DocHero AI - Best paraphrasing and translation tool for academic and professional writing | DocHero AI - Best paraphrasing and translation tool for academic and professional writing

TFLAG:Towards Practical APT Detection via Deviation-Aware Learning on Temporal Provenance Graph

Wenhan Jiang, Tingting Chai, Hongri Liu et al. (5 total)

2025-01-13

ArXiv Vol. abs/2501.06997

10.48550/arxiv.2501.06997

摘要

Advanced Persistent Threat (APT) have grown increasingly complex and concealed, posing formidable challenges to existing Intrusion Detection Systems in identifying and mitigating these attacks. Recent studies have incorporated graph learning techniques to extract detailed information from provenance graphs, enabling the detection of attacks with greater granularity. Nevertheless, existing studies have largely overlooked the continuous yet subtle temporal variations in the structure of provenance...

查看文献

问题

The research addresses the challenge of detecting Advanced Persistent Threats (APTs) that are increasingly complex and concealed. Existing intrusion detection systems often overlook subtle temporal variations in provenance graphs, hindering accurate identification and mitigation of these attacks.

方法

The study introduces TFLAG, a self-supervised anomaly detection framework. TFLAG integrates temporal graph models for structural dynamic extraction with deviation networks for anomaly delineation. This framework identifies covert attack activities in provenance graphs by analyzing neighbor interaction data.

关键发现

Experimental results demonstrate that TFLAG accurately identifies time windows associated with APT attack behaviors without prior knowledge. It outperforms state-of-the-art methods in differentiating between attack events and system false positives by utilizing both attribute and temporal information.

3个要点

TFLAG effectively captures continuous yet subtle temporal variations in provenance graphs to detect APT attacks.
The integration of temporal sequence models with deviation networks enhances the detection of covert perturbation anomalies.
TFLAG's self-supervised approach reduces reliance on labeled data and improves accuracy in identifying attack events.

学术详情点击展开

干预措施:TFLAG framework: integrates temporal graph models with deviation networks.

研究设计:Self-supervised anomaly detection framework evaluated on public APT datasets.

结果指标:Accuracy in detecting APT attacks at window-level and graph-level.

统计方法:Evaluation metrics include precision, recall, accuracy, and AUC.

局限性:TFLAG's sensitivity to the timing and extent of manifest attack behaviors within designated windows. Misclassification of previously compromised events as normal behavior.

未来研究方向:Implementation of re-labeling and retraining in subsequent stages to effectively mitigate false positives associated with normal system behavior.

关键发现:TFLAG accurately captures low-frequency APT attack behaviors across large datasets while filtering out system irregularities.

临床意义:TFLAG improves the detection of APT attacks, reducing false positives and enhancing overall accuracy in identifying malicious activities within network systems.

生成于 12/27/2025