Cyber Threat Detection using Machine Learning on Graphs : Continuous-Time Temporal Graph Learning on Provenance Graphs

This is a Master's thesis from KTH/Skolan för elektroteknik och datavetenskap (EECS)

Abstract: Cyber attacks are ubiquitous and increasingly prevalent in industry, society, and government. They affect the economy, politics, and individuals. Increasingly skilled, organized, and well-funded threat actors, combined with ever-growing volumes and modalities of data, require increasingly sophisticated and innovative cyber defense solutions. Current state-of-the-art security systems conduct threat detection on dynamic graph representations of computer systems and enterprise communication networks known as provenance graphs. Most of these security systems are statistics-based, rely on rules defined by domain experts, or discard temporal information, and as such come with a set of drawbacks (e.g., inability to pinpoint the attack, inability to adapt to evolving systems, and reduced expressiveness due to the lack of temporal information). At the same time, there is little research in the machine learning community on graphs such as provenance graphs, which are a form of large-scale, heterogeneous, continuous-time dynamic graph, as most research on graph learning has to date been devoted to static homogeneous graphs. This thesis therefore aims to bridge these two fields and investigate the potential of learning-based methods operating on continuous-time dynamic provenance graphs for cyber threat detection. Without loss of generality, this work adopts the general Temporal Graph Networks framework for learning representations and detecting anomalies in such graphs. This method explicitly addresses the drawbacks of current security systems by considering the temporal setting and bringing the adaptability of learning-based methods. In doing so, it also introduces and releases two large-scale, continuous-time temporal, heterogeneous benchmark graph datasets with expert-labeled anomalies to foster future research on representation learning and anomaly detection on complex real-world networks. To the best of the author's knowledge, these are among the first datasets of their kind. Extensive experimental analyses of modules, datasets, and baselines validate the potency of continuous-time graph neural network-based learning, endorsing its practical applicability to the detection of cyber threats and possibly other semantically meaningful anomalies in similar real-world systems.
