|
|
|
| Graph-adversarial learning framework integrating log semantics for APT detection |
Huixue LIU1( ),Xinqian LIU1,*( ),Shuai WANG1,Chuan ZHAO2,3,Jianguo DING4 |
1. School of Computer Science and Technology, Shandong University of Technology, Zibo 255000, China 2. School of Information Science and Engineer, University of Jinan, Jinan 250022, China 3. Shandong Key Laboratory of Ubiquitous Intelligent Computing, Jinan 250022, China 4. Zibo Public Security Traffic Management Service Center, Zibo 255000, China |
|
|
|
Abstract Advanced persistent threats (APTs) pose significant challenges to the security detection of large-scale multi-host systems. To address these challenges, a novel detection framework named GE-APT was proposed. First, critical log information and features were extracted, and semantic representations were obtained using the Sentence-BERT model. A self-supervised autoencoder was then employed to compress and refine these high-dimensional semantic features. Subsequently, a system provenance graph was constructed based on system entities and their interactions, with semantic edge features introduced to enhance the expressive power of the graph structure. To model the distribution of normal behavioral patterns at the node level, an improved generative adversarial network was adopted for adversarial learning, while the discriminator was designed using a graph attention mechanism to effectively identify anomalous activities. Finally, GE-APT achieved precision rates of 90.91% and 86.86% on datasets DARPA TC and OpTC, respectively, and outperformed existing typical detection methods in accuracy, recall, F1-score, and other metrics. These results validate the effectiveness of the proposed framework in detecting anomalous behaviors associated with APT attacks.
|
|
Received: 21 July 2025
Published: 16 July 2026
|
|
|
| Fund: 山东省泛在智能计算重点实验室开放基金资助. |
|
Corresponding Authors:
Xinqian LIU
E-mail: 1281310712@qq.com;lxq@sdut.edu.cn
|
融合日志语义与图对抗学习的APT检测框架
高级持续性威胁(APT)给大规模多主机系统的安全检测带来严峻挑战,为此提出名为GE-APT的新型检测框架. 提取关键日志信息与特征,利用Sentence-BERT模型获取语义特征,通过自监督自编码器降维压缩. 基于系统实体及其交互构建系统溯源图,引入语义边特征以增强图结构表达能力. 为了在节点级别建模正常实体行为特征分布,引入改进的生成对抗网络进行对抗学习,以图注意力机制构建判别器以识别异常行为. GE-APT在数据集DARPA TC和OpTC上的精确率分别为90.91%和86.86%,在准确率、召回率和F1值等评估指标上亦优于现有典型检测方法. 实验结果验证了所提框架在APT攻击异常行为检测方面的有效性.
关键词:
网络安全,
入侵检测,
高级持续性威胁(APT)检测,
图神经网络,
对抗学习
|
|
| [1] |
奇安信. 全球高级持续性威胁(APT)2023年度报告[R/OL].(2024-02-02)[2025-09-25]. https://www.qianxin.com/threat/reportdetail?report_id=310.
|
|
|
| [2] |
WENG Z, ZHANG W, ZHU T, et al RT-APT: a real-time APT anomaly detection method for large-scale provenance graph[J]. Journal of Network and Computer Applications, 2025, 233: 104036
doi: 10.1016/j.jnca.2024.104036
|
|
|
| [3] |
ZIPPERLE M, GOTTWALT F, CHANG E, et al Provenance-based intrusion detection systems: a survey[J]. ACM Computing Surveys, 2023, 55 (7): 1- 36
|
|
|
| [4] |
HUANG S, LIU Y, FUNG C, et al HitAnomaly: hierarchical transformers for anomaly detection in system log[J]. IEEE Transactions on Network and Service Management, 2020, 17 (4): 2064- 2076
doi: 10.1109/TNSM.2020.3034647
|
|
|
| [5] |
INAM M A, CHEN Y, GOYAL A, et al. SoK: history is a vast early warning system: auditing the provenance of system intrusions [C]// Proceedings of the IEEE Symposium on Security and Privacy. San Francisco: IEEE, 2023: 2620–2638.
