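@comment{Reference for threat-hunting / APT-detection work: ProvG-Searcher (CCS 2023)
  casts the search for a known attack behaviour inside a provenance graph as subgraph
  matching and uses order embeddings so that most of the cost is paid offline, with a
  lightweight comparison at query time. Cleaned from what looks like an automatic
  repository export: author names normalised to "Last, First" form, the product name in
  the title brace-protected against style recasing, the two literal percent signs in the
  abstract escaped so the field is safe to print, and the "series" field dropped because
  it repeated "booktitle" verbatim (many styles would print the proceedings title twice).
  The hash-like citation key is deliberately left unchanged so existing cite commands
  keep resolving; "day" and "language" are kept as exported and are ignored by classic
  BibTeX styles.}
@inproceedings{2248c670f91f48208dcc73f3103ff06b,
  author    = {Altinisik, Enes and Deniz, Fatih and Sencar, H{\"u}srev Taha},
  title     = {{ProvG-Searcher}: A Graph Representation Learning Approach for Efficient Provenance Graph Search},
  booktitle = {{CCS} 2023 - Proceedings of the 2023 {ACM SIGSAC} Conference on Computer and Communications Security},
  publisher = {Association for Computing Machinery, Inc},
  year      = {2023},
  month     = nov,
  day       = {15},
  pages     = {2247--2261},
  doi       = {10.1145/3576915.3623187},
  language  = {English},
  keywords  = {APT behaviors, graph entailment, graph neural networks, graph reduction, order embeddings, provenance graph, security logs, subgraph matching, threat hunting},
  abstract  = {We present ProvG-Searcher, a novel approach for detecting known APT behaviors within system security logs. Our approach leverages provenance graphs, a comprehensive graph representation of event logs, to capture and depict data provenance relations by mapping system entities as nodes and their interactions as edges. We formulate the task of searching provenance graphs as a subgraph matching problem and employ a graph representation learning method. The central component of our search methodology involves embedding of subgraphs in a vector space where subgraph relationships can be directly evaluated. We achieve this through the use of order embeddings that simplify subgraph matching to straightforward comparisons between a query and precomputed subgraph representations. To address challenges posed by the size and complexity of provenance graphs, we propose a graph partitioning scheme and a behavior-preserving graph reduction method. Overall, our technique offers significant computational efficiency, allowing most of the search computation to be performed offline while incorporating a lightweight comparison step during query execution. Experimental results on standard datasets demonstrate that ProvG-Searcher achieves superior performance, with an accuracy exceeding 99\% in detecting query behaviors and a false positive rate of approximately 0.02\%, outperforming other approaches.},
  note      = {Publisher Copyright: {\textcopyright} 2023 Copyright held by the owner/author(s). Publication rights licensed to ACM.; 30th ACM SIGSAC Conference on Computer and Communications Security, CCS 2023 ; Conference date: 26-11-2023 Through 30-11-2023},
}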