
[SP2024] Understanding and Bridging the Gap Between Unsupervised Network Representation Learning and Security Analytics

Title: Understanding and Bridging the Gap Between Unsupervised Network Representation Learning and Security Analytics

Author: Jiacen Xu, Xiaokui Shu and Zhou Li

Conference: 2024 IEEE Symposium on Security and Privacy (SP)

Paper: https://doi.ieeecomputersociety.org/10.1109/SP54263.2024.00012

Code: https://github.com/C0ldstudy/Argus

Bibtex:

@INPROCEEDINGS {,
author = {J. Xu and X. Shu and Z. Li},
booktitle = {2024 IEEE Symposium on Security and Privacy (SP)},
title = {Understanding and Bridging the Gap Between Unsupervised Network Representation Learning and Security Analytics},
year = {2024},
volume = {},
issn = {2375-1207},
pages = {12-12},
doi = {10.1109/SP54263.2024.00012},
url = {https://doi.ieeecomputersociety.org/10.1109/SP54263.2024.00012},
publisher = {IEEE Computer Society},
address = {Los Alamitos, CA, USA},
month = {may}
}

Main Idea

We revisit prior work on Unsupervised Network Representation Learning (UNRL)-based graph security analytics (GSA) and argue that, instead of applying a standard UNRL model in an attack-agnostic way, the model should be built around generic attack characteristics. We design Argus with a new encoder and decoder over discrete temporal graphs (DTGs) to exploit the temporal dynamics of the graph. Evaluated on the LANL and OpTC datasets, Argus outperforms the state of the art (SOTA).

Key insight

Issues with prior UNRL-based GSA work:

  • Issue-A: Gap between link prediction and attack detection. The model is trained to reconstruct typical edges, which is not the same objective as flagging the rare malicious ones with high precision.
  • Issue-B: Missing edge features. Event fields (e.g., authentication type and outcome) are dropped, leaving only the existence of an edge.
  • Issue-C: Static graph modeling over a long period. Aggregating all events into one graph discards the temporal dynamics that distinguish a burst of attacker activity from normal traffic.

Our solutions:

  • To integrate the useful event fields as edge features, we design a new encoder on top of Message Passing Neural Networks (MPNNs).
  • Instead of training the GSA model for high accuracy, we adopt a new loss function, AP loss, that optimizes the model for high precision.
  • For the downstream decoder, we redesign it to capture the community patterns an attacker is likely to exhibit (e.g., lateral movement and port scanning), by adapting prior graph anomaly detection methods.
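To make Issues B and C concrete, the following is an added illustration written for this post, not code from the Argus repository: it parses constructed LANL-style authentication records, builds a discrete temporal graph with a per-edge feature vector for each time window, and shows that a single static graph over the whole period cannot tell an admin host that reaches one new server per window (C1) from a compromised host that fans out to five servers inside one window (C10). The per-window fan-out score and the average-precision metric are simple stand-ins chosen for the illustration; they are not Argus's encoder, decoder, or loss, and the host and user names are made up.

```python
"""Added illustration (not the Argus implementation): discrete temporal graph
with per-edge features vs. one static graph over the whole period."""
from collections import defaultdict

# Constructed events in LANL auth.txt field order:
# time,src_user,dst_user,src_computer,dst_computer,auth_type,logon_type,orientation,success
# C1 is an admin host touching one new server per 100-second window; C10 is a
# compromised host that fans out to five servers inside window 3 (lateral movement).
SAMPLE_AUTH = """\
10,U1@DOM1,U1@DOM1,C1,C2,Kerberos,Network,LogOn,Success
20,U2@DOM1,U2@DOM1,C8,C9,Kerberos,Network,LogOn,Success
30,U3@DOM1,U3@DOM1,C10,C11,Kerberos,Network,LogOn,Success
110,U1@DOM1,U1@DOM1,C1,C3,Kerberos,Network,LogOn,Success
120,U2@DOM1,U2@DOM1,C8,C9,Kerberos,Network,LogOn,Success
130,U3@DOM1,U3@DOM1,C10,C11,Kerberos,Network,LogOn,Success
210,U1@DOM1,U1@DOM1,C1,C4,Kerberos,Network,LogOn,Success
220,U2@DOM1,U2@DOM1,C8,C9,Kerberos,Network,LogOn,Success
230,U3@DOM1,U3@DOM1,C10,C11,Kerberos,Network,LogOn,Success
310,U1@DOM1,U1@DOM1,C1,C5,Kerberos,Network,LogOn,Success
320,U2@DOM1,U2@DOM1,C8,C9,Kerberos,Network,LogOn,Success
321,U3@DOM1,U3@DOM1,C10,C2,NTLM,Network,LogOn,Fail
322,U3@DOM1,U3@DOM1,C10,C2,NTLM,Network,LogOn,Success
323,U3@DOM1,U3@DOM1,C10,C3,NTLM,Network,LogOn,Success
324,U3@DOM1,U3@DOM1,C10,C4,NTLM,Network,LogOn,Fail
325,U3@DOM1,U3@DOM1,C10,C5,NTLM,Network,LogOn,Success
326,U3@DOM1,U3@DOM1,C10,C6,NTLM,Network,LogOn,Success
410,U1@DOM1,U1@DOM1,C1,C6,Kerberos,Network,LogOn,Success
420,U2@DOM1,U2@DOM1,C8,C9,Kerberos,Network,LogOn,Success
510,U1@DOM1,U1@DOM1,C1,C7,Kerberos,Network,LogOn,Success
520,U2@DOM1,U2@DOM1,C8,C9,Kerberos,Network,LogOn,Success
"""

FIELDS = ("time", "src_user", "dst_user", "src_host", "dst_host",
          "auth_type", "logon_type", "orientation", "outcome")


def parse_auth(text):
    """Parse LANL-style CSV lines into dicts; the time field becomes an int."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split(",")))
        rec["time"] = int(rec["time"])
        events.append(rec)
    return events


def edge_features(evts):
    """Aggregate the event fields of one (src, dst) edge into a feature vector:
    [event count, failed logons, NTLM logons]. A graph without edge features
    (Issue-B) would keep only the fact that the edge exists."""
    return [len(evts),
            sum(e["outcome"] == "Fail" for e in evts),
            sum(e["auth_type"] == "NTLM" for e in evts)]


def build_dtg(events, window):
    """Discrete temporal graph: one snapshot per fixed-length time window.
    Returns {window_index: {(src_host, dst_host): feature_vector}}."""
    buckets = defaultdict(lambda: defaultdict(list))
    for e in events:
        buckets[e["time"] // window][(e["src_host"], e["dst_host"])].append(e)
    return {w: {edge: edge_features(evts) for edge, evts in edges.items()}
            for w, edges in buckets.items()}


def build_static(events):
    """One graph over the whole period (Issue-C): a window larger than any timestamp."""
    return build_dtg(events, window=10**12)[0]


def fan_out(graph):
    """Number of distinct destination hosts per source host in one graph."""
    dsts = defaultdict(set)
    for src, dst in graph:
        dsts[src].add(dst)
    return {src: len(d) for src, d in dsts.items()}


def burst_scores(dtg):
    """Score each (host, window) by its fan-out within that window. This is a
    hand-written stand-in for a learned decoder: a lateral-movement burst shows
    up as a host whose per-window fan-out is far above what it normally has."""
    return {(src, w): n for w, g in dtg.items() for src, n in fan_out(g).items()}


def average_precision(scores, positives):
    """Average precision of the ranking induced by scores (higher = more suspicious);
    the ranking metric, unlike accuracy, is dominated by the rare positives."""
    ranked = sorted(scores, key=lambda k: -scores[k])
    hits, ap = 0, 0.0
    for rank, key in enumerate(ranked, 1):
        if key in positives:
            hits += 1
            ap += hits / rank
    return ap / max(len(positives), 1)


if __name__ == "__main__":
    events = parse_auth(SAMPLE_AUTH)
    print("static fan-out:", fan_out(build_static(events)))  # C1 and C10 both reach 6 hosts
    dtg = build_dtg(events, window=100)
    scores = burst_scores(dtg)
    print("most suspicious (host, window):", max(scores, key=scores.get))
    print("edge features of (C10, C2) in window 3:", dtg[3][("C10", "C2")])
```

In the static graph both C1 and C10 reach six distinct hosts, so a structure-only model sees them as the same kind of node; in the 100-second snapshots C1 never exceeds a fan-out of 1 while C10 reaches 5 in window 3, and the edge features of that window record the NTLM logons and failures that a plain adjacency matrix would drop.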

Framework

(Figure: Argus framework overview)

Evaluation

Datasets:

  • LANL: https://csr.lanl.gov/data/cyber1/
  • OpTC: https://github.com/FiveDirections/OpTC-data

Baselines:

  • Netwalk: https://dl.acm.org/doi/10.1145/3219819.3220024
  • PIKACHU: https://ieeexplore.ieee.org/document/9789921/
  • VGRNN: https://arxiv.org/abs/1611.07308
  • Euler: https://www.ndss-symposium.org/ndss-paper/auto-draft-227/

Experiment:

Overall Effectiveness:

(Figure: overall effectiveness of Argus versus the baselines on LANL and OpTC)

Ablation Study:

(Figure: ablation study)

Robustness:

(Figure: robustness results)

This post is licensed under CC BY 4.0 by the author.
