Sylph: An Unsupervised APT Detection System Based on the Provenance Graph


Bibliographic Details
Main Authors: Kaida Jiang, Zihan Gao, Siyu Zhang, Futai Zou
Format: Article
Language: English
Published: MDPI AG 2025-07-01
Series: Information
Online Access: https://www.mdpi.com/2078-2489/16/7/566
Description
Summary: Traditional detection methods and security defenses are increasingly insufficient to cope with evolving attack techniques and strategies, and they suffer from coarse detection granularity and high memory overhead. We therefore propose Sylph, a lightweight unsupervised APT detection method based on a provenance graph, which not only detects APT attacks but also localizes them at a fine, event-level granularity and feeds possible attacks back to system detectors to reduce their localization burden. Sylph provides a whole-process architecture from provenance graph collection to anomaly detection. Starting from the system audit logs, the provenance graph they are transformed into is divided into subgraphs based on time slices, which reduces memory occupation and improves detection efficiency at the same time. On the basis of the resulting sequence of subgraphs, whole-graph embedding of each subgraph is carried out with Graph2Vec to obtain its feature vector, and anomaly detection based on unsupervised learning is carried out with an autoencoder, which is capable of detecting new types of attacks that have not yet appeared. In the experimental evaluation, Sylph can realize APT attack detection with higher accuracy and achieve an accuracy rate.
ISSN: 2078-2489