Corpus ID: 54484775

Deep Program Reidentification: A Graph Neural Network Solution

Authors: Shen Wang, Zhengzhang Chen, Ding Li, Lu An Tang, Jingchao Ni, Zhichun Li, Junghwan John Rhee, Haifeng Chen, Philip S. Yu
A program or process is an integral part of almost every IT/OT system. Can we trust the identity/ID (e.g., executable name) of a program? To avoid detection, malware may disguise itself using the ID of a legitimate program, and a system tool (e.g., PowerShell) used by attackers may carry the fake ID of other common, less sensitive software. However, existing intrusion detection techniques often overlook this critical program reidentification problem (i.e., checking the program's…
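The problem statement above, reduced to its simplest form as an added example (this is not the paper's graph neural network method, and the event log, the training events and the key=value log format are all constructed for illustration): a process is identified by what it does (DLLs loaded, files touched, registry keys read, children spawned, sockets opened), and that behaviour is scored against a profile built for the executable name it claims. A renamed tool keeps its behaviour, so the claimed name scores poorly and a different name scores best.

```python
"""Behaviour-based program reidentification over process event logs.

Added example, not the paper's GNN method. Each process is reduced to a set
of (event type, object) pairs and compared, by Jaccard overlap, with the
profile learned for the executable name it reports.
"""
from collections import defaultdict

# Constructed per-name training events (hypothetical, not data from the paper).
# Each tuple is (executable name, event type, object).
TRAINING_EVENTS = [
    ("notepad.exe", "file_read", "*.txt"),
    ("notepad.exe", "file_write", "*.txt"),
    ("notepad.exe", "dll_load", "kernel32.dll"),
    ("notepad.exe", "dll_load", "comdlg32.dll"),
    ("powershell.exe", "dll_load", "kernel32.dll"),
    ("powershell.exe", "dll_load", "System.Management.Automation.dll"),
    ("powershell.exe", "registry_read", r"HKLM\SOFTWARE\Microsoft\PowerShell"),
    ("powershell.exe", "process_create", "cmd.exe"),
    ("powershell.exe", "net_connect", "tcp/443"),
]

# Constructed event log in a hypothetical key=value format. pid 4412 is
# powershell.exe renamed to notepad.exe; pid 2200 is a genuine notepad.exe.
SAMPLE_LOG = """\
pid=2200 name=notepad.exe event=dll_load obj=kernel32.dll
pid=2200 name=notepad.exe event=dll_load obj=comdlg32.dll
pid=2200 name=notepad.exe event=file_read obj=*.txt
pid=4412 name=notepad.exe event=dll_load obj=kernel32.dll
pid=4412 name=notepad.exe event=dll_load obj=System.Management.Automation.dll
pid=4412 name=notepad.exe event=process_create obj=cmd.exe
pid=4412 name=notepad.exe event=net_connect obj=tcp/443
"""


def build_profiles(events):
    """Map each executable name to the set of (event type, object) it produced."""
    profiles = defaultdict(set)
    for name, etype, obj in events:
        profiles[name].add((etype, obj))
    return dict(profiles)


def parse_log(text):
    """Group log lines by pid -> (claimed name, set of (event type, object))."""
    procs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        claimed, events = procs.setdefault(fields["pid"], (fields["name"], set()))
        events.add((fields["event"], fields["obj"]))
    return procs


def jaccard(a, b):
    """Set overlap in [0, 1]; 0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def reidentify(claimed, observed, profiles, threshold=0.5):
    """Score observed behaviour against every known profile.

    Returns (verdict, best_matching_name, score_for_claimed_name). The verdict
    is "consistent" only when the claimed name is also the best match and
    clears the threshold; otherwise "mismatch", with the best match reported
    as the likely real program behind the claimed ID.
    """
    scores = {name: jaccard(observed, prof) for name, prof in profiles.items()}
    best = max(scores, key=scores.get)
    claimed_score = scores.get(claimed, 0.0)
    if best == claimed and claimed_score >= threshold:
        return "consistent", best, claimed_score
    return "mismatch", best, claimed_score


def scan_log(text, profiles, threshold=0.5):
    """Run reidentification over every process in the log; returns {pid: result}."""
    return {pid: reidentify(claimed, events, profiles, threshold)
            for pid, (claimed, events) in parse_log(text).items()}


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG, build_profiles(TRAINING_EVENTS))
    for pid, (verdict, best, score) in sorted(results.items()):
        print(f"pid {pid}: {verdict} (claimed-name score {score:.2f}, best match {best})")
```

On the constructed log, pid 2200 scores 0.75 against the notepad.exe profile and is reported consistent, while pid 4412 scores only 1/7 against notepad.exe and 0.8 against powershell.exe, so it is flagged as a mismatch with powershell.exe as the likely real program. Hashing the on-disk image is the cheaper first check for a plain rename; behaviour-based reidentification matters when the image is unavailable, repacked, or injected into an already-running host process, which is the setting the paper targets.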
