Abstract
A multi-step targeted cyberattack is a sophisticated, systematic, and persistent attack that aims to compromise the security and integrity of a complex network system. Its individual steps exhibit spatial and temporal correlations in their execution sequence. Conventional anomaly detection methods, however, typically focus on a single facet such as network traffic or host behavior and therefore lack the capacity to correlate and validate these steps. To address this deficiency, we introduce HiSec, a cyber threat correlation and discovery framework built on dynamic graph modeling and hierarchical graph neural networks. HiSec improves both the modeling of complex network systems and the analysis of the spatio-temporal characteristics of multi-step targeted cyberattacks. Specifically, we introduce a novel dynamic graph modeling algorithm that employs overlapping samplers and sliding windows to establish long-term correlations among system activities. Aided by graph attention networks and the Transformer, HiSec exploits spatio-temporally correlated edge feature representations, a capability that traditional algorithms lack. Evaluation results show that HiSec outperforms existing baselines in unsupervised detection, reaching 93.10% accuracy and 94.77% recall. Deployed in our intranet for two rounds of evaluation, HiSec proved highly efficient, taking only 0.15 seconds to model 10,000 system activities spanning approximately one hour.
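To make the sliding-window, overlapping-sampler idea concrete, the following is an added example written for this page; it is not HiSec's implementation and makes no claim about the paper's actual feature layout or GNN stages. It turns a constructed stream of system activities into a sequence of overlapping graph snapshots, aggregates each window into edges keyed by (source, destination, activity type), and tracks how many consecutive snapshots an edge survives. The `Activity` schema, the window width and stride, the `[count, first_offset, last_offset, persistence]` edge feature layout and the sample events are all assumptions made for the example.

```python
"""Added example: overlapping sliding-window dynamic graph modeling.
Not HiSec's code; schema, window parameters and feature layout are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Activity:
    ts: float   # seconds since capture start (assumed schema)
    src: str    # acting entity: host or process
    dst: str    # target entity: host, process or file
    kind: str   # activity type, e.g. connect / exec / read


# Constructed synthetic stream (not a real capture): host-A keeps connecting to
# host-B, a shell spawned on host-B reads a sensitive file, then host-B pivots.
EVENTS = [
    Activity(5,   "host-A",  "host-B",      "connect"),
    Activity(20,  "host-B",  "proc:sh",     "exec"),
    Activity(40,  "host-A",  "host-B",      "connect"),
    Activity(70,  "proc:sh", "/etc/passwd", "read"),
    Activity(95,  "host-A",  "host-B",      "connect"),
    Activity(110, "host-B",  "host-C",      "connect"),
    Activity(150, "host-A",  "host-B",      "connect"),
]


def sliding_windows(events, width, stride):
    """Yield (start, end, events_in_window) for half-open windows [start, start+width).

    With stride < width consecutive windows overlap, so an activity near a
    boundary is sampled by more than one window instead of being cut off.
    Empty windows are skipped.
    """
    if width <= 0 or stride <= 0:
        raise ValueError("width and stride must be positive")
    events = sorted(events, key=lambda e: e.ts)
    if not events:
        return
    last_ts = events[-1].ts
    start = 0.0
    while start <= last_ts:
        end = start + width
        chunk = [e for e in events if start <= e.ts < end]
        if chunk:
            yield start, end, chunk
        start += stride


def snapshot_edges(window_events, start):
    """Aggregate one window into edges keyed by (src, dst, kind).

    Assumed feature layout: [count, first_offset, last_offset], with offsets
    measured in seconds from the window start.
    """
    edges = {}
    for e in window_events:
        key = (e.src, e.dst, e.kind)
        off = e.ts - start
        if key not in edges:
            edges[key] = [1, off, off]
        else:
            feat = edges[key]
            feat[0] += 1
            feat[1] = min(feat[1], off)
            feat[2] = max(feat[2], off)
    return edges


def model_stream(events, width=60.0, stride=30.0):
    """Build the dynamic graph as a list of snapshots.

    Each snapshot is {"start", "end", "edges"}, where every edge feature is
    [count, first_offset, last_offset, persistence]. `persistence` counts the
    consecutive snapshots in which the edge has appeared and resets when the
    edge disappears for a window; it is a cheap stand-in for the long-term
    correlation that slow, multi-step activity leaves across window boundaries.
    """
    snapshots = []
    previous = {}
    for start, end, chunk in sliding_windows(events, width, stride):
        edges = snapshot_edges(chunk, start)
        current = {}
        for key, feat in edges.items():
            current[key] = previous.get(key, 0) + 1
            feat.append(current[key])
        snapshots.append({"start": start, "end": end, "edges": edges})
        previous = current
    return snapshots


def persistent_edges(snapshots, min_windows):
    """Return edge keys whose persistence reached min_windows in any snapshot."""
    found = set()
    for snap in snapshots:
        for key, feat in snap["edges"].items():
            if feat[3] >= min_windows:
                found.add(key)
    return found


if __name__ == "__main__":
    for snap in model_stream(EVENTS):
        print(f"[{snap['start']:.0f}, {snap['end']:.0f})", snap["edges"])
    print("persistent:", persistent_edges(model_stream(EVENTS), 4))
```

With a 60 s window and 30 s stride the `exec` on host-B and the later `read` of `/etc/passwd` fall into windows that overlap, so both are visible to the same window neighbourhood; with `stride=60.0` (no overlap) they land in different windows and the `persistence` feature of every edge restarts at each boundary. Feeding the per-window edge lists and features into a graph encoder is the part this example deliberately leaves out.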