Research Article
DeepHunter: A Graph Neural Network Based Approach for Robust Cyber Threat Hunting
@INPROCEEDINGS{10.1007/978-3-030-90019-9_1,
  author={Renzheng Wei and Lijun Cai and Lixin Zhao and Aimin Yu and Dan Meng},
  title={DeepHunter: A Graph Neural Network Based Approach for Robust Cyber Threat Hunting},
  proceedings={Security and Privacy in Communication Networks. 17th EAI International Conference, SecureComm 2021, Virtual Event, September 6--9, 2021, Proceedings, Part I},
  proceedings_a={SECURECOMM},
  year={2021},
  month={11},
  keywords={Cyber threat hunting; Robustness; Provenance analysis; Graph neural network; Graph pattern matching},
  doi={10.1007/978-3-030-90019-9_1}
}
Authors: Renzheng Wei, Lijun Cai, Lixin Zhao, Aimin Yu, Dan Meng
Year: 2021
DeepHunter: A Graph Neural Network Based Approach for Robust Cyber Threat Hunting
SECURECOMM
Springer
DOI: 10.1007/978-3-030-90019-9_1
Abstract
Cyber threat hunting is a proactive search for known attack behaviors in an organization's information system and an important component in mitigating advanced persistent threats (APTs). However, the attack behaviors recorded in provenance data may not be completely consistent with the known attack behaviors. In this paper, we propose DeepHunter, a graph neural network (GNN) based graph pattern matching approach that can match provenance data against known attack behaviors in a robust way. Specifically, we design a graph neural network architecture with two novel networks: one that incorporates Indicators of Compromise (IOC) information, and one that captures the relationships between IOCs. To evaluate DeepHunter, we choose five real and synthetic APT attack scenarios. Results show that DeepHunter can hunt all attack behaviors, and that the accuracy and robustness of DeepHunter outperform the state-of-the-art method, Poirot.