Provenance graph-oriented host intrusion detection method and system, and storage medium

Assignee

• Huazhong University of Science and Technology · CN

Inventors

• Yulai Xie · Beijing, CN
• Shuangbiao Dai · Hubei, CN
• Dan Feng · Los Altos, US

Key dates

Classification

• Technology area (CPC G)Physics
• CPC primaryG06F21/55
• WIPO fieldComputer technology
• WIPO sectorElectrical engineering

Abstract

The present invention discloses a provenance graph-oriented host intrusion detection method and system, and a storage medium, which relates to the field of cyber security. The method includes: S1, acquiring provenance data of a host to be tested, to construct a provenance graph representing user behaviors; S2, mapping nodes in the provenance graph to roles, constructing a node feature matrix composed of feature vectors which can be used to represent attribute features, structural features, and inter-node interactive relationship of the nodes in the provenance graph, and mapping nodes having similar feature vectors to the same role; S3, performing an attention-guided attribute temporal random walk by comprehensively considering attributes of the nodes in the provenance graph, the temporal relationship between edges, and an attention parameter between different roles; and S4, converting the acquired attribute temporal random walk sequence into an embedding vector to extract a feature of the provenance graph, and performing intrusion anomaly detection. The present invention can perform deep representation learning on provenance data, reduce the workload of training a detection model, …