Advanced Persistent Threats (APTs) represent a significant challenge in cybersecurity due to their sophisticated and stealthy nature. Traditional Intrusion Detection Systems (IDS) often fall short in detecting these multi-stage attacks. Recently, Graph Neural Networks (GNNs) have been employed to enhance IDS capabilities by analyzing the complex relationships within networked data. However, existing GNN-based solutions are hampered by high false positive rates and substantial resource consumption. In this paper, we present a novel IDS designed to detect APTs using a Spatio-Temporal Graph Neural Network Autoencoder. Our approach leverages spatial information to understand the interactions between entities within a graph and temporal information to capture the evolution of the graph over time. This dual perspective is crucial for identifying the sequential stages of APTs. Furthermore, to address privacy and scalability concerns, we deploy our architecture in a federated learning environment. This setup ensures that local data remains on-premise while encrypted model-weights are shared and aggregated using homomorphic encryption, maintaining data privacy and security. Our evaluation shows that this system effectively detects APTs with lower false positive rates and optimized resource usage compared to existing methods, highlighting the potential of spatio-temporal analysis and federated learning in enhancing cybersecurity defenses.

本研究解决了传统入侵检测系统在检测复杂的APT攻击时面临的高误报率和资源消耗问题。我们提出了一种新的入侵检测系统，采用时空图神经网络自编码器，利用时空信息来识别APT的各个阶段，并在联邦学习环境中确保数据隐私和安全。评估结果表明，该系统在检测APT时表现出更低的误报率和优化的资源使用，展示了时空分析和联邦学习在增强网络安全防御方面的潜力。

连续体：通过时空图神经网络检测APT攻击