Attentional Heterogeneous Graph Neural Network: Application to Program Reidentification
This addresses a critical security issue for IT/OT systems by detecting disguised malware, though it is an incremental improvement using graph neural networks on a specific domain.
The paper tackles the program reidentification problem in IT/OT systems, where malware disguises itself using legitimate program IDs, by proposing DeepHGNN, an attentional heterogeneous graph neural network model that verifies program identity based on system behaviors, achieving effectiveness across multiple metrics and robustness to dynamic changes like version upgrades.
Program or process is an integral part of almost every IT/OT system. Can we trust the identity/ID (e.g., executable name) of the program? To avoid detection, malware may disguise itself using the ID of a legitimate program, and a system tool (e.g., PowerShell) used by the attackers may have the fake ID of another common software, which is less sensitive. However, existing intrusion detection techniques often overlook this critical program reidentification problem (i.e., checking the program's identity). In this paper, we propose an attentional heterogeneous graph neural network model (DeepHGNN) to verify the program's identity based on its system behaviors. The key idea is to leverage the representation learning of the heterogeneous program behavior graph to guide the reidentification process. We formulate the program reidentification as a graph classification problem and develop an effective attentional heterogeneous graph embedding algorithm to solve it. Extensive experiments --- using real-world enterprise monitoring data and real attacks --- demonstrate the effectiveness of DeepHGNN across multiple popular metrics and the robustness to the normal dynamic changes like program version upgrades.