAGE on three publicly available datasets, and the results demonstrate that it significantly outperforms multiple state-of-the-art methods for host intrusion detection.