Distributed Temporal Graph Learning with Provenance for APT Detection in Supply Chains

Zhuoran Tan, Christos Anagnostopoulos, Jeremy Singer

TL;DR

The paper tackles APT detection in cyber supply chains, focusing on supply chain vulnerabilities (SCVs) in settings where source code may be unavailable and runtime defense is needed. It proposes building dynamic provenance graphs from multi-source data and applying temporal graph learning to detect and reconstruct attack paths in real time. A dataset framework is introduced by replaying real-world exploits across OSS ecosystems and cloud environments, with the UTLParser converting heterogeneous logs into graphs. The approach aims to deliver scalable, real-time detection with continual learning (via EWC) and distributed training, addressing practical deployment challenges in large-scale supply chains.

Abstract

The cyber supply chain, encompassing digital assets, software and hardware, has become an essential component of modern Information and Communications Technology (ICT) provisioning. However, the growing inter-dependencies have introduced numerous attack vectors, making supply chains a prime target for exploitation. In particular, advanced persistent threats (APTs) frequently leverage supply chain vulnerabilities (SCVs) as entry points, benefiting from their inherent stealth. Current defense strategies primarily focus on prevention through blockchain for integrity assurance or detection using plain-text source code analysis in open-source software (OSS). However, these approaches overlook scenarios where source code is unavailable and fail to address detection and defense during runtime. To bridge this gap, we propose a novel approach that integrates multi-source data, constructs a comprehensive dynamic provenance graph, and detects APT behavior in real time using temporal graph learning. Given the lack of tailored datasets in both industry and academia, we also aim to simulate a custom dataset by replaying real-world supply chain exploits with multi-source monitoring.
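As an added illustration of the pipeline the TL;DR and abstract describe (heterogeneous logs from several sources parsed into one time-stamped provenance graph, then an attack path reconstructed backwards from an alert), the Python below is an example written for this page. It is not the paper's UTLParser or model code: the two log formats, the process IDs, the package name, the paths and the address are all constructed, and the temporally consistent backward traversal it uses is a generic provenance-analysis technique rather than the paper's temporal graph learning method.

```python
"""Constructed example: two heterogeneous log sources (a package-manager
log and process/network audit records) are parsed into a time-stamped
provenance graph, and an attack path is reconstructed by walking backwards
from an alert while respecting event ordering. Every log line, identifier
and address below is invented for illustration."""
import re
from collections import defaultdict

# Constructed sample logs (hypothetical formats, not any real tool's output).
PKG_LOG = [
    "2024-05-01T10:00:01Z npm install left-pad-ish@1.2.3 -> /app/node_modules/left-pad-ish",
    "2024-05-01T10:00:02Z npm run-script postinstall pid=4101 pkg=left-pad-ish@1.2.3",
]
AUDIT_LOG = [
    "2024-05-01T09:59:00Z audit type=EXEC pid=4200 ppid=1 exe=/usr/bin/cron",   # unrelated
    "2024-05-01T10:00:03Z audit type=EXEC pid=4101 ppid=4100 exe=/bin/sh",
    "2024-05-01T10:00:04Z audit type=EXEC pid=4102 ppid=4101 exe=/usr/bin/curl",
    "2024-05-01T10:00:05Z audit type=CONNECT pid=4102 dst=203.0.113.7:443",
    "2024-05-01T10:00:06Z audit type=WRITE pid=4102 path=/tmp/.x",
    "2024-05-01T10:00:07Z audit type=EXEC pid=4103 ppid=4102 exe=/tmp/.x",
    "2024-05-01T10:00:09Z audit type=WRITE pid=4300 path=/tmp/.x",   # later, unrelated writer
]

Edge = tuple[str, str, str, str]   # (src, dst, relation, iso_timestamp)


def parse_pkg_line(line: str) -> list[Edge]:
    """Package-manager log -> edges. Install links the registry to the
    package; run-script links the package to the process that runs it."""
    ts, rest = line.split(" ", 1)
    m = re.match(r"npm install (\S+) -> (\S+)", rest)
    if m:
        return [("registry:npm", f"pkg:{m[1]}", "install", ts),
                (f"pkg:{m[1]}", f"file:{m[2]}", "unpack", ts)]
    m = re.match(r"npm run-script (\S+) pid=(\d+) pkg=(\S+)", rest)
    if m:
        return [(f"pkg:{m[3]}", f"proc:{m[2]}", f"script:{m[1]}", ts)]
    return []


def parse_audit_line(line: str) -> list[Edge]:
    """Audit log (key=value fields) -> edges in information-flow direction."""
    ts, rest = line.split(" ", 1)
    kv = dict(f.split("=", 1) for f in rest.split()[1:])   # skip the "audit" tag
    t = kv.get("type")
    if t == "EXEC":
        return [(f"proc:{kv['ppid']}", f"proc:{kv['pid']}", "fork_exec", ts),
                (f"file:{kv['exe']}", f"proc:{kv['pid']}", "image", ts)]
    if t == "CONNECT":
        return [(f"proc:{kv['pid']}", f"host:{kv['dst']}", "connect", ts)]
    if t == "WRITE":
        return [(f"proc:{kv['pid']}", f"file:{kv['path']}", "write", ts)]
    return []


class ProvenanceGraph:
    def __init__(self) -> None:
        self.in_edges: dict[str, list[tuple[str, str, str]]] = defaultdict(list)

    def add(self, src: str, dst: str, rel: str, ts: str) -> None:
        self.in_edges[dst].append((src, rel, ts))

    def backward_trace(self, alert_node: str, alert_ts: str, temporal: bool = True) -> list[Edge]:
        """Collect every edge that can have contributed to alert_node.
        With temporal=True an edge into node n counts only if it happened no
        later than the time at which n was reached, so events that merely
        touch the same entity afterwards are excluded."""
        found: list[Edge] = []
        seen: set[Edge] = set()
        stack = [(alert_node, alert_ts)]
        while stack:
            node, t = stack.pop()
            for src, rel, ts in self.in_edges.get(node, []):
                edge = (src, node, rel, ts)
                if (not temporal or ts <= t) and edge not in seen:   # ISO-8601 UTC strings sort lexically
                    seen.add(edge)
                    found.append(edge)
                    stack.append((src, ts))
        return sorted(found, key=lambda e: (e[3], e[0]))


def build_graph(pkg_lines: list[str], audit_lines: list[str]) -> ProvenanceGraph:
    g = ProvenanceGraph()
    for line in pkg_lines:
        for e in parse_pkg_line(line):
            g.add(*e)
    for line in audit_lines:
        for e in parse_audit_line(line):
            g.add(*e)
    return g


def reconstruct_attack_path(alert_node: str = "proc:4103",
                            alert_ts: str = "2024-05-01T10:00:07Z",
                            temporal: bool = True) -> list[Edge]:
    """Alert: a process executed from /tmp. Walk back to the package install."""
    return build_graph(PKG_LOG, AUDIT_LOG).backward_trace(alert_node, alert_ts, temporal)


if __name__ == "__main__":
    for src, dst, rel, ts in reconstruct_attack_path():
        print(f"{ts}  {src:28} -[{rel}]-> {dst}")
```

Running it prints the chain from the registry install through the postinstall script, the shell, the downloader and the dropped file to the alerted process. The `temporal=False` variant pulls in `proc:4300`, which wrote to `/tmp/.x` only after the alert and cannot have caused it; that is the kind of spurious dependency a time-ordered traversal over a dynamic graph avoids. The `connect` edge does not appear in the backward trace because it is an effect of the chain, not a cause; a forward trace from the same nodes would recover it as impact.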

Paper Structure

This paper contains 7 sections, 1 figure.

Figures (1)

  • Figure 1: Detection Framework for APTs exploiting Supply Chain Vulnerabilities