Proceedings Article, DOI 10.1145/3319535.3363224
Log2vec: A Heterogeneous Graph Embedding Based Approach for Detecting Cyber Threats within Enterprise
Fucheng Liu, Yu Wen, Zhang Dongxue, Xihe Jiang, Xinyu Xing, Dan Meng, and 5 more
- 06 Nov 2019
- pp 1777-1794
TL;DR: This work proposes log2vec, a heterogeneous-graph-embedding-based modularized method that substantially outperforms state-of-the-art approaches such as deep learning and the hidden Markov model (HMM), and shows its capability to detect malicious events in various attack scenarios.
Abstract: Conventional attacks by insider employees and emerging APTs are both major threats to organizational information systems. Existing detection methods mainly concentrate on users' behavior and usually analyze logs that record their operations in an information system. In general, most of these methods consider only the sequential relationship among log entries and model users' sequential behavior. However, they ignore other relationships, which inevitably leads to unsatisfactory performance across attack scenarios. We propose log2vec, a heterogeneous-graph-embedding-based modularized method. First, it uses a heuristic approach that converts log entries into a heterogeneous graph according to the diverse relationships among them. Next, it applies an improved graph embedding suited to this heterogeneous graph, which automatically represents each log entry as a low-dimensional vector. The third component of log2vec is a practical detection algorithm that separates malicious and benign log entries into different clusters and identifies the malicious ones. We implement a prototype of log2vec. Our evaluation demonstrates that log2vec substantially outperforms state-of-the-art approaches such as deep learning and the hidden Markov model (HMM). In addition, log2vec shows its capability to detect malicious events in various attack scenarios.
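The three stages the abstract describes (relationship-based graph construction, embedding of each log entry, clustering with small clusters flagged as malicious) can be sketched end to end on a handful of log lines. The following is an added example, not the authors' prototype or any code from the paper: the three relation rules are a simplified set assumed here (the paper's own rules differ), the learned random-walk/word2vec embedding is replaced by the expected visit counts of a short uniform random walk so that the run is deterministic and needs no third-party library, the leader-clustering step and its `threshold`/`min_size` parameters are assumptions, and the log lines are constructed.

```python
import math
from collections import defaultdict
from itertools import combinations
# Constructed sample log (not the paper's data): day,time,user,operation,host. The last
# line is the planted anomaly: alice on bob's workstation at 02:13, with no other activity.
SAMPLE_LOG = """\
1,09:00,alice,logon,pc-a
1,10:00,alice,file,srv-share
1,17:00,alice,logoff,pc-a
2,09:05,alice,logon,pc-a
2,10:10,alice,file,srv-share
2,17:05,alice,logoff,pc-a
1,08:55,bob,logon,pc-b
1,10:20,bob,file,srv-share
1,16:50,bob,logoff,pc-b
2,08:58,bob,logon,pc-b
2,10:25,bob,file,srv-share
2,16:55,bob,logoff,pc-b
3,02:13,alice,logon,pc-b
"""

def parse_log(text):
    """One dict per log entry; the line index doubles as the graph node id."""
    rows = [l.split(",") for l in text.splitlines() if l.strip()]
    return [{"id": i, "day": int(d), "time": t, "user": u, "op": o, "host": h}
            for i, (d, t, u, o, h) in enumerate(rows)]

def build_graph(entries):
    """Heterogeneous graph with three assumed relation types (simplified; not the paper's
    exact rules). sequence: consecutive operations of one user within a day. routine: same
    user, operation and host on different days. host: different users, same host, same day."""
    edges = {"sequence": set(), "routine": set(), "host": set()}
    per_user_day = defaultdict(list)
    for e in entries:
        per_user_day[(e["user"], e["day"])].append(e)
    for ops in per_user_day.values():
        ops.sort(key=lambda e: e["time"])  # "HH:MM" sorts correctly as text
        for a, b in zip(ops, ops[1:]):
            edges["sequence"].add((a["id"], b["id"]))
    for a, b in combinations(entries, 2):
        same_user, same_day = a["user"] == b["user"], a["day"] == b["day"]
        if same_user and not same_day and (a["op"], a["host"]) == (b["op"], b["host"]):
            edges["routine"].add((a["id"], b["id"]))
        elif not same_user and same_day and a["host"] == b["host"]:
            edges["host"].add((a["id"], b["id"]))
    adj = defaultdict(set)
    for pairs in edges.values():
        for u, v in pairs:
            adj[u].add(v); adj[v].add(u)
    return edges, adj

def embed(entries, adj, walk_len=3):
    """Expected visit counts of a uniform random walk of walk_len steps from each node: the
    expectation of what log2vec samples, standing in for the learned word2vec vectors."""
    vectors = {}
    for e in entries:
        dist, vec = {e["id"]: 1.0}, defaultdict(float)
        for _ in range(walk_len):
            nxt = defaultdict(float)
            for node, p in dist.items():
                nbrs = adj.get(node)
                if not nbrs:               # isolated node: the walk stays put
                    nxt[node] += p
                else:
                    for v in nbrs:
                        nxt[v] += p / len(nbrs)
            dist = nxt
            for node, p in dist.items():
                vec[node] += p
        vectors[e["id"]] = dict(vec)
    return vectors

def cosine(a, b):
    dot = sum(x * b.get(k, 0.0) for k, x in a.items())
    norms = math.sqrt(sum(x * x for x in a.values())) * math.sqrt(sum(x * x for x in b.values()))
    return dot / norms if norms else 0.0

def cluster_and_flag(vectors, threshold=0.5, min_size=2):
    """Leader clustering: a node joins the first cluster whose leader is at least `threshold`
    similar, else starts a new one; clusters below `min_size` are reported as malicious."""
    clusters = []  # (leader_id, [member_ids])
    for nid, vec in vectors.items():
        for leader, members in clusters:
            if cosine(vectors[leader], vec) >= threshold:
                members.append(nid)
                break
        else:
            clusters.append((nid, [nid]))
    flagged = sorted(n for _, m in clusters if len(m) < min_size for n in m)
    return clusters, flagged

def detect(text):
    entries = parse_log(text)
    _, adj = build_graph(entries)
    _, flagged = cluster_and_flag(embed(entries, adj))
    return [entries[i] for i in flagged]

if __name__ == "__main__":
    print("suspicious:", [e["id"] for e in detect(SAMPLE_LOG)])
```

On this toy log the planted entry attaches to nothing under the three rules (no other operation by alice that day, no routine match because the host differs, nobody else on pc-b that day), so its vector has mass only on itself and it lands in a cluster of one, while alice's and bob's routine days form two six-member clusters. In a real deployment the suspicious entry usually keeps sequence edges to the user's other operations that day and the separation has to come from the learned embedding, so `threshold` and `min_size` need tuning against labelled data. Before trusting any result, check the per-relation edge counts that `build_graph` returns: a rule whose edge set is empty (a mis-parsed host field, a day boundary in the wrong timezone) silently collapses the graph back to the sequence-only baseline the abstract criticizes.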
Citations
Patent
Network space security threat detection method and system based on heterogeneous graph embedding
Yu Wen, Fucheng Liu, Zhang Dongxue, Boyang Zhang, Chun Yang, Du Yingying, Zheng Yang, Dan Meng, and 7 more
- 03 Apr 2020
TL;DR: This patent presents a heterogeneous-graph-embedding-based method and system for detecting security threats in network space. It comprises the steps of obtaining entity behavior data, associating all data items of the entity behavior according to a meta-attribute association relationship to obtain a data item sequence, and constructing a heterogeneous graph from that data item sequence.
•Posted Content
Hopper: Modeling and Detecting Lateral Movement (Extended Report).
Grant Ho, Mayank Dhiman, Devdatta Akhawe, Vern Paxson, Stefan Savage, Geoffrey M. Voelker, David Wagner, and 6 more
TL;DR: Hopper constructs a graph of login activity among internal machines and then identifies suspicious sequences of logins that correspond to lateral movement; it combines this path inference algorithm with a set of detection rules and a new anomaly scoring algorithm to surface the login paths most likely to reflect lateral movement.
Leveraging Token-Based Representation to Detect Lateral Movement
Jie Liu, Jinqiao Shi, and 1 more
- 14 Apr 2023
TL;DR: An unsupervised attention-based GRU model is introduced that uses an event tokenization method to preserve accuracy; the model removes the ad hoc feature engineering phases and focuses on the remaining ones with improved accuracy.
Auditing Frameworks Need Resource Isolation: A Systematic Study on the Super Producer Threat to System Auditing and Its Mitigation
Peng Jiang, Ruizhe Huang, Ding Li, Yao Guo, Xiangqun Chen, Jianhai Luan, Yuxin Ren, Xinwei Hu, and 7 more
- 29 Jul 2023
TL;DR: A novel auditing framework, NODROP, is proposed, which isolates provenance data generated by different processes with a threadlet-based architecture design, and can ensure the integrity of the auditing frameworks.
HLMD: Detecting Lateral Movement Using Heterogeneous Graph Model
Yiru Gong, Xueying Han, D. Du, Xichen Du, Bo-Sian Jiang, Tian Tian, Zhigang Lu, and 6 more
- 17 Dec 2023
References
•Proceedings Article
Efficient Estimation of Word Representations in Vector Space
Tomas Mikolov, Kai Chen, Greg S. Corrado, Jeffrey Dean, and 3 more
- 16 Jan 2013
TL;DR: Two novel model architectures for computing continuous vector representations of words from very large data sets are proposed and it is shown that these vectors provide state-of-the-art performance on the authors' test set for measuring syntactic and semantic word similarities.
•Proceedings Article
Distributed Representations of Words and Phrases and their Compositionality
Tomas Mikolov, Ilya Sutskever, Kai Chen, Greg S. Corrado, Jeffrey Dean, and 4 more
- 05 Dec 2013
TL;DR: This paper presents a simple method for finding phrases in text, and shows that learning good vector representations for millions of phrases is possible and describes a simple alternative to the hierarchical softmax called negative sampling.
•Posted Content
Distributed Representations of Words and Phrases and their Compositionality
TL;DR: In this paper, the Skip-gram model is used to learn high-quality distributed vector representations that capture a large number of precise syntactic and semantic word relationships and improve both the quality of the vectors and the training speed.
•Posted Content
Semi-Supervised Classification with Graph Convolutional Networks
Thomas Kipf, Max Welling, and 1 more
TL;DR: A scalable approach for semi-supervised learning on graph-structured data, based on an efficient variant of convolutional neural networks that operate directly on graphs, which outperforms related methods by a significant margin.
Silhouettes: a graphical aid to the interpretation and validation of cluster analysis
TL;DR: A new graphical display is proposed for partitioning techniques, where each cluster is represented by a so-called silhouette, which is based on the comparison of its tightness and separation, and provides an evaluation of clustering validity.