Security and Privacy in Communication Networks. 17th EAI International Conference, SecureComm 2021, Virtual Event, September 6–9, 2021, Proceedings, Part I

Research Article

DeepHunter: A Graph Neural Network Based Approach for Robust Cyber Threat Hunting

Download
1249 downloads
  • @INPROCEEDINGS{10.1007/978-3-030-90019-9_1,
        author={Renzheng Wei and Lijun Cai and Lixin Zhao and Aimin Yu and Dan Meng},
        title={DeepHunter: A Graph Neural Network Based Approach for Robust Cyber Threat Hunting},
        proceedings={Security and Privacy in Communication Networks. 17th EAI International Conference, SecureComm 2021, Virtual Event, September 6--9, 2021, Proceedings, Part I},
        proceedings_a={SECURECOMM},
        year={2021},
        month={11},
        keywords={Cyber threat hunting Robustness Provenance analysis Graph neural network Graph pattern matching},
        doi={10.1007/978-3-030-90019-9_1}
    }
    
  • Renzheng Wei
    Lijun Cai
    Lixin Zhao
    Aimin Yu
    Dan Meng
    Year: 2021
    DeepHunter: A Graph Neural Network Based Approach for Robust Cyber Threat Hunting
    SECURECOMM
    Springer
    DOI: 10.1007/978-3-030-90019-9_1
Renzheng Wei1, Lijun Cai1, Lixin Zhao1, Aimin Yu1, Dan Meng1
  • 1: Chinese Academy of Sciences

Abstract

Cyber Threat hunting is a proactive search for known attack behaviors in the organizational information system. It is an important component to mitigate advanced persistent threats (APTs). However, the attack behaviors recorded in provenance data may not be completely consistent with the known attack behaviors. In this paper, we propose DeepHunter, a graph neural network (GNN) based graph pattern matching approach that can match provenance data against known attack behaviors in a robust way. Specifically, we design a graph neural network architecture with two novel networks: that could incorporate Indicators of Compromise (IOCs) information, and that could capture the relationships between IOCs. To evaluate DeepHunter, we choose five real and synthetic APT attack scenarios. Results show that DeepHunter can hunt all attack behaviors, and the accuracy and robustness of DeepHunter outperform the state-of-the-art method, Poirot.