{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,21]],"date-time":"2026-05-21T10:32:59Z","timestamp":1779359579923,"version":"3.51.4"},"reference-count":36,"publisher":"Wiley","license":[{"start":{"date-parts":[[2021,5,4]],"date-time":"2021-05-04T00:00:00Z","timestamp":1620086400000},"content-version":"unspecified","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"National Key Research and Development Program of China","award":["2019YFB2102002"],"award-info":[{"award-number":["2019YFB2102002"]}]},{"name":"National Key Research and Development Program of China","award":["BE2019012"],"award-info":[{"award-number":["BE2019012"]}]},{"name":"Key Research and Development Program of Jiangsu Province","award":["2019YFB2102002"],"award-info":[{"award-number":["2019YFB2102002"]}]},{"name":"Key Research and Development Program of Jiangsu Province","award":["BE2019012"],"award-info":[{"award-number":["BE2019012"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Security and Communication Networks"],"published-print":{"date-parts":[[2021,5,4]]},"abstract":"<jats:p>Advanced Persistent Threats (APTs) are the most sophisticated attacks for modern information systems. Currently, more and more researchers begin to focus on graph-based anomaly detection methods that leverage graph data to model normal behaviors and detect outliers for defending against APTs. However, previous studies of provenance graphs mainly concentrate on system calls, leading to difficulties in modeling network behaviors. Coarse-grained correlation graphs depend on handcrafted graph construction rules and, thus, cannot adequately explore log node attributes. Besides, the traditional Graph Neural Networks (GNNs) fail to consider meaningful edge features and are difficult to perform heterogeneous graphs embedding. To overcome the limitations of the existing approaches, we present a hierarchical approach for APT detection with novel attention-based GNNs. We propose a metapath aggregated GNN for provenance graph embedding and an edge enhanced GNN for host interactive graph embedding; thus, APT behaviors can be captured at both the system and network levels. A novel enhancement mechanism is also introduced to dynamically update the detection model in the hierarchical detection framework. Evaluations show that the proposed method outperforms the state-of-the-art baselines in APT detection.<\/jats:p>","DOI":"10.1155\/2021\/9961342","type":"journal-article","created":{"date-parts":[[2021,5,4]],"date-time":"2021-05-04T23:22:15Z","timestamp":1620170535000},"page":"1-14","source":"Crossref","is-referenced-by-count":36,"title":["A Hierarchical Approach for Advanced Persistent Threat Detection with Attention-Based Graph Neural Networks"],"prefix":"10.1155","volume":"2021","author":[{"given":"Zitong","family":"Li","sequence":"first","affiliation":[{"name":"College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing 21106, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Xiang","family":"Cheng","sequence":"additional","affiliation":[{"name":"College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing 21106, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Lixiao","family":"Sun","sequence":"additional","affiliation":[{"name":"College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing 21106, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ji","family":"Zhang","sequence":"additional","affiliation":[{"name":"School of Sciences, University of Southern Queensland, Toowoomba 4350, Australia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2863-5441","authenticated-orcid":true,"given":"Bing","family":"Chen","sequence":"additional","affiliation":[{"name":"College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing 21106, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"311","reference":[{"key":"1","first-page":"1137","article-title":"Holmes: real-time APT detection through correlation of suspicious information flows","author":"S. M. Milajerdi"},{"key":"2","article-title":"UNICORN: runtime provenance-based detector for advanced persistent threats","author":"X. Y. Han"},{"key":"3","first-page":"1777","article-title":"Log2vec: a heterogeneous graph embedding based approach for detecting cyber threats within enterprise","author":"F. Liu"},{"key":"4","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2020.01.032"},{"key":"5","doi-asserted-by":"publisher","DOI":"10.1109\/comst.2019.2891891"},{"key":"6","first-page":"1","article-title":"Early detection of cyber security threats using structured behavior modeling","volume":"5","author":"X. Yan","year":"2013","journal-title":"Transactions on Information and System Security"},{"key":"7","doi-asserted-by":"crossref","DOI":"10.1201\/b16390","volume-title":"The