Multi-view adversarial attack defending method for host intrusion detection
Host-based intrusion detection (HID) aims to identify attack behaviors through the analysis of host logs. In recent years, to address increasingly sophisticated host attacks, provenance graphs were leveraged to parse kernel audit logs, and graph neural network (GNN) were employed to train detection...
Saved in:
| Main Authors: | , , , , |
|---|---|
| Format: | Article |
| Language: | zho |
| Published: |
Editorial Department of Journal on Communications
2025-01-01
|
| Series: | Tongxin xuebao |
| Subjects: | |
| Online Access: | http://www.joconline.com.cn/zh/article/doi/10.11959/j.issn.1000-436x.2025140/ |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| _version_ | 1849227140023713792 |
|---|---|
| author | WANG Fei QIAN Kehan LYU Mingqi ZHU Tiantian CHEN Honglong |
| author_facet | WANG Fei QIAN Kehan LYU Mingqi ZHU Tiantian CHEN Honglong |
| author_sort | WANG Fei |
| collection | DOAJ |
| description | Host-based intrusion detection (HID) aims to identify attack behaviors through the analysis of host logs. In recent years, to address increasingly sophisticated host attacks, provenance graphs were leveraged to parse kernel audit logs, and graph neural network (GNN) were employed to train detection models, significantly enhancing detection performance. However, the inherent limitations of GNNs render these models vulnerable to adversarial evasion attacks. To mitigate this vulnerability, a multi-view adversarial attack defense method for host-based intrusion detection was proposed. The fundamental principle of this method was predicated upon three tenets. Firstly, structural and behavioural views were constructed through the fusion of multi-dimensional features, thereby circumventing the limitations imposed by a single perspective. Secondly, the transferability of adversarial samples between models was quantified, with complementary pairs of models exhibiting minimal migration subsequently being filtered. Thirdly, a hierarchical voting mechanism was conceptualized to integrate the decision outcomes of heterogeneous models, enhancing the system's robustness. The efficacy of the proposed method was evaluated using authentic host kernel log datasets. The experimental results demonstrate that the method exhibits superior performance compared to existing adversarial attack defense methods. Specifically, a malicious node recall rate exceeding 80% is achieved under typical adversarial attacks, representing a 23% increase over existing single-model defense methods. Additionally, the false alarm rate is maintained below 10%, substantiating the efficacy of the migration analysis-based fusion strategy for robustness enhancement |
| format | Article |
| id | doaj-art-3cb50e517bba4f58aaf32c7ca06442f7 |
| institution | Kabale University |
| issn | 1000-436X |
| language | zho |
| publishDate | 2025-01-01 |
| publisher | Editorial Department of Journal on Communications |
| record_format | Article |
| series | Tongxin xuebao |
| spelling | doaj-art-3cb50e517bba4f58aaf32c7ca06442f72025-08-23T19:00:10ZzhoEditorial Department of Journal on CommunicationsTongxin xuebao1000-436X2025-01-01113123345491Multi-view adversarial attack defending method for host intrusion detectionWANG FeiQIAN KehanLYU MingqiZHU TiantianCHEN HonglongHost-based intrusion detection (HID) aims to identify attack behaviors through the analysis of host logs. In recent years, to address increasingly sophisticated host attacks, provenance graphs were leveraged to parse kernel audit logs, and graph neural network (GNN) were employed to train detection models, significantly enhancing detection performance. However, the inherent limitations of GNNs render these models vulnerable to adversarial evasion attacks. To mitigate this vulnerability, a multi-view adversarial attack defense method for host-based intrusion detection was proposed. The fundamental principle of this method was predicated upon three tenets. Firstly, structural and behavioural views were constructed through the fusion of multi-dimensional features, thereby circumventing the limitations imposed by a single perspective. Secondly, the transferability of adversarial samples between models was quantified, with complementary pairs of models exhibiting minimal migration subsequently being filtered. Thirdly, a hierarchical voting mechanism was conceptualized to integrate the decision outcomes of heterogeneous models, enhancing the system's robustness. The efficacy of the proposed method was evaluated using authentic host kernel log datasets. The experimental results demonstrate that the method exhibits superior performance compared to existing adversarial attack defense methods. Specifically, a malicious node recall rate exceeding 80% is achieved under typical adversarial attacks, representing a 23% increase over existing single-model defense methods. Additionally, the false alarm rate is maintained below 10%, substantiating the efficacy of the migration analysis-based fusion strategy for robustness enhancementhttp://www.joconline.com.cn/zh/article/doi/10.11959/j.issn.1000-436x.2025140/adversarial attackhost intrusion detectionprovenance graphmulti-model ensemble |
| spellingShingle | WANG Fei QIAN Kehan LYU Mingqi ZHU Tiantian CHEN Honglong Multi-view adversarial attack defending method for host intrusion detection Tongxin xuebao adversarial attack host intrusion detection provenance graph multi-model ensemble |
| title | Multi-view adversarial attack defending method for host intrusion detection |
| title_full | Multi-view adversarial attack defending method for host intrusion detection |
| title_fullStr | Multi-view adversarial attack defending method for host intrusion detection |
| title_full_unstemmed | Multi-view adversarial attack defending method for host intrusion detection |
| title_short | Multi-view adversarial attack defending method for host intrusion detection |
| title_sort | multi view adversarial attack defending method for host intrusion detection |
| topic | adversarial attack host intrusion detection provenance graph multi-model ensemble |
| url | http://www.joconline.com.cn/zh/article/doi/10.11959/j.issn.1000-436x.2025140/ |
| work_keys_str_mv | AT wangfei multiviewadversarialattackdefendingmethodforhostintrusiondetection AT qiankehan multiviewadversarialattackdefendingmethodforhostintrusiondetection AT lyumingqi multiviewadversarialattackdefendingmethodforhostintrusiondetection AT zhutiantian multiviewadversarialattackdefendingmethodforhostintrusiondetection AT chenhonglong multiviewadversarialattackdefendingmethodforhostintrusiondetection |