
Abstract

Multi-step attacks, including advanced persistent threats (APT), distributed denial of service (DDoS) and botnets, are still among the most sophisticated threats that modern organisations are experiencing today. Most traditional methods of detecting these threats have difficulty identifying unknown types of events from unknown sources. In this study, we introduce a reproducible GCN-based event-log correlation framework for multi-step attack detection. We replicated GC-PTransE for APT reasoning (Phase 1), then extended GC-PTransE into practical lightweight variants for DDoS and botnet detection (Phase 3) using a common PyG graph interface. Our models demonstrated significant improvements over all categories of attacks. Using the CICIDS2017 (DDoS) dataset, our model achieved 98% accuracy, 100% precision, and 94% recall. With the CTU-13 (Botnet) dataset, GETrans++ achieved 98% accuracy, 100% precision, and 47% recall. The 72% APT-relevance hit rate from our Phase 1 replication demonstrates that a GCN can be deployed with good efficiency. Finally, by using neighbourhood batching, we avoided the need to store entire graphs in memory, thereby allowing deployment on commodity CPU/GPU architectures. Limitations of this study included the class imbalance in enterprise logs (Phase 2) and the lack of heterogeneous operational datasets, both of which were identified as areas for future study.
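Neighbourhood batching, as the abstract describes it, keeps only a seed set and its sampled k-hop neighbourhood in memory for each mini-batch, so the GCN never has to materialise the whole event graph at once. The following added example is not the paper's code and not PyG's own loader; it sketches the idea in plain Python: constructed log events become an entity graph, and a fixed-fanout sampler yields per-batch subgraphs whose size is bounded by the batch size and fanouts rather than by the number of nodes. The entity names, event types and fanout values are assumptions made for illustration.

```python
import random
from collections import defaultdict

# Constructed sample event log (not from the paper): each record is
# (timestamp, source entity, event type, destination entity).
SAMPLE_EVENTS = [
    ("t01", "host-a", "ssh_login", "host-b"),
    ("t02", "host-b", "process_spawn", "powershell"),
    ("t03", "powershell", "net_connect", "203.0.113.7"),
    ("t04", "host-b", "file_read", "host-c"),
    ("t05", "host-c", "ssh_login", "host-d"),
    ("t06", "host-d", "net_connect", "203.0.113.7"),
    ("t07", "host-e", "ssh_login", "host-f"),
    ("t08", "host-f", "process_spawn", "notepad"),
]


def build_event_graph(events):
    """Map each entity to a node id and each event to an edge labelled with its type.

    Returns (node_id, adjacency) where adjacency[node] is a list of
    (neighbour, event_type). Edges are stored in both directions because a GCN
    layer passes messages along both ends of a correlated event.
    """
    node_id = {}
    adjacency = defaultdict(list)
    for _ts, src, etype, dst in events:
        for name in (src, dst):
            if name not in node_id:
                node_id[name] = len(node_id)
        s, d = node_id[src], node_id[dst]
        adjacency[s].append((d, etype))
        adjacency[d].append((s, etype))
    return node_id, adjacency


def sample_neighbourhood(adjacency, seeds, fanouts, rng):
    """Build one mini-batch subgraph around `seeds`.

    For hop k, at most fanouts[k] neighbours are kept per frontier node
    (GraphSAGE-style fixed fanout). Returns the node set reached and the
    edges used, which is all a GCN layer needs to score the seed nodes.
    """
    nodes = set(seeds)
    frontier = list(seeds)
    edges = []
    for fanout in fanouts:
        next_frontier = []
        for u in frontier:
            neigh = adjacency.get(u, [])
            chosen = neigh if len(neigh) <= fanout else rng.sample(neigh, fanout)
            for v, etype in chosen:
                edges.append((u, v, etype))
                if v not in nodes:
                    nodes.add(v)
                    next_frontier.append(v)
        frontier = next_frontier
    return nodes, edges


def neighbourhood_batches(adjacency, batch_size, fanouts, seed=0):
    """Yield (nodes, edges) batches that together cover every node as a seed.

    Peak working-set size per batch is bounded by max_batch_nodes(), not by
    the total number of nodes, which is the property that lets the model run
    on commodity hardware.
    """
    rng = random.Random(seed)  # fixed seed keeps batches reproducible
    all_nodes = sorted(adjacency)
    for i in range(0, len(all_nodes), batch_size):
        seeds = all_nodes[i:i + batch_size]
        yield sample_neighbourhood(adjacency, seeds, fanouts, rng)


def max_batch_nodes(batch_size, fanouts):
    """Upper bound on nodes in one batch: seeds plus each hop's sampled neighbours."""
    bound = batch_size
    frontier = batch_size
    for f in fanouts:
        frontier *= f
        bound += frontier
    return bound


if __name__ == "__main__":
    node_id, adjacency = build_event_graph(SAMPLE_EVENTS)
    print(f"{len(node_id)} entities, bound per batch = {max_batch_nodes(3, [2, 1])}")
    for nodes, edges in neighbourhood_batches(adjacency, batch_size=3, fanouts=[2, 1]):
        print(f"batch: {len(nodes)} nodes, {len(edges)} edges")
```

In a real pipeline the adjacency lookup in `sample_neighbourhood` would be backed by a store that pages edges from disk or a database; the sampler itself only ever touches the seed nodes and their sampled neighbours, so the subgraph handed to the model stays small even when the full log graph does not fit in memory.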
Original language: English
Article number: 104447
Number of pages: 17
Journal: Journal of Information Security and Applications
Volume: 99
Early online date: 27 Mar 2026
DOIs
Publication status: E-pub ahead of print - 27 Mar 2026

Title: Graph-based detection of multi-step attacks using graph convolutional networks
