MIRDETECTOR: Applying malicious intent representation for enhanced APT anomaly detection

Hongmei Li, Tiantian Zhu, Jie Ying, Tieming Chen, Mingqi Lv, Jian-Ping Mei, Zhengqiu Weng, Lili Shi

Computers & Security, volume 157, article 104588. Published 2025-07-11. DOI: 10.1016/j.cose.2025.104588. https://www.sciencedirect.com/science/article/pii/S0167404825002779
Advanced Persistent Threats (APTs) infiltrate target systems covertly, exhibiting behavior that is difficult to detect with conventional methods and posing significant risks to enterprise security. Data provenance is widely used in attack detection to counter these threats. Among Provenance-based Intrusion Detection Systems (PIDSes), anomaly-based PIDSes are attracting increasing attention because they can counter zero-day vulnerabilities without relying on prior attack knowledge. An anomaly-based PIDS models the system's normal behavior patterns (structural/attribute features) and flags deviations from them. However, existing anomaly-based PIDSes produce a significant number of false positives under benign data fluctuations, which limits their effectiveness against complex APT attacks. To address this, we propose MIRDETECTOR, a novel anomaly detection system for APT attacks. Its core idea is that a node is considered malicious not only because its structural/attribute features change but also because it exhibits an inclination toward malicious intent. Building on this idea, MIRDETECTOR models nodes along three dimensions: structural features, attribute features, and malicious intent representation. By using lightweight models for training and detection, it reduces false positives and achieves efficient real-time detection. We evaluated MIRDETECTOR thoroughly on several public datasets and compared it with state-of-the-art anomaly detection systems. The results show that MIRDETECTOR achieves excellent detection accuracy and recall: compared with the baseline detection system, it raises node-level detection accuracy by up to 99% and recall by up to 68%. This significantly mitigates the high false-positive rate of traditional PIDSes that rely solely on structural/attribute features. MIRDETECTOR demonstrates remarkable accuracy and efficiency in identifying complex threats, and its deployment will effectively mitigate the risks posed by APTs.
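The three-dimensional node model sketched in the abstract is easiest to see on a small provenance graph. The following Python example is added here and is not the authors' code: it treats each process as a node, scores it by structural deviation (edge-type counts) and attribute deviation (objects touched) against a benign training window, and then applies an intent term. The audit records are constructed, and the intent term (the fraction of a node's edges that reach an assumed sensitive sink, such as a credential-file read or a connection outside an assumed internal address prefix) is a placeholder heuristic assumed here for illustration; the abstract does not say how MIRDETECTOR's malicious intent representation is actually built, so nothing below should be read as the paper's method.

```python
"""Toy provenance-graph node scorer, added for this page; NOT MIRDETECTOR's code.

Each process is a node; each audit record is an edge from the process to an
object (file or socket). A node's structural feature is its edge-type count
vector, its attribute feature is the set of objects it touched. Deviation is
measured against a benign 'train' window. The intent term is an ASSUMED
sensitive-sink heuristic, not the paper's intent representation.
"""
from collections import Counter, defaultdict

# Constructed audit records: (window, process, operation, object).
TRAIN = [
    ("train", "backup", "read", "/home/u/a.txt"),
    ("train", "backup", "read", "/home/u/b.txt"),
    ("train", "backup", "write", "/var/backups/1.tar"),
    ("train", "sshd", "read", "/etc/ssh/sshd_config"),
    ("train", "sshd", "connect", "10.0.0.5:22"),
    ("train", "bash", "read", "/home/u/.bashrc"),
    ("train", "bash", "exec", "/usr/bin/ls"),
]
# Test window: backup shows a benign burst (many new files), sshd is unchanged,
# bash reads a credential file and connects to an external host (the attack).
TEST = [("test", "backup", "read", f"/home/u/{c}.txt") for c in "abcdefgh"] + [
    ("test", "backup", "write", "/var/backups/2.tar"),
    ("test", "sshd", "read", "/etc/ssh/sshd_config"),
    ("test", "sshd", "connect", "10.0.0.5:22"),
    ("test", "bash", "read", "/home/u/.bashrc"),
    ("test", "bash", "read", "/etc/shadow"),
    ("test", "bash", "connect", "203.0.113.7:4444"),
]
RECORDS = TRAIN + TEST

# Assumed sink list for the intent heuristic (hypothetical, for illustration).
SENSITIVE_FILES = {"/etc/shadow", "/etc/passwd", "/home/u/.ssh/id_rsa"}
INTERNAL_PREFIX = "10."


def window_view(records, window):
    """Per-node features for one window: edge-type Counter and object set."""
    counts, objects = defaultdict(Counter), defaultdict(set)
    for w, proc, op, obj in records:
        if w == window:
            counts[proc][op] += 1
            objects[proc].add(obj)
    return counts, objects


def structural_deviation(base, cur):
    """Mean relative change per edge type, in [0, 1]; 1 = type appeared or vanished."""
    types = set(base) | set(cur)
    if not types:
        return 0.0
    return sum(abs(cur[t] - base[t]) / (cur[t] + base[t]) for t in types) / len(types)


def attribute_deviation(base_objs, cur_objs):
    """Fraction of objects touched now that were never seen in the baseline."""
    return len(cur_objs - base_objs) / len(cur_objs) if cur_objs else 0.0


def intent_score(records, window, proc):
    """ASSUMED intent heuristic: fraction of the node's edges that reach a
    sensitive sink (credential-file read or connection outside INTERNAL_PREFIX)."""
    edges = [(op, obj) for w, p, op, obj in records if w == window and p == proc]
    if not edges:
        return 0.0
    hits = sum(
        (op == "read" and obj in SENSITIVE_FILES)
        or (op == "connect" and not obj.startswith(INTERNAL_PREFIX))
        for op, obj in edges
    )
    return hits / len(edges)


def score_nodes(records, use_intent, alpha=0.5):
    """Score every node seen in the test window. With use_intent, a node that
    shows no intent signal keeps only alpha of its deviation score."""
    b_counts, b_objs = window_view(records, "train")
    c_counts, c_objs = window_view(records, "test")
    scores = {}
    for proc in c_counts:
        dev = (structural_deviation(b_counts[proc], c_counts[proc])
               + attribute_deviation(b_objs[proc], c_objs[proc])) / 2
        if use_intent:
            dev *= alpha + (1 - alpha) * intent_score(records, "test", proc)
        scores[proc] = dev
    return scores


def flagged(scores, threshold=0.5):
    """Nodes whose score reaches the alert threshold."""
    return {proc for proc, s in scores.items() if s >= threshold}


if __name__ == "__main__":
    # Expected: flagged ['backup', 'bash'] without the intent term, ['bash'] with it.
    for label, use in (("structure/attribute only", False), ("with intent term", True)):
        s = score_nodes(RECORDS, use)
        summary = ", ".join(f"{p}={v:.3f}" for p, v in s.items())
        print(f"{label}: {summary}; flagged: {sorted(flagged(s))}")
```

The backup process is the benign fluctuation the abstract warns about: it reads more files than in the baseline and most of them are new, so a scorer that looks only at structure and attributes flags it alongside the shell. The intent term halves the score of any node that touches no sensitive sink, which drops backup below the threshold while the shell, which reads /etc/shadow and connects to an external address, stays above it. A fixed sink list is the weak point of this stand-in: an attacker who touches none of the listed sinks gets an intent score of 0 and is judged on deviation alone, so treat the list, the weighting alpha and the threshold as parameters to tune against a benign baseline rather than as the mechanism the paper evaluates.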
Journal description:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.