Enhanced small-scale APT knowledge graph embedding via spatio-temporal attribute reasoning and adversarial negative sampling
Authors: Yushun Xie, Haiyan Wang, Xiao Jing, Zhaoquan Gu
Journal: Array, volume 26, Article 100404 (impact factor 2.3; JCR Q2, Computer Science, Theory & Methods)
Publication date: 2025-05-14
Publication type: Journal Article
DOI: 10.1016/j.array.2025.100404
URL: https://www.sciencedirect.com/science/article/pii/S2590005625000311
Citations: 0
Abstract
Advanced Persistent Threat (APT) represents a class of highly sophisticated and stealthy cyberattacks that pose significant challenges to traditional defense mechanisms. Knowledge Graph Embedding (KGE) techniques provide a promising approach for APT attack prediction by leveraging existing cybersecurity knowledge to infer potential attack behaviors. However, the effectiveness of existing KGE methods is severely hindered by the scarcity of APT attack knowledge and the sparsity of knowledge graph connectivity, resulting in suboptimal knowledge representation and predictive performance. We propose an enhanced APT knowledge graph embedding method called APT-ST-AN to address the limitations of incomplete and sparse data in small-scale APT knowledge graphs. The proposed model introduces spatio-temporal attribute reasoning to enrich positive APT attack examples, thereby expanding the knowledge base with inferred attack patterns. At the same time, the model utilizes adversarial negative sampling, combining adversarial example generation with synthetic example creation to produce high-quality negative examples that improve the training process of the model. By jointly expanding the APT knowledge from both positive and negative examples, APT-ST-AN improves the expressiveness and generalization of KGE models. Extensive experiments on multiple small-scale APT knowledge graphs demonstrate that APT-ST-AN consistently outperforms existing compared models. Notably, APT-ST-AN achieves a maximum Mean Reciprocal Rank (MRR) of 0.589 and Hits@10 of 0.673, yielding up to a 38.3% improvement over baseline methods. These results demonstrate that APT-ST-AN exhibits high predictive accuracy in APT attack inference, thereby enhancing the ability of cybersecurity systems to anticipate and mitigate sophisticated cyber threats.