|
|
|
| [6] |
XU L, ZHAO Z, ZHAO D, et al AJSAGE: a intrusion detection scheme based on jump-knowledge connection to GraphSAGE[J]. Computers and Security, 2025, 150: 104263
doi: 10.1016/j.cose.2024.104263
|
|
|
| [7] |
XU B, GONG Y, GENG X, et al ProcSAGE: an efficient host threat detection method based on graph representation learning[J]. Cybersecurity, 2024, 7 (1): 51
doi: 10.1186/s42400-024-00240-w
|
|
|
| [8] |
WANG S, WANG Z, ZHOU T, et al THREATRACE: detecting and tracing host-based threats in node level through provenance graph learning[J]. IEEE Transactions on Information Forensics and Security, 2022, 17: 3972- 3987
doi: 10.1109/TIFS.2022.3208815
|
|
|
| [9] |
李元诚, 罗昊, 王欣煜, 等 基于溯源图和注意力机制的APT攻击检测模型构建[J]. 通信学报, 2024, 45 (3): 117- 130 LI Yuancheng, LUO Hao, WANG Xinyu, et al Construction of advanced persistent threat attack detection model based on provenance graph and attention mechanism[J]. Journal on Communications, 2024, 45 (3): 117- 130
|
|
|
| [10] |
REIMERS N, GUREVYCH I. Sentence-BERT: sentence embeddings using Siamese BERT-networks [C]// Proceedings of the 2019 Conference on Empirical Methods in Natural Language Processing and the 9th International Joint Conference on Natural Language Processing (EMNLP-IJCNLP). Hong Kong: Association for Computational Linguistics, 2019: 3982–3992.
|
|
|
| [11] |
ORTAKCI Y, BORHAN B Optimizing SBERT for long text clustering: two novel approaches with empirical insights[J]. The Journal of Supercomputing, 2025, 81 (8): 950
doi: 10.1007/s11227-025-07414-4
|
|
|
| [12] |
SARIOGLU M, SARIYER G, SOZEN M E LLM-based embeddings for clustering and predicting integrated reporting quality levels of companies[J]. Discover Computing, 2025, 28 (1): 95
doi: 10.1007/s10791-025-09590-6
|
|
|
| [13] |
HE X, FANG A, YU D. Multilingual topic evolution and comparative analysis for electronic commerce research: a combination of BERTopic and SBERT [J]. Journal of Intelligent and Fuzzy Systems, 2024: 1–22.
|
|
|
| [14] |
NIE Y Automated essay scoring with SBERT embeddings and LSTM-Attention networks[J]. PeerJ Computer Science, 2025, 11: e2634
doi: 10.7717/peerj-cs.2634
|
|
|
| [15] |
LIU W, LI J, CHEN S GSRDR-GAN: global search result diversification ranking approach based on multi-head self-attention and GAN[J]. Neurocomputing, 2025, 648: 130723
doi: 10.1016/j.neucom.2025.130723
|
|
|
| [16] |
MAHBUB S, BAYZID M S EGRET: edge aggregated graph attention networks and transfer learning improve protein–protein interaction site prediction[J]. Briefings in Bioinformatics, 2022, 23 (2): bbab578
doi: 10.1093/bib/bbab578
|
|
|
| [17] |
HOSSAIN M N, NAHID M, MILAJERDI S, et al. Real-time attack scenario reconstruction from audit data [C]// 26th USENIX Security Symposium. Berkeley: USENIX Association, 2017: 487–504.
|
|
|
| [18] |
HOSSAIN M N, SHEIKHI S, SEKAR R. Combating dependence explosion in forensic analysis using alternative tag propagation semantics [C]// Proceedings of the IEEE Symposium on Security and Privacy. San Francisco: IEEE, 2020: 1139–1155.
|
|
|
| [19] |
HOSSAIN M N, WANG, J N, SEKAR R, et al. Dependence-preserving data compaction for scalable forensic analysis [C]// 27th USENIX Security Symposium. Berkeley: USENIX Association, 2018: 1723–1740.
|
|
|
| [20] |
ANJUM M M, IQBAL S, HAMELIN B. ANUBIS: a provenance graph-based framework for advanced persistent threat detection [C]// Proceedings of the 37th ACM/SIGAPP Symposium on Applied Computing. [S.l.]: ACM, 2022: 1684–1693.
|
|
|
| [21] |
LEE J S, FAN Y Y, CHENG C H, et al ML-based intrusion detection system for precise APT cyber-clustering[J]. Computers and Security, 2025, 149: 104209
doi: 10.1016/j.cose.2024.104209
|
|
|
| [22] |
ALSAHEEL A, NAN Y H, MA S Q, et al. A sequence-based learning approach for attack investigation [C]// 30th USENIX Security Symposium. Berkeley: USENIX Security, 2021: 3005–3022.
|
|
|
| [23] |
KAPOOR M, MELTON J, RIDENHOUR M, et al. PROV-GEM: automated provenance analysis framework using graph embeddings [C]// Proceedings of the 20th IEEE International Conference on Machine Learning and Applications. Pasadena: IEEE, 2022: 1720–1727.
|
|
|
| [24] |
LI Z, CHENG X, SUN L, et al A hierarchical approach for advanced persistent threat detection with attention-based graph neural networks[J]. Security and Communication Networks, 2021, 2021: 9961342
|
|
|
| [25] |
ZENGY J, WANG X, LIU J, et al. SHADEWATCHER: recommendation-guided cyber threat analysis using system audit records [C]// Proceedings of the IEEE Symposium on Security and Privacy. San Francisco: IEEE, 2022: 489–506.
