Heterogeneous Graph Matching Networks for Unknown Malware Detection

Wang, Shen; Chen, Zhengzhang; Yu, Xiao; Ding, Li; Ni, Jingchao; Tang, Lu-An; Gui, Jiaping; Li, Zhichun; Chen, Haifeng; Yu, Philip S.

doi:10.24963/ijcai.2019/522

Cited by 62 publications

(41 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Extensive literature exists on applying embedding techniques for other log analysis tasks. Such tasks include anomaly-based IDS [22], [25], [33], [52], [60], malware identification [18], [77], [78] and cyberattack evolution understanding [72]. Much prior work uses machine learning models such as neural networks, word embedding, and n-grams to embed logs into vectors.…”

Section: Related Workmentioning

confidence: 99%

WATSON: Abstracting Behaviors from Audit Logs via Aggregation of Contextual Semantics

Zeng¹,

Chua

Chen³

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Endpoint monitoring solutions are widely deployed in today's enterprise environments to support advanced attack detection and investigation. These monitors continuously record system-level activities as audit logs and provide deep visibility into security incidents. Unfortunately, to recognize behaviors of interest and detect potential threats, cyber analysts face a semantic gap between low-level audit events and high-level system behaviors. To bridge this gap, existing work largely matches streams of audit logs against a knowledge base of rules that describe behaviors. However, specifying such rules heavily relies on expert knowledge. In this paper, we present WATSON, an automated approach to abstracting behaviors by inferring and aggregating the semantics of audit events. WATSON uncovers the semantics of events through their usage context in audit logs. By extracting behaviors as connected system operations, WATSON then combines event semantics as the representation of behaviors. To reduce analysis workload, WATSON further clusters semantically similar behaviors and distinguishes the representatives for analyst investigation. In our evaluation against both benign and malicious behaviors, WATSON exhibits high accuracy for behavior abstraction. Moreover, WATSON can reduce analysis workload by two orders of magnitude for attack investigation.

show abstract

Section: Related Workmentioning

confidence: 99%

WATSON: Abstracting Behaviors from Audit Logs via Aggregation of Contextual Semantics

Zeng¹,

Chua

Chen³

et al. 2021

Proceedings 2021 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…There are three main categories of deep graph similarity learning methods (see Fig. 1a): (1) graph embedding based methods, which apply graph embedding techniques to obtain node-level or graph-level representations and further use the representations for similarity learning (Tixier et al 2019;Nikolentzos et al 2017;Narayanan et al 2017;Atamna et al 2019;Wu et al 2018;Wang et al 2019a;Xu et al 2017;Liu et al 2019b); (2) graph neural network (GNN) based models, which are based on using GNNs for similarity learning, including GNN-CNNs (Bai et al 2018(Bai et al , 2019a, Siamese GNNs (Ktena et al 2018;Ma et al 2019;Liu et al 2019a;Wang et al 2019c;Chaudhuri et al 2019) and GNN-based graph matching networks (Li et al 2019;Ling et al 2019;Bai et al 2019b;Wang et al 2019b;Jiang et al 2019;Guo et al 2018); and (3) deep graph kernels that first map graphs into a new feature space, where kernel functions are defined for similarity learning on graph pairs, including sub-structure based deep kernels (Yanardag and Vishwanathan 2015) and deep neural Du et al 2019). In the meantime, different methods may use different types of features in the learning process.…”

Section: Taxonomy Of Modelsmentioning

confidence: 99%

“…In Ma et al (2019), a higher-order GNN model is developed to encode the community-structure of brain networks during the representation learning and leverage it for the similarity learning task on these brain networks. Some more examples from other domains include the GNN-based graph similarity predictive models introduced for chemical compound queries in computational chemistry (Bai et al 2019a), and the deep graph matching networks proposed for binary function similarity search and malware detection in computer security (Li et al 2019;Wang et al 2019c).…”

Section: Introductionmentioning

confidence: 99%

Deep graph similarity learning: a survey

Ahmed

Willke

et al. 2021

Data Min Knowl Disc

Self Cite

View full text Add to dashboard Cite

In many domains where data are represented as graphs, learning a similarity metric among graphs is considered a key problem, which can further facilitate various learning tasks, such as classification, clustering, and similarity search. Recently, there has been an increasing interest in deep graph similarity learning, where the key idea is to learn a deep learning model that maps input graphs to a target space such that the distance in the target space approximates the structural distance in the input space. Here, we provide a comprehensive review of the existing literature of deep graph similarity learning. We propose a systematic taxonomy for the methods and applications. Finally, we discuss the challenges and future directions for this problem.

show abstract

“…Wang et al [28] proposed DeepHGNN, an attentional heterogeneous graph neural network model to learn from the heterogeneous program behavior graph to guide the reidentification process. Wang et al [29] presented HAGNN, a Hierarchical Attentional Graph Neural Encoder and used it for program behavior Figure 7: The case study of ACKRec bases different metapaths. The blue labels denote the real next click, the green labels are the related knowledge concepts of the field of user student:2481307 interests in.…”

Section: Related Work 51 Graph Neural Network In Heterogeneous Informentioning

confidence: 99%

Attentional Graph Convolutional Networks for Knowledge Concept Recommendation in MOOCs in a Heterogeneous View

Gong

Wang

et al. 2020

Proceedings of the 43rd International ACM SIGIR Conference on Research and Development in Information Retrieval

Self Cite

128

View full text Add to dashboard Cite

Massive open online courses (MOOCs) are becoming a modish way for education, which provides a large-scale and open-access learning opportunity for students to grasp the knowledge. To attract students' interest, the recommendation system is applied by MOOCs providers to recommend courses to students. However, as a course usually consists of a number of video lectures, with each one covering some specific knowledge concepts, directly recommending courses overlook students' interest to some specific knowledge concepts. To fill this gap, in this paper, we study the problem of knowledge concept recommendation. We propose an end-to-end graph neural network based approach called Attentional Heterogeneous Graph Convolutional Deep Knowledge Recommender (ACKRec) for knowledge concept recommendation in MOOCs. Like other recommendation problems, it suffers from sparsity issue. To address this issue, we leverage both content information and context information to learn the representation of entities via graph convolution network. In addition to students and knowledge concepts, we consider other types of entities (e.g., courses, videos, teachers) and construct a heterogeneous information network (HIN) to capture the corresponding fruitful semantic relationships among different types of entities and incorporate them into the representation learning process. Specifically, we use meta-path on the HIN to guide the propagation of students' preferences. With the help of these meta-paths, the students' preference distribution with respect to a candidate knowledge concept can be captured. Furthermore, we propose an attention mechanism to adaptively fuse the context * The first two authors contributed equally.

show abstract

Heterogeneous Graph Matching Networks for Unknown Malware Detection

Cited by 62 publications

References 25 publications

WATSON: Abstracting Behaviors from Audit Logs via Aggregation of Contextual Semantics

WATSON: Abstracting Behaviors from Audit Logs via Aggregation of Contextual Semantics

Deep graph similarity learning: a survey

Attentional Graph Convolutional Networks for Knowledge Concept Recommendation in MOOCs in a Heterogeneous View

Contact Info

Product

Resources

About