Program or process is an integral part of almost every IT/OT system. Can we trust the identity/ID (e.g., executable name) of the program? To avoid detection, malware may disguise itself using the ID of a legitimate program, and a system tool (e.g., PowerShell) used by the attackers may have the fake ID of another common software, which is less sensitive. However, existing intrusion detection techniques often overlook this critical program reidentification problem (i.e., checking the program's identity). In this paper, we propose an attentional heterogeneous graph neural network model (DeepHGNN) to verify the program's identity based on its system behaviors. The key idea is to leverage the representation learning of the heterogeneous program behavior graph to guide the reidentification process. We formulate the program reidentification as a graph classification problem and develop an effective attentional heterogeneous graph embedding algorithm to solve it. Extensive experiments --- using real-world enterprise monitoring data and real attacks --- demonstrate the effectiveness of DeepHGNN across multiple popular metrics and the robustness to the normal dynamic changes like program version upgrades.
@article{arxiv.1812.04064,
title = {Attentional Heterogeneous Graph Neural Network: Application to Program Reidentification},
author = {Shen Wang and Zhengzhang Chen and Ding Li and Lu-An Tang and Jingchao Ni and Zhichun Li and Junghwan Rhee and Haifeng Chen and Philip S. Yu},
journal= {arXiv preprint arXiv:1812.04064},
year = {2019}
}