|
|
|
| [26] |
JIN J, ZHU T, YUAN Q, et al PDCleaner: a multi-view collaborative data compression method for provenance graph-based APT detection systems[J]. Computers and Security, 2025, 152: 104359
doi: 10.1016/j.cose.2025.104359
|
|
|
| [27] |
王郅伟, 何睎杰, 易鑫, 等 基于APT活动全生命周期的攻击与检测综述[J]. 通信学报, 2024, 45 (9): 206- 228 WANG Zhiwei, HE Xijie, YI Xin, et al Survey of attack and detection based on the full life cycle of APT[J]. Journal on Communications, 2024, 45 (9): 206- 228
|
|
|
| [28] |
HOSSAIN M N, MILAJERDI S M, WANG J, et al. SLEUTH: real-time attack scenario reconstruction from COTS audit data [EB/OL]. (2018–01–06)[2025–09–25]. https://arxiv.org/pdf/1801.02062.
|
|
|
| [29] |
MILAJERDI S M, ESHETE B, GJOMEMO R, et al. POIROT: aligning attack behavior with kernel audit records for cyber threat hunting [C]// Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. London: ACM, 2019: 1795–1812.
|
|
|
| [30] |
SATVAT K, GJOMEMO R, VENKATAKRISHNAN V N. Extractor: extracting attack behavior from threat reports [C]// Proceedings of the IEEE European Symposium on Security and Privacy. Vienna: IEEE, 2021: 598–615.
|
|
|
| [31] |
FORREST S, HOFMEYR S A, SOMAYAJI A, et al. A sense of self for Unix processes [C]// Proceedings 1996 IEEE Symposium on Security and Privacy. Oakland: IEEE, 2002: 120–128.
|
|
|
| [32] |
MANZOOR E, MILAJERDI S M, AKOGLU L. Fast memory-efficient anomaly detection in streaming heterogeneous graphs [C]// Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. San Francisco: ACM, 2016: 1035–1044.
|
|
|
| [33] |
HAN X, PASQUIER T, BATES A, et al. Unicorn: runtime provenance-based detector for advanced persistent threats [C]// Proceedings 2020 Network and Distributed System Security Symposium. San Diego: Internet Society, 2020: 1–15.
|
|
|
| [34] |
JIA Z, XIONG Y, NAN Y, et al. MAGIC: detecting advanced persistent threats via masked graph representation learning [EB/OL]. (2023–10–15)[2025–09–25]. https://arxiv.org/pdf/2310.09831.
|
|
|
| [35] |
ANJUM M M, IQBAL S, HAMELIN B. Analyzing the usefulness of the DARPA OpTC dataset in cyber threat detection research [C]// Proceedings of the 26th ACM Symposium on Access Control Models and Technologies. [S.l.]: ACM, 2021: 27–32.
|
|
|
| [36] |
FIVEDIRECTIONS. OpTC-data [EB/OL]. [2025–09–26]. https://github.com/FiveDirections/OpTC-data/blob/master/ecar.md.
|
|
|
| [37] |
ZIPPERLE M, ZHANG Y, CHANG E, et al PARGMF: a provenance-enabled automated rule generation and matching framework with multi-level attack description model[J]. Journal of Information Security and Applications, 2024, 81: 103682
doi: 10.1016/j.jisa.2023.103682
|
|
|
| [38] |
ALY A, IQBAL S, YOUSSEF A, et al MEGR-APT: a memory-efficient APT hunting system based on attack representation learning[J]. IEEE Transactions on Information Forensics and Security, 2024, 19: 5257- 5271
doi: 10.1109/TIFS.2024.3396390
|
|
|
| [39] |
AFNAN S, SADIA M, IQBAL S, et al. LogShield: a transformer-based APT detection system leveraging self-attention [EB/OL]. (2023–11–09)[2025–09–25]. https://arxiv.org/pdf/2311.05733.
|
|
|
| [40] |
HUANG Z, GU Y, ZHAO Q. One-class directed heterogeneous graph neural network for intrusion detection [C]// Proceedings of the 2022 the 6th International Conference on Innovation in Artificial Intelligence. Guangzhou: ACM, 2022: 178–184.
|
|
|
| [41] |
罗汉新, 王金双, 伍文昌 基于溯源图节点级别的APT检测[J]. 网络安全与数据治理, 2022, 41 (10): 49- 55 LUO Hanxin, WANG Jinshuang, WU Wenchang Detecting advanced persistent threats through provenance graph in node level[J]. Cyber Security and Data Governance, 2022, 41 (10): 49- 55
|
|
|
|
Viewed |
|
|
|
Full text
|
|
|
|
|
Abstract
|
|
|
|
|
Cited |
|
|
|
|
| |
Shared |
|
|
|
|
| |
Discussed |
|
|
|
|