TY - GEN
T1 - HyperTTC
T2 - 2025 International Conference on Computing, Networking and Communications, ICNC 2025
AU - Du, Wenhui
AU - He, Yuanhang
AU - Li, Gaolei
AU - Yang, Xiao
AU - Li, Jianhua
AU - Ren, Ge
AU - Zhou, Kai
N1 - Publisher Copyright:
© 2025 IEEE.
PY - 2025/5
Y1 - 2025/5
N2 - Cybersecurity professionals often encounter a significant semantic gap between low-level traffic audits and high-level system behaviors, which hinders effective tactic recognition of advanced persistent threats (APTs). Existing provenance graph-based traffic clustering methods use binary relations to detect attack actions, which cannot adequately capture complex interactions among multiple entities. To identify attack tactics from fragmented traffic audits on multiple entities, in this paper we propose a novel hypergraph-empowered tactic-specific traffic clustering (HyperTTC) scheme, which leverages the transformative potential of hypergraphs to aggregate entities that carry the same APT attack tactic. Different from existing methods, HyperTTC is capable of achieving atomized APT detection, where each attack tactic can be identified through the combination of multi-dimensional relations. By constructing a hypergraph structure over fragmented traffic audits, HyperTTC provides an exhaustive representation of APT behaviors, thereby enhancing detection precision and bolstering resilience against sophisticated attack strategies. Extensive experiments on real-world datasets validate the effectiveness of HyperTTC: its F1 score is 12.5% higher than that of the state-of-the-art method.
KW - Hypergraph learning
KW - Intrusion detection
KW - Supervised learning
UR - https://www.scopus.com/pages/publications/105006584799
U2 - 10.1109/ICNC64010.2025.10993920
DO - 10.1109/ICNC64010.2025.10993920
M3 - Conference article published in proceeding or book
AN - SCOPUS:105006584799
T3 - 2025 International Conference on Computing, Networking and Communications, ICNC 2025
SP - 318
EP - 322
BT - 2025 International Conference on Computing, Networking and Communications, ICNC 2025
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 17 February 2025 through 20 February 2025
ER -