APT Detection via Hypergraph Attention Network with Community-Based Behavioral Mining
Advanced Persistent Threats (APTs) challenge cybersecurity due to their stealthy, multi-stage nature. For the provenance graph based on fine-grained kernel logs, existing methods have difficulty distinguishing behavior boundaries and handling complex multi-entity dependencies, which exhibit high fal...
Saved in:
| Main Authors: | Qijie Song, Tieming Chen, Tiantian Zhu, Mingqi Lv, Xuebo Qiu, Zhiling Zhu |
|---|---|
| Format: | Article |
| Language: | English |
| Published: | MDPI AG, 2025-05-01 |
| Series: | Applied Sciences |
| Subjects: | seed nodes; hypergraph; HyperGAT; overlapping community; APT |
| Online Access: | https://www.mdpi.com/2076-3417/15/11/5872 |
| _version_ | 1849721914291912704 |
|---|---|
| author | Qijie Song Tieming Chen Tiantian Zhu Mingqi Lv Xuebo Qiu Zhiling Zhu |
| author_facet | Qijie Song Tieming Chen Tiantian Zhu Mingqi Lv Xuebo Qiu Zhiling Zhu |
| author_sort | Qijie Song |
| collection | DOAJ |
| description | Advanced Persistent Threats (APTs) challenge cybersecurity due to their stealthy, multi-stage nature. For the provenance graph based on fine-grained kernel logs, existing methods have difficulty distinguishing behavior boundaries and handling complex multi-entity dependencies, which exhibit high false positives in dynamic environments. To address this, we propose a Hypergraph Attention Network framework for APT detection. First, we employ anomaly node detection on provenance graphs constructed from kernel logs to select seed nodes, which serve as starting points for discovering overlapping behavioral communities via node aggregation. These communities are then encoded as hyperedges to construct a hypergraph that captures high-order interactions. By integrating hypergraph structural semantics with nodes and hyperedge dual attention mechanisms, our framework achieves robust APT detection by modeling complex behavioral dependencies. Experiments on DARPA and Unicorn show superior performance: 97.73% accuracy, 98.35% F1-score, and a 0.12% FPR. By bridging hypergraph theory and adaptive attention, the framework effectively models complex attack semantics, offering a robust solution for real-time APT detection. |
| format | Article |
| id | doaj-art-dc8221cf0a5b4a839a0cf5535da92183 |
| institution | DOAJ |
| issn | 2076-3417 |
| language | English |
| publishDate | 2025-05-01 |
| publisher | MDPI AG |
| record_format | Article |
| series | Applied Sciences |
| spelling | doaj-art-dc8221cf0a5b4a839a0cf5535da92183; 2025-08-20T03:11:30Z; eng; MDPI AG; Applied Sciences; 2076-3417; 2025-05-01; vol. 15, no. 11, 5872; 10.3390/app15115872; APT Detection via Hypergraph Attention Network with Community-Based Behavioral Mining; Qijie Song, Tieming Chen, Tiantian Zhu, Mingqi Lv, Xuebo Qiu, Zhiling Zhu (all: College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou 310014, China); Advanced Persistent Threats (APTs) challenge cybersecurity due to their stealthy, multi-stage nature. For the provenance graph based on fine-grained kernel logs, existing methods have difficulty distinguishing behavior boundaries and handling complex multi-entity dependencies, which exhibit high false positives in dynamic environments. To address this, we propose a Hypergraph Attention Network framework for APT detection. First, we employ anomaly node detection on provenance graphs constructed from kernel logs to select seed nodes, which serve as starting points for discovering overlapping behavioral communities via node aggregation. These communities are then encoded as hyperedges to construct a hypergraph that captures high-order interactions. By integrating hypergraph structural semantics with nodes and hyperedge dual attention mechanisms, our framework achieves robust APT detection by modeling complex behavioral dependencies. Experiments on DARPA and Unicorn show superior performance: 97.73% accuracy, 98.35% F1-score, and a 0.12% FPR. By bridging hypergraph theory and adaptive attention, the framework effectively models complex attack semantics, offering a robust solution for real-time APT detection. https://www.mdpi.com/2076-3417/15/11/5872; seed nodes; hypergraph; HyperGAT; overlapping community; APT |
| spellingShingle | Qijie Song Tieming Chen Tiantian Zhu Mingqi Lv Xuebo Qiu Zhiling Zhu APT Detection via Hypergraph Attention Network with Community-Based Behavioral Mining Applied Sciences seed nodes hypergraph HyperGAT overlapping community APT |
| title | APT Detection via Hypergraph Attention Network with Community-Based Behavioral Mining |
| title_full | APT Detection via Hypergraph Attention Network with Community-Based Behavioral Mining |
| title_fullStr | APT Detection via Hypergraph Attention Network with Community-Based Behavioral Mining |
| title_full_unstemmed | APT Detection via Hypergraph Attention Network with Community-Based Behavioral Mining |
| title_short | APT Detection via Hypergraph Attention Network with Community-Based Behavioral Mining |
| title_sort | apt detection via hypergraph attention network with community based behavioral mining |
| topic | seed nodes hypergraph HyperGAT overlapping community APT |
| url | https://www.mdpi.com/2076-3417/15/11/5872 |
| work_keys_str_mv | AT qijiesong aptdetectionviahypergraphattentionnetworkwithcommunitybasedbehavioralmining AT tiemingchen aptdetectionviahypergraphattentionnetworkwithcommunitybasedbehavioralmining AT tiantianzhu aptdetectionviahypergraphattentionnetworkwithcommunitybasedbehavioralmining AT mingqilv aptdetectionviahypergraphattentionnetworkwithcommunitybasedbehavioralmining AT xueboqiu aptdetectionviahypergraphattentionnetworkwithcommunitybasedbehavioralmining AT zhilingzhu aptdetectionviahypergraphattentionnetworkwithcommunitybasedbehavioralmining |