Title: Efficient intrusion detection via heterogeneous graph attention networks and parallel provenance analysis
Authors: Lin Wu, Yu-Lai Xie, Shi-Xun Zhao, Pan Zhou, Dan Feng, Avani Wildani, Ya-Feng Wu
DOI: 10.1016/j.comnet.2025.111552
Journal: Computer Networks, volume 270, Article 111552
Publication type: Journal article
Publication date: 2025-07-23
Impact factor: 4.6; JCR quartile: Q1 (Computer Science, Hardware & Architecture); region: 2 (Computer Science)
Open access: no
Citation count: 0
Source: Semantic Scholar; full text: https://www.sciencedirect.com/science/article/pii/S1389128625005195
Abstract
In recent years, Advanced Persistent Threats (APTs) have emerged as a significant and pervasive form of cyber attack that uses sophisticated, covert techniques to infiltrate and persist in vulnerable systems, posing a serious threat to businesses and organizations. Recent studies have highlighted the potential of using provenance for APT detection. Provenance is data that records the history and dependencies of system objects (such as files, processes, and sockets) and is usually converted into a provenance graph for analysis. However, previous methods have several limitations: (1) the large volume of data generated by long-term APT attacks imposes a great storage overhead and reduces analysis efficiency; (2) they require prior attack knowledge and cannot cope with unknown attacks; (3) they fail to fully consider the rich semantic information in the provenance graph. In this paper, we propose IDS-HGAT, a novel intrusion detection system based on a heterogeneous graph attention network. The system reduces the number of nodes by preprocessing while retaining the graph structure information. IDS-HGAT considers the semantic information of the different types of nodes and edges together with the structure information of the provenance graph, and effectively aggregates this semantic information to build a classification model without constructing a rule base. To improve detection efficiency, IDS-HGAT employs the Stream data type in Redis to build a message queue that supports parallel storage and retrieval of provenance data. The experimental results show that IDS-HGAT outperforms existing state-of-the-art methods in terms of precision rate, false alarm rate, and time cost.
Journal description:
Computer Networks is an international, archival journal providing a publication vehicle for complete coverage of all topics of interest to those involved in the computer communications networking area. The audience includes researchers, managers and operators of networks as well as designers and implementors. The Editorial Board will consider any material for publication that is of interest to those groups.