MAGIC: Detecting Advanced Persistent Threats via Masked Graph Representation Learning

Authors: 

Zian Jia and Yun Xiong, Shanghai Key Laboratory of Data Science, School of Computer Science, Fudan University, China; Yuhong Nan, School of Software Engineering, Sun Yat-sen University, China; Yao Zhang, Shanghai Key Laboratory of Data Science, School of Computer Science, Fudan University, China; Jinjing Zhao, National Key Laboratory of Science and Technology on Information System Security, China; Mi Wen, Shanghai University of Electric Power, China

Abstract: 

Advance Persistent Threats (APTs), adopted by most delicate attackers, are becoming increasing common and pose great threat to various enterprises and institutions. Data provenance analysis on provenance graphs has emerged as a common approach in APT detection. However, previous works have exhibited several shortcomings: (1) requiring attack-containing data and a priori knowledge of APTs, (2) failing in extracting the rich contextual information buried within provenance graphs and (3) becoming impracticable due to their prohibitive computation overhead and memory consumption.

In this paper, we introduce MAGIC, a novel and flexible self-supervised APT detection approach capable of performing multi-granularity detection under different level of supervision. MAGIC leverages masked graph representation learning to model benign system entities and behaviors, performing efficient deep feature extraction and structure abstraction on provenance graphs. By ferreting out anomalous system behaviors via outlier detection methods, MAGIC is able to perform both system entity level and batched log level APT detection. MAGIC is specially designed to handle concept drift with a model adaption mechanism and successfully applies to universal conditions and detection scenarios. We evaluate MAGIC on three widely-used datasets, including both real-world and simulated attacks. Evaluation results indicate that MAGIC achieves promising detection results in all scenarios and shows enormous advantage over state-of-the-art APT detection approaches in performance overhead.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {294545,
author = {Zian Jia and Yun Xiong and Yuhong Nan and Yao Zhang and Jinjing Zhao and Mi Wen},
title = {{MAGIC}: Detecting Advanced Persistent Threats via Masked Graph Representation Learning},
booktitle = {33rd USENIX Security Symposium (USENIX Security 24)},
year = {2024},
isbn = {978-1-939133-44-1},
address = {Philadelphia, PA},
pages = {5197--5214},
url = {https://www.usenix.org/conference/usenixsecurity24/presentation/jia-zian},
publisher = {USENIX Association},
month = aug
}