CRAILG · Apr 6, 2023

TBDetector: Transformer-Based Detector for Advanced Persistent Threats with Provenance Graph

arXiv:2304.02838v2 · 9 citations · h-index: 73
Originality: Incremental advance
AI Analysis

The paper addresses the challenge of detecting covert, slow-acting APT attacks, though the contribution appears incremental because it builds on existing transformer and provenance-graph techniques.

The authors tackle Advanced Persistent Threat (APT) detection by proposing TBDetector, a transformer-based method that analyses long-term system states derived from provenance graphs; it outperformed state-of-the-art methods on five public datasets.

APT attacks are difficult to detect due to the long-term latency and the covert, slow, multistage attack patterns of Advanced Persistent Threats (APTs). To tackle these issues, we propose TBDetector, a transformer-based advanced persistent threat detection method for APT attack detection. Considering that provenance graphs provide rich historical information and have a powerful ability to correlate historical attacks in order to identify anomalous activities, TBDetector employs provenance analysis for APT detection, which summarizes long-running system execution with space efficiency and utilizes a transformer with a self-attention-based encoder-decoder to extract long-term contextual features of system states to detect slow-acting attacks. Furthermore, we introduce anomaly scores to investigate the anomaly of different system states, where each state is assigned an anomaly score corresponding to its similarity score and isolation score. To evaluate the effectiveness of the proposed method, we have conducted experiments on five public datasets, i.e., streamspot, cadets, shellshock, clearscope, and wget_baseline. Experimental results and comparisons with state-of-the-art methods have exhibited better performance of our proposed method.
