PanThreat: Global Resource-Based Anomaly Detection for APTs

EasyChair Preprint 15643, 6 pages. Date: January 6, 2025

Abstract

Advanced Persistent Threats (APTs), because of their stealth and complexity, have become a significant security challenge for modern enterprises and often cause severe economic losses. To address these threats, researchers have proposed provenance graphs that model system entities and their dependencies in order to capture the complex scenarios of APT attacks. However, existing Provenance-based Intrusion Detection Systems (PIDS) still face the following challenges: (1) historical interaction information is lost when long-term interaction scenarios are truncated; (2) long-distance dependencies are hard to capture, so crucial contextual information is lost; (3) existing methods struggle to balance detection efficiency against detection granularity. We introduce PanThreat, an online detection system that performs fine-grained, real-time analysis of host system logs to identify malicious activities. PanThreat combines attribute encoding through Word2Vec with position encoding based on Laplacian feature matrices, retaining long-term interaction histories and effectively modeling long-range dependencies within provenance graphs. This integrated approach significantly improves detection accuracy. Additionally, PanThreat leverages the parallel processing capabilities of Graph Transformers to improve detection efficiency. Evaluations on the DARPA E3 dataset and the StreamSpot database demonstrate PanThreat's effectiveness in detecting complex APT attacks, outperforming four state-of-the-art methods while maintaining an average processing speed of 58,140 events per second.

Keyphrases: Host Provenance, Threat Detection, Transformer
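As an added example (not the paper's code), the following Python computes a Laplacian positional encoding for a small constructed provenance graph, the kind of position encoding the abstract names; the Word2Vec attribute encoding and the Graph Transformer are left out, and the sample audit events are made up for illustration.

```python
"""Laplacian positional encoding for a constructed provenance graph.

Added illustration, not the PanThreat authors' code: node positions are
encoded with eigenvectors of the normalised graph Laplacian.
"""
import numpy as np

# Constructed sample events: (subject, relation, object); one edge each.
SAMPLE_EVENTS = [
    ("sshd", "fork", "bash"),
    ("bash", "fork", "curl"),
    ("curl", "write", "/tmp/payload"),
    ("bash", "fork", "python"),
    ("python", "read", "/tmp/payload"),
    ("python", "connect", "10.0.0.5:443"),
]


def build_adjacency(events):
    """Index every entity and return (names, symmetric 0/1 adjacency matrix)."""
    names = sorted({e[0] for e in events} | {e[2] for e in events})
    idx = {name: i for i, name in enumerate(names)}
    adj = np.zeros((len(names), len(names)))
    for subj, _rel, obj in events:
        # Direction is dropped here: the spectral step needs a symmetric matrix.
        adj[idx[subj], idx[obj]] = adj[idx[obj], idx[subj]] = 1.0
    return names, adj


def normalized_laplacian(adj):
    """L = I - D^-1/2 A D^-1/2; isolated nodes get a zero scaling factor."""
    deg = adj.sum(axis=1)
    inv_sqrt = np.zeros_like(deg)
    inv_sqrt[deg > 0] = deg[deg > 0] ** -0.5
    return np.eye(len(adj)) - inv_sqrt[:, None] * adj * inv_sqrt[None, :]


def encode_graph(events, k):
    """Return ascending eigenvalues and a k-dimensional position vector per node.

    The eigenvector for eigenvalue 0 only reflects node degree, so the encoding
    starts at the second one; a repeated zero eigenvalue means disconnected parts.
    """
    names, adj = build_adjacency(events)
    vals, vecs = np.linalg.eigh(normalized_laplacian(adj))
    encoding = {name: vecs[i, 1:k + 1].tolist() for i, name in enumerate(names)}
    return [float(v) for v in vals], encoding


if __name__ == "__main__":
    eigenvalues, pos_enc = encode_graph(SAMPLE_EVENTS, k=2)
    print("eigenvalues:", [round(v, 3) for v in eigenvalues], "\n", pos_enc)
```

Nodes that are close in the graph receive similar vectors in the low eigenvectors, which is what lets a transformer distinguish a process near a suspicious file from one far from it.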