Efficient intrusion detection via heterogeneous graph attention networks and parallel provenance analysis

In recent years, Advanced Persistent Threats (APTs) have emerged as a significant and pervasive form of cyber attack that uses sophisticated, covert techniques to infiltrate and persist in vulnerable systems, posing a significant threat to businesses and organizations. Recent studies have highlighted the potential of using provenance for APT detection. Provenance is a kind of data that records the history and dependencies of system objects (such as files, processes, and sockets) and is usually converted into a provenance graph for analysis. However, the previous methods have several limitations : (1) The large amount of data generated by long-term APT attacks has a great storage overhead and reduces the analysis efficiency. (2) Requires prior attack knowledge and cannot cope with unknown attacks. (3) It fails to consider the rich semantic information in the provenance graph fully. In this paper, we propose IDS-HGAT, a novel intrusion detection system based on a heterogeneous graph attention network. The system can reduce the number of nodes by preprocessing while retaining the graph structure information. IDS-HGAT can consider the semantic information of different types of nodes and edges and the structure information of the provenance graph, and effectively aggregate the semantic information to build a classification model without constructing a rule base. In order to improve the detection efficiency, IDS-HGAT employs the Stream data type in Redis to build a message queue to support parallel storage and acquisition of provenance data. The experimental results show that IDS-HGAT is better than the existing state-of-the-art methods in terms of precision rate, false alarm rate, and time cost.