Provenance Graph-oriented Intrusion Detection System Based On Heterogeneous Graph Attention Network

Posted on: 2022-05-08
Degree: Master
Type: Thesis
Country: China
Candidate: S X Zhao
GTID: 2518306575972299
Subject: Computer technology

Abstract/Summary:
With the rapid development of computer networks, Internet security issues have become increasingly prominent. Intrusion detection is an important direction in the field of network security and an important means of dealing with various network security issues. When an intrusion occurs, provenance data can record the relationship between the intrusion process and the tampered file, which makes it suitable for intrusion detection. To address the insufficient accuracy and efficiency of existing provenance-based intrusion detection, this paper improves the heterogeneous graph attention network HAN and proposes a novel intrusion detection system, IDS-HGAT. The system is composed of a parallel IDS-HGAT provenance collection and preprocessing module, a Redis storage module and a parallel IDS-HGAT intrusion detection module. The parallel IDS-HGAT provenance collection and preprocessing module uses multiple provenance collection processes to collect provenance data, deletes irrelevant information according to the characteristics of the provenance data, and constructs the provenance graph into an object containing node features, edges and labels. The Redis storage module uses the Stream type to build a message queue that supports parallel storage and acquisition of provenance, and by storing the graph structure in a specific format it greatly reduces the number of reads and writes of the Redis database when accessing provenance. In the parallel IDS-HGAT intrusion detection module, first, using the provenance training set, I developed an IDS-HGAT model that utilizes a hierarchical attention mechanism. This model considers both the semantic information of the nodes in the provenance graph and the structural information of the provenance graph, which improves the accuracy of intrusion detection based on provenance. Then, multiple processes are started to read the provenance graph from Redis in parallel, and the model is used for intrusion detection, which improves the detection efficiency of intrusion detection based on provenance. Experimental results show that the detection accuracy of the IDS-HGAT intrusion detection system on each data set is close to 100%, and the false detection rate remains below 7.2%, which is overall better than the UNICORN intrusion detection system and the GAT intrusion detection system. In addition, the time overhead of IDS-HGAT is reduced by about 90.2-99.3% compared with UNICORN.
Keywords/Search Tags: Intrusion Detection, Provenance, Graph neural network, parallel