Publication Date: 5/4/2019
Event: SIAM International Conference on Data Mining (SDM 2019)
Reference: pp. 693-701, 2019
Authors: Shen Wang, NEC Laboratories America, Inc.; University of Illinois at Chicago; Zhengzhang Chen, NEC Laboratories America, Inc.; Ding Li, NEC Laboratories America, Inc.; Lu-An Tang, NEC Laboratories America, Inc.; Jingchao Ni, NEC Laboratories America, Inc.; Zhichun Li, NEC Laboratories America, Inc.; Junghwan Rhee, NEC Laboratories America, Inc.; Haifeng Chen, NEC Laboratories America, Inc.; Phillip S. Yu, University of Illinois at Chicago
Abstract: Program or process is an integral part of almost every IT/OT system. Can we trust the identity/ID (e.g., executable name) of the program? To avoid detection, malware may disguise itself using the ID of a legitimate program, and a system tool (e.g., PowerShell) used by the attackers may have the fake ID of another common software, which is less sensitive. However, existing intrusion detection techniques often overlook this critical program reidentification problem (i.e., checking the program’s identity). In this paper, we propose an attentional heterogeneous graph neural network model (DeepHGNN) to verify the program’s identity based on its system behaviors. The key idea is to leverage the representation learning of the heterogeneous program behavior graph to guide the reidentification process. We formulate the program reidentification as a graph classification problem and develop an effective attentional heterogeneous graph embedding algorithm to solve it. Extensive experiments using real-world enterprise monitoring data and real attacks demonstrate the effectiveness of DeepHGNN across multiple popular metrics and the robustness to the normal dynamic changes like program version upgrades.
Publication Link: https://epubs.siam.org/doi/10.1137/1.9781611975673.78