RPG-AE: Neuro-Symbolic Graph Autoencoders with Rare Pattern Mining for Provenance-Based Anomaly Detection
Asif Tauhid, Sidahmed Benabderrahmane, Mohamad Altrabulsi, Ahamed Foisal, Talal Rahwan
TL;DR
RPG-AE tackles provenance-based anomaly detection for Advanced Persistent Threats by fusing a Graph Autoencoder with rare-pattern mining. It constructs a process-level k-NN graph to learn normal relational structure and uses an Apriori-based module to identify rare co-occurrence patterns, boosting GAE scores with a degree-based rarity signal. Empirical results on DARPA Transparent Computing data show consistent improvements in anomaly ranking over baselines, achieving competitive performance with ensemble methods while offering interpretability through mined rare patterns. The framework demonstrates the value of combining graph representation learning with symbolic pattern mining to enhance effectiveness and interpretability in provenance-based security analytics.
Abstract
Advanced Persistent Threats (APTs) are sophisticated, long-term cyberattacks that are difficult to detect because they operate stealthily and often blend into normal system behavior. This paper presents a neuro-symbolic anomaly detection framework that combines a Graph Autoencoder (GAE) with rare pattern mining to identify APT-like activities in system-level provenance data. Our approach first constructs a process behavioral graph using k-Nearest Neighbors based on feature similarity, then learns normal relational structure using a Graph Autoencoder. Anomaly candidates are identified through deviations between observed and reconstructed graph structure. To further improve detection, we integrate an rare pattern mining module that discovers infrequent behavioral co-occurrences and uses them to boost anomaly scores for processes exhibiting rare signatures. We evaluate the proposed method on the DARPA Transparent Computing datasets and show that rare-pattern boosting yields substantial gains in anomaly ranking quality over the baseline GAE. Compared with existing unsupervised approaches on the same benchmark, our single unified model consistently outperforms individual context-based detectors and achieves performance competitive with ensemble aggregation methods that require multiple separate detectors. These results highlight the value of coupling graph-based representation learning with classical pattern mining to improve both effectiveness and interpretability in provenance-based security anomaly detection.
