IEEE Access (Jan 2024)
FPGAA: A Multi-Feature Provenance Graph for the Accurate Alert System
Abstract
Detection and attack tracing over massive volumes of log data has long been a focal point of Advanced Persistent Threat (APT) research. Causality analysis maps attack behaviors onto a provenance graph, reconstructs attack paths, and reduces graph scale, but the rule-based detectors that feed it often raise many false alarms. To address this problem, this paper proposes FPGAA, a multi-feature provenance graph for an Accurate Alert System. It constructs trace graphs by selecting feature graphs according to the attack type, which markedly improves the compression ratio of the trace graph, and it uses a graph neural network to filter out the spurious attack paths that false alarms generate. We evaluated the system on widely used datasets, the DARPA TC dataset and the ATLAS dataset, together with a self-constructed dataset, for breadth and reliability. The results show that FPGAA substantially improves trace-graph optimization over comparable systems, reducing provenance graph size by more than 300 times, and that it overcomes the interference caused by false alarms, filtering out approximately 94% of them. In summary, the system accurately identifies a variety of attack paths, speeds up incident investigation with concise contextual alerts, and raises identification accuracy by incorporating additional features.
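The causality analysis the abstract refers to starts from an alert and follows information flow backwards through the provenance graph, keeping only the events that could have influenced the alerted object. The following is an added illustration, not code from the FPGAA paper or any of its datasets: it builds a provenance graph from a small, constructed audit log (process exec, file write, file read) and performs a time-bounded backward trace from a hypothetical alert on a cron file, reporting how much of the graph the trace discards. The event format, node names and the hypothetical alert are assumptions made for the example.

```python
from collections import defaultdict

# Constructed audit events for the example: (timestamp, subject, operation, object).
# The attack chain is bash -> curl -> /tmp/payload.sh -> sh -> /etc/cron.d/job;
# the sshd, firefox and cron events are unrelated background activity.
EVENTS = [
    (1, "bash", "exec", "curl"),
    (2, "curl", "write", "/tmp/payload.sh"),
    (3, "bash", "exec", "sh"),
    (4, "sh", "read", "/tmp/payload.sh"),
    (5, "sh", "write", "/etc/cron.d/job"),
    (6, "sshd", "exec", "bash2"),
    (7, "bash2", "read", "/etc/passwd"),
    (8, "firefox", "write", "/home/u/Downloads/a.pdf"),
    (9, "cron", "read", "/etc/cron.d/job"),
]


def flow_edges(events):
    """Turn audit events into directed information-flow edges (src, dst, t).

    exec/write: the subject influences the object (parent -> child, process -> file).
    read: the object influences the subject (file -> process).
    """
    edges = []
    for t, subject, op, obj in events:
        if op == "read":
            edges.append((obj, subject, t))
        else:
            edges.append((subject, obj, t))
    return edges


def backward_trace(events, alert_node, alert_time):
    """Return the flow edges that can causally precede the alerted node.

    An edge into a node is kept only if it happened no later than the time at
    which that node was reached; this is the usual time-bounded dependency
    rule and is what keeps the unrelated cron read at t=9 out of the trace.
    """
    incoming = defaultdict(list)
    for src, dst, t in flow_edges(events):
        incoming[dst].append((src, t))

    kept = set()
    explored = {}  # node -> largest time bound already explored for it
    stack = [(alert_node, alert_time)]
    while stack:
        node, limit = stack.pop()
        if explored.get(node, -1) >= limit:
            continue  # already explored this node with an equal or looser bound
        explored[node] = limit
        for src, t in incoming[node]:
            if t <= limit:
                kept.add((src, node, t))
                stack.append((src, t))
    return kept


def trace_summary(events, alert_node, alert_time):
    """Compare the full graph with the backward-traced subgraph."""
    all_edges = flow_edges(events)
    all_nodes = {n for s, d, _ in all_edges for n in (s, d)}
    kept = backward_trace(events, alert_node, alert_time)
    kept_nodes = {n for s, d, _ in kept for n in (s, d)}
    return {
        "total_nodes": len(all_nodes),
        "kept_nodes": len(kept_nodes),
        "total_edges": len(all_edges),
        "kept_edges": len(kept),
        "nodes": kept_nodes,
    }


if __name__ == "__main__":
    # Hypothetical alert: a write to a cron job file at t=5.
    summary = trace_summary(EVENTS, "/etc/cron.d/job", 5)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The trace keeps the five nodes on the download-and-persist chain and drops the six background nodes; real systems apply the same idea to millions of events, which is why the compression ratio matters as much as the trace itself.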
Keywords