Sylph: An Unsupervised APT Detection System Based on the Provenance Graph
Saved in:
| Main Authors: | Kaida Jiang, Zihan Gao, Siyu Zhang, Futai Zou |
|---|---|
| Format: | Article |
| Language: | English |
| Published: | MDPI AG, 2025-07-01 |
| Series: | Information |
| Subjects: | APT detection; provenance graph; graph embedding |
| Online Access: | https://www.mdpi.com/2078-2489/16/7/566 |
| author | Kaida Jiang; Zihan Gao; Siyu Zhang; Futai Zou |
|---|---|
| affiliations | Kaida Jiang: Network and Information Center, Shanghai Jiao Tong University, Shanghai 200240, China; Zihan Gao: School of Computer Science, Shanghai Jiao Tong University, Shanghai 200240, China; Siyu Zhang: Network and Information Center, Shanghai Jiao Tong University, Shanghai 200240, China; Futai Zou: School of Computer Science, Shanghai Jiao Tong University, Shanghai 200240, China |
| collection | DOAJ |
| institution | Kabale University |
| description | Traditional detection methods and security defenses are increasingly insufficient to cope with evolving attack techniques and strategies, and they suffer from coarse detection granularity and high memory overhead. We therefore propose Sylph, a lightweight unsupervised APT detection method based on a provenance graph, which not only detects APT attacks but also localizes them at fine, event-level granularity and feeds the candidate attack events back to system detectors to reduce their localization burden. Sylph provides a whole-process architecture from provenance graph collection to anomaly detection. Starting from the system audit logs, the provenance graph built from them is divided into subgraphs based on time slices, which reduces memory occupation and improves detection efficiency at the same time. On the resulting sequence of subgraphs, each subgraph is embedded as a whole with Graph2Vec to obtain its feature vector, and anomaly detection is performed with an autoencoder trained in an unsupervised manner, which makes it possible to detect new types of attacks that have not yet appeared. In the experimental evaluation, Sylph detects APT attacks with higher accuracy and achieves an accuracy rate. |
| format | Article |
| id | doaj-art-952b4b68601548ceb51936d9f8ea60cc |
| issn | 2078-2489 |
| language | English |
| publishDate | 2025-07-01 |
| publisher | MDPI AG |
| series | Information |
| volume / issue / article | 16 / 7 / 566 |
| doi | 10.3390/info16070566 |
| title | Sylph: An Unsupervised APT Detection System Based on the Provenance Graph |
| topic | APT detection; provenance graph; graph embedding |
| url | https://www.mdpi.com/2078-2489/16/7/566 |
| record updated | 2025-08-20T03:36:18Z |
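The abstract describes Sylph's pipeline (audit logs to provenance graph, time-slice subgraphs, whole-graph embedding of each subgraph, unsupervised anomaly scoring, event-level localization) only in outline. The following is an added example written for this page, not code from the Sylph paper or its authors, that runs that pipeline end to end on constructed audit events with two deliberately simpler stand-ins: Weisfeiler-Lehman subtree counts replace the Graph2Vec embedding, and squared distance to the centroid of the benign slices replaces the autoencoder's reconstruction error. The event tuple format, the `proc:`/`file:`/`sock:` node-name prefixes, the 60 s slice width, the 2x threshold margin and the nginx-spawns-a-shell attack sequence are all assumptions made for the example.

```python
"""Time-sliced provenance-graph anomaly detection, standard library only.

Added example, not Sylph's code. Stand-ins: Weisfeiler-Lehman subtree counts
instead of Graph2Vec, centroid distance instead of an autoencoder. Event format,
node-name prefixes, slice width and threshold margin are assumptions.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

Event = Tuple[float, str, str, str]  # (timestamp_s, subject, action, object)


def node_type(node: str) -> str:
    """Assumed naming convention: nodes are prefixed proc:, file: or sock:."""
    return {"proc": "process", "file": "file", "sock": "socket"}[node.split(":", 1)[0]]


def slice_by_time(events: Iterable[Event], width_s: float) -> List[List[Event]]:
    """Split the audit stream into consecutive time-slice subgraphs (event lists)."""
    slots: Dict[int, List[Event]] = defaultdict(list)
    for ev in events:
        slots[int(ev[0] // width_s)].append(ev)
    return [slots[k] for k in sorted(slots)]


def wl_subtrees(events: List[Event], depth: int = 1) -> Tuple[Counter, Dict[str, str]]:
    """Whole-graph feature vector of one slice: counts of Weisfeiler-Lehman subtree
    labels up to `depth` hops, plus each node's final label (used for localization).
    Edges are deduplicated, so repeating an event does not change the vector."""
    edges = {(s, a, o) for _, s, a, o in events}
    nodes = {n for s, _, o in edges for n in (s, o)}
    labels = {n: node_type(n) for n in nodes}
    feats: Counter = Counter(f"h0:{lab}" for lab in labels.values())
    for it in range(1, depth + 1):
        ctx: Dict[str, List[str]] = defaultdict(list)
        for s, a, o in edges:
            ctx[s].append(f"{a}>{labels[o]}")  # edge as seen from the subject
            ctx[o].append(f"{a}<{labels[s]}")  # edge as seen from the object
        labels = {n: f"{labels[n]}|{','.join(sorted(ctx[n]))}" for n in nodes}
        feats.update(f"h{it}:{lab}" for lab in labels.values())
    return feats, labels


class CentroidDetector:
    """Trained on benign slices only. 'Reconstruction' is the centroid of the benign
    vectors; the anomaly score is the squared distance to it, so subgraph structure
    never seen during training scores high."""

    def __init__(self, depth: int = 1, margin: float = 2.0):
        self.depth, self.margin = depth, margin
        self.centroid: Dict[str, float] = {}
        self.threshold = 0.0

    def fit(self, benign_slices: List[List[Event]]) -> "CentroidDetector":
        vecs = [wl_subtrees(sl, self.depth)[0] for sl in benign_slices]
        keys = set().union(*vecs)
        self.centroid = {k: sum(v[k] for v in vecs) / len(vecs) for k in keys}
        self.threshold = self.margin * max(self.score(v) for v in vecs)  # assumed rule
        return self

    def score(self, feats: Counter) -> float:
        keys = set(feats) | set(self.centroid)
        return sum((feats.get(k, 0) - self.centroid.get(k, 0.0)) ** 2 for k in keys)

    def detect(self, events: Iterable[Event], width_s: float) -> List[Tuple[int, float, bool]]:
        """Return (slot, score, flagged) for every time slice of the stream."""
        out = []
        for sl in slice_by_time(events, width_s):
            s = self.score(wl_subtrees(sl, self.depth)[0])
            out.append((int(sl[0][0] // width_s), s, s > self.threshold))
        return out

    def localize(self, events: List[Event]) -> List[Tuple[int, Event]]:
        """Event-level localization inside a flagged slice: rank events by how many
        of their two endpoints carry a WL label never seen in benign training."""
        _, labels = wl_subtrees(events, self.depth)

        def unseen(node: str) -> bool:
            return self.centroid.get(f"h{self.depth}:{labels[node]}", 0.0) == 0.0

        return sorted(((unseen(ev[1]) + unseen(ev[3]), ev) for ev in events), key=lambda p: -p[0])


def web_slice(t0: float, extra: Iterable[Tuple[str, str, str]] = ()) -> List[Event]:
    """Constructed benign slice: an nginx worker serving one request."""
    base = [("proc:nginx", "read", "sock:client"),
            ("proc:nginx", "read", "file:/var/www/index.html"),
            ("proc:nginx", "write", "file:/var/log/nginx/access.log"),
            ("proc:nginx", "write", "sock:client")]
    return [(t0 + i, s, a, o) for i, (s, a, o) in enumerate(base + list(extra))]


# Constructed training stream: three benign slices with small variations.
BENIGN = (web_slice(0) + web_slice(60, [("proc:nginx", "read", "file:/var/www/style.css")])
          + web_slice(120, [("proc:nginx", "write", "file:/var/log/nginx/error.log")]))
# Constructed test stream: one more benign request, then a worker that spawns a
# shell, reads /etc/shadow and talks to an external host (hypothetical attack).
STREAM = web_slice(180, [("proc:nginx", "read", "file:/var/www/style.css")]) + [
    (240.0, "proc:nginx", "read", "sock:client"),
    (241.0, "proc:nginx", "exec", "proc:sh"),
    (242.0, "proc:sh", "read", "file:/etc/shadow"),
    (243.0, "proc:sh", "connect", "sock:203.0.113.5:4444"),
    (244.0, "proc:sh", "write", "sock:203.0.113.5:4444"),
]


def run_demo(width_s: float = 60.0):
    """Train on BENIGN, score STREAM slice by slice, localize inside flagged slices."""
    det = CentroidDetector().fit(slice_by_time(BENIGN, width_s))
    results = det.detect(STREAM, width_s)
    flagged = {slot: det.localize(sl) for sl, (slot, _, hit)
               in zip(slice_by_time(STREAM, width_s), results) if hit}
    return det, results, flagged


if __name__ == "__main__":
    det, results, flagged = run_demo()
    for slot, score, hit in results:
        print(f"slice {slot}: score={score:.3f} threshold={det.threshold:.3f} {'ANOMALY' if hit else 'ok'}")
    for slot, ranked in flagged.items():
        for novelty, (_, s, a, o) in ranked:
            print(f"  slice {slot}: novelty={novelty} {s} {a} {o}")
```

On the constructed data the benign test slice scores 4/3 against a threshold of 8/3, while the shell-spawning slice scores 12.0 and is flagged; the localization step then ranks the events whose endpoints carry never-seen structure (the exec, the outbound connection, the changed nginx node) above the `/etc/shadow` read, whose file node looks like any other read file at one hop. Two caveats carry over to the real design: a threshold derived from the maximum training score collapses to zero when the training slices are identical (a quantile over a held-out benign set is the safer rule), and an attacker who keeps each slice structurally close to normal activity lowers every per-slice score, which is the inherent trade-off of slicing the provenance graph by time.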