

1. School of Cyberspace Security, Guangzhou University, Guangzhou, Guangdong 510555
2. Peng Cheng Laboratory, Shenzhen, Guangdong 518000
3. Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200240
4. NSFOCUS Technologies Group Co., Ltd., Beijing 100089
Received: 15 November 2023; Revised: 29 May 2024; Published: 25 July 2024
QIU Jing, CHEN Rong-rong, ZHU Hao-jin, et al. A Survey of Network Attack Investigation Based on Provenance Graph[J]. Acta Electronica Sinica, 2024, 52(07): 2529-2556. DOI: 10.12263/DZXB.20231057
Investigating network attacks is crucial for the implementation of proactive defenses and the formulation of tracing countermeasures. With the rise of sophisticated and stealthy network threats, the need to develop efficient and automated investigation methods has become a pivotal aspect of advancing intelligent network attack and defense capabilities. Existing studies have focused on modeling system audit logs into provenance graphs that represent the causal dependencies among attack events. Leveraging the powerful associative analysis and semantic representation capabilities of provenance graphs, complex and stealthy network attacks can be effectively investigated, yielding superior results compared to conventional methods. This paper offers a systematic review of the literature on provenance-graph-based attack investigation, categorizing the diverse methodologies, according to how the provenance graph is used and which feature dimensions are mined, into three principal groups: causality analysis, deep representation learning, and anomaly detection. For each category, the paper succinctly presents the workflows and the core frameworks that underpin these methodologies. Additionally, it delves into the optimization techniques for provenance graphs and chronicles the evolution of these technologies from theoretical constructs to their application in industrial settings. This study methodically aggregates and reviews datasets prevalently utilized in attack investigation research, offering a comprehensive comparative analysis of representative techniques alongside their associated performance metrics, specifically within the ambit of provenance-graph-based methodologies. Subsequently, it delineates the prospective directions for future research and development within this specialized field, thereby providing a structured roadmap for advancing the domain's academic and practical applications.
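As an added illustration of the causality-analysis approach the abstract describes (example code written for this page, not from the surveyed paper or any of the systems it reviews): constructed audit records are modeled as a provenance graph, and backward causality tracing from an alert event recovers the chain of ancestors that produced it, while timestamps prune the unrelated dependencies that a plain reachability search would drag in. All entity names, timestamps and events are constructed.

```python
"""Provenance-graph construction and backward causality tracing over audit events.

Added example, not code from the surveyed paper. The audit records below are
constructed by hand; entity names and timestamps are illustrative only.
"""
from collections import defaultdict, namedtuple

# One audit record: at time `ts`, information flowed from `src` to `dst` via `op`
# (process writes file, file is exec'd into a process, socket data is read by a
# process, parent forks child). Entities are typed strings such as "proc:bash".
Event = namedtuple("Event", "ts src op dst")

# Constructed sample log. Events 1, 2, 4, 5, 6 form a download-and-run chain that
# ends in a write to authorized_keys; event 3 is unrelated editor activity, and
# event 8 is a later, innocent read by bash that a time-unaware traversal would
# wrongly pull into the attack story.
SAMPLE_EVENTS = [
    Event(1, "socket:203.0.113.5:443", "recv", "proc:firefox"),
    Event(2, "proc:firefox", "write", "file:/tmp/update.sh"),
    Event(3, "proc:vim", "write", "file:/home/alice/notes.txt"),
    Event(4, "file:/tmp/update.sh", "exec", "proc:bash"),
    Event(5, "proc:bash", "fork", "proc:curl"),
    Event(6, "proc:curl", "write", "file:/home/alice/.ssh/authorized_keys"),
    Event(8, "file:/home/alice/notes.txt", "read", "proc:bash"),
]

# The alert (point of interest) an analyst starts from: the authorized_keys write.
POI_EVENT = SAMPLE_EVENTS[5]


class ProvenanceGraph:
    """Directed graph of entities; each edge is an audit event carrying a timestamp."""

    def __init__(self, events):
        self.incoming = defaultdict(list)  # dst entity -> events flowing into it
        for e in sorted(events, key=lambda e: e.ts):
            self.incoming[e.dst].append(e)

    def backward_trace(self, poi, respect_time=True):
        """Return the events that causally precede `poi`, oldest first.

        With respect_time=True an edge into entity n is a possible cause only if
        it happened before the edge by which n itself was reached (King & Chen
        style backtracking). With respect_time=False this degrades to plain graph
        reachability, which is what produces dependency explosion.
        """
        causes = {poi}
        # For each entity, the latest time bound already explored; re-visiting
        # with a larger bound can expose further (earlier-than-bound) edges.
        explored = {}
        stack = [(poi.src, poi.ts)]
        while stack:
            node, bound = stack.pop()
            if explored.get(node, float("-inf")) >= bound:
                continue
            explored[node] = bound
            for e in self.incoming[node]:
                if respect_time and e.ts >= bound:
                    continue  # happened after node was already tainted: not a cause
                causes.add(e)
                stack.append((e.src, e.ts if respect_time else bound))
        return sorted(causes, key=lambda e: e.ts)


def involved_nodes(trace):
    """Entities appearing in a trace, i.e. the nodes of the reconstructed attack story."""
    return sorted({n for e in trace for n in (e.src, e.dst)})


if __name__ == "__main__":
    graph = ProvenanceGraph(SAMPLE_EVENTS)
    for label, flag in (("time-aware", True), ("naive reachability", False)):
        trace = graph.backward_trace(POI_EVENT, respect_time=flag)
        print(f"{label}: {len(trace)} events, {len(involved_nodes(trace))} entities")
        for e in trace:
            print(f"  t={e.ts}  {e.src} --{e.op}--> {e.dst}")
```

The time-aware trace yields only the five events of the download-and-run chain, whereas naive reachability also absorbs the editor's write and bash's later read, which is the dependency-explosion effect the surveyed optimization work targets.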