CONTINUUM: Detecting APT Attacks through Spatial-Temporal Graph Neural Networks
Atmane Ayoub Mansour Bahar, Kamel Soaid Ferrahi, Mohamed-Lamine Messai, Hamida Seba, Karima Amrouche
TL;DR
This work tackles the challenge of detecting Advanced Persistent Threats (APTs) by leveraging a Spatial-Temporal Graph Neural Network Autoencoder operating on provenance graphs. CONTINUUM integrates spatial attention over graph neighborhoods with temporal memory to capture multi-stage attack evolution, trained exclusively on benign data to enable robust anomaly detection. To address privacy and scalability, it is deployed in a federated learning setting with Multi-key Homomorphic Encryption, preventing leakage of model weights during collaboration. Extensive experiments across diverse provenance datasets demonstrate competitive detection performance and significant improvements in efficiency, highlighting the practicality of spatio-temporal graph analysis and encrypted FL for defending against sophisticated APT campaigns.
Abstract
Advanced Persistent Threats (APTs) represent a significant challenge in cybersecurity due to their sophisticated and stealthy nature. Traditional Intrusion Detection Systems (IDS) often fall short in detecting these multi-stage attacks. Recently, Graph Neural Networks (GNNs) have been employed to enhance IDS capabilities by analyzing the complex relationships within networked data. However, existing GNN-based solutions are hampered by high false positive rates and substantial resource consumption. In this paper, we present a novel IDS designed to detect APTs using a Spatio-Temporal Graph Neural Network Autoencoder. Our approach leverages spatial information to understand the interactions between entities within a graph and temporal information to capture the evolution of the graph over time. This dual perspective is crucial for identifying the sequential stages of APTs. Furthermore, to address privacy and scalability concerns, we deploy our architecture in a federated learning environment. This setup ensures that local data remains on-premises while encrypted model weights are shared and aggregated using homomorphic encryption, so that neither the raw provenance data nor any single participant's weights are exposed to the aggregator. Our evaluation shows that this system effectively detects APTs with lower false positive rates and optimized resource usage compared to existing methods, highlighting the potential of spatio-temporal analysis and federated learning in enhancing cybersecurity defenses.
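The following is an added illustration of the federated aggregation step described above; it is not code from the CONTINUUM authors. The paper aggregates weights under Multi-key Homomorphic Encryption, where each participant holds its own key; to keep the example self-contained in the Python standard library, it substitutes a single-key additively homomorphic scheme (Paillier) with one trusted key holder, which preserves the property that matters here: the aggregator sums encrypted weight vectors without ever being able to decrypt an individual client's update. Weights are fixed-point encoded (scale factor, prime sizes, client values and function names are all assumptions chosen for the demonstration; the primes are far too small for real use).

```python
import random
from math import gcd

# Demonstration-only primes. Real Paillier deployments use primes of 1024 bits or more.
P, Q = 1000000007, 998244353
SCALE = 1 << 16  # fixed-point scale for encoding float weights as integers


def _l_func(x, n):
    # The Paillier L function: L(x) = (x - 1) / n, exact for x = 1 mod n.
    return (x - 1) // n


def keygen(p=P, q=Q):
    """Return (public_key, private_key) for Paillier with g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    g = n + 1
    mu = pow(_l_func(pow(g, lam, n * n), n), -1, n)
    return (n, g), (lam, mu)


def encrypt(pub, m):
    """Encrypt integer m (taken mod n, so negatives map to n - |m|)."""
    n, g = pub
    n2 = n * n
    while True:
        r = random.randrange(1, n)
        if gcd(r, n) == 1:
            break
    return (pow(g, m % n, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    n, _ = pub
    lam, mu = priv
    return (_l_func(pow(c, lam, n * n), n) * mu) % n


def add(pub, c1, c2):
    """Homomorphic addition: the product of ciphertexts encrypts the sum of plaintexts."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def encrypt_weights(pub, weights):
    """Client side: fixed-point encode each weight and encrypt it."""
    return [encrypt(pub, round(w * SCALE)) for w in weights]


def aggregate_encrypted(pub, encrypted_updates):
    """Aggregator side: element-wise homomorphic sum over all clients.
    Only ciphertexts are handled here; no private key is needed or present."""
    total = list(encrypted_updates[0])
    for update in encrypted_updates[1:]:
        total = [add(pub, a, b) for a, b in zip(total, update)]
    return total


def decrypt_average(pub, priv, encrypted_sum, num_clients):
    """Key holder side: decrypt the summed vector and recover the float average."""
    n, _ = pub
    out = []
    for c in encrypted_sum:
        m = decrypt(pub, priv, c)
        if m > n // 2:  # map back from mod-n representation to a signed integer
            m -= n
        out.append(m / (num_clients * SCALE))
    return out


def demo():
    # Constructed sample: three clients, each with a tiny three-parameter update.
    clients = [[0.5, -0.25, 1.0], [0.1, -0.75, 0.0], [-0.3, 0.5, 0.2]]
    pub, priv = keygen()
    updates = [encrypt_weights(pub, w) for w in clients]   # leaves each client
    enc_sum = aggregate_encrypted(pub, updates)             # computed by aggregator
    avg = decrypt_average(pub, priv, enc_sum, len(clients))  # computed by key holder
    plain_avg = [sum(col) / len(clients) for col in zip(*clients)]
    return avg, plain_avg


if __name__ == "__main__":
    print(demo())
```

The aggregator in `aggregate_encrypted` only ever multiplies ciphertexts, so a compromised aggregator learns nothing about any one client's update. In the multi-key setting the paper uses, the final decryption additionally requires every participant's key share, removing the trusted key holder this simplification relies on.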
