With the continuous development of the Internet, computer equipment has gradually penetrated every aspect of people's lives. At the same time, cyber attacks on computer equipment are causing great harm to individuals, businesses and society. Therefore, it is very important to build a host intrusion detection system. Recently, host intrusion detection based on provenance graphs has gradually become the mainstream approach. By modeling the interactions between system entities (such as processes, files, etc.) on the host, it has made a lot of progress in intrusion detection, but it still suffers from low detection accuracy. This paper observes that the reason for the low detection rate is that existing research mostly detects anomalies on the provenance graph based on expert experience, which fails to capture the nonlinear and potentially hierarchical interactions between system entities on the provenance graph. For the two detection objectives of a host intrusion detection system, two new detection algorithms are designed to improve detection accuracy, and a host intrusion detection system is designed and implemented. The main contents of this paper are as follows:

(1) The first detection target of the host intrusion detection system is the malicious process. Through a close analysis of anomalous and normal processes, this paper proposes HetGraphAE, an anomalous process detection model based on a heterogeneous graph autoencoder. The model converts the anomalous process detection problem into an anomalous node detection problem, and combines a heterogeneous graph neural network with an autoencoder to achieve highly accurate anomalous process detection.

(2) In view of emerging advanced persistent threats, the second detection target of the host intrusion detection system is the anomalous provenance graph. Based on an analysis of host behavior, this paper proposes OC-DHetGNN, an anomalous provenance graph detection model based on a one-class heterogeneous graph neural network. The detection model transforms the anomalous provenance graph detection problem into an anomalous heterogeneous graph detection problem. Highly accurate anomalous provenance graph detection is achieved from the integrated global and local perspectives of heterogeneous graphs.

(3) A host intrusion detection system is designed and implemented. The core of the system is the two detection models proposed in this paper, which detect anomalous processes and anomalous provenance graphs. This paper carries out requirements analysis and system design (divided into outline design and detailed design), and finally uses black-box testing to verify the integrity of the system's functions.