State of the Art in Intrusion Prevention and Detection","author":"A. S. K. Pathan","year":"2014"},{"key":"8","first-page":"1285","article-title":"DeepLog: anomaly detection and diagnosis from system logs through deep learning","author":"M. Du"},{"key":"9","first-page":"718","article-title":"Unsupervised ensemble based learning for insider threat detection","author":"P. Parveen"},{"key":"10","first-page":"1283","article-title":"Lifelong anomaly detection through unlearning","author":"M. Du"},{"key":"11","first-page":"1052","article-title":"LogLens: a real-time log analysis system,","author":"B. Debnath"},{"key":"12","doi-asserted-by":"publisher","DOI":"10.1007\/s10618-014-0365-y"},{"key":"13","first-page":"1035","article-title":"Fast memory-efficient anomaly detection in streaming heterogeneous graphs","author":"E. Manzoor"},{"key":"14","article-title":"Threat detection and investigation with system-level provenance graphs: a survey","author":"Z. Li","year":"2020"},{"key":"15","first-page":"487","article-title":"Real-time attack scenario reconstruction from COTS audit data","author":"M. N. Hossain"},{"key":"16","first-page":"1813","article-title":"Poirot: aligning attack behavior with kernel audit records for cyber threat hunting","author":"S. M. Milajerdi"},{"key":"17","first-page":"583","article-title":"Hercule: attack story reconstruction via community discovery on correlated log graph","author":"K. Pei"},{"key":"18","first-page":"701","article-title":"DeepWalk: online learning of social representations","author":"B. Perozzi"},{"key":"19","first-page":"855","article-title":"Node2vec: scalable feature learning for networks","author":"A. Grover"},{"key":"20","first-page":"1025","article-title":"Inductive representation learning on large graph","author":"W. L. Hamilton"},{"key":"21","article-title":"Semi-supervised classification with graph convolutional networks","author":"T. N. Kipf"},{"key":"22","article-title":"Graph attention networks","author":"P. Veli\u010dkovi\u0107"},{"key":"23","doi-asserted-by":"publisher","DOI":"10.1137\/1.9781611975673.67"},{"key":"24","first-page":"4419","article-title":"AddGraph: anomaly detection in dynamic graph using attention-based temporal GCN","author":"L. Zheng"},{"key":"25","first-page":"592","article-title":"Tiresias: predicting security events through deep learning","author":"Y. Shen"},{"key":"26","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-35170-9_6"},{"key":"27","first-page":"405","article-title":"Practical whole-system provenance capture","author":"T. Pasquier"},{"key":"28","doi-asserted-by":"publisher","DOI":"10.1145\/1165389.945467"},{"key":"29","article-title":"Towards a timely causality analysis for enterprise security","author":"Y. Liu"},{"key":"30","article-title":"Combatting threat alert fatigue with automated provenance triage","author":"W. U. Hassan"},{"key":"31","first-page":"1","article-title":"Insider threat event detection in user-system interactions","author":"P. Moriano"},{"key":"32","first-page":"1418","article-title":"Needle in a haystack: attack detection from large-scale system audit","author":"Y. Han"},{"key":"33","article-title":"Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains","author":"E. Hutchins"},{"key":"34","first-page":"259","article-title":"Hi-fi: collecting high-fidelity whole-system provenance","author":"D. J. Pohly"},{"key":"35","first-page":"319","article-title":"Trustworthy whole-system provenance for the Linux kernel","author":"A. M. Bates"},{"key":"36","first-page":"224","article-title":"An unsupervised multi-detector approach for identifying malicious lateral movement","author":"A. Bohara"}],"container-title":["Security and Communication Networks"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/downloads.hindawi.com\/journals\/scn\/2021\/9961342.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/downloads.hindawi.com\/journals\/scn\/2021\/9961342.xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/downloads.hindawi.com\/journals\/scn\/2021\/9961342.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,5,4]],"date-time":"2021-05-04T23:22:24Z","timestamp":1620170544000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.hindawi.com\/journals\/scn\/2021\/9961342\/"}},"subtitle":[],"editor":[{"given":"Weizhi","family":"Meng","sequence":"additional","affiliation":[],"role":[{"role":"editor","vocabulary":"crossref"}]}],"short-title":[],"issued":{"date-parts":[[2021,5,4]]},"references-count":36,"alternative-id":["9961342","9961342"],"URL":"https:\/\/doi.org\/10.1155\/2021\/9961342","relation":{},"ISSN":["1939-0122","1939-0114"],"issn-type":[{"value":"1939-0122","type":"electronic"},{"value":"1939-0114","type":"print"}],"subject":[],"published":{"date-parts":[[2021,5,4]]}}}