Authors:
Yuchen Guo
and
James Pope
Affiliation:
Intelligent Systems Laboratory, School of Engineering Mathematics and Technology, University of Bristol, Bristol, U.K.
Keyword(s):
Graph Neural Network, Anomaly Detection, Computer Security.
Abstract:
Internet of Things (IoT) devices bring an attack surface closer to personal life and industrial production. With containers as the primary method of IoT application deployment, detecting container escapes by analyzing audit logs can identify compromised edge devices. Since audit log data contains both the temporal property of events and relational information between system entities, existing analysis methods cannot comprehensively analyze these two properties together. In this paper, a new Temporal Graph Neural Network (GNN)-based model was designed to detect anomalies of IoT applications in a container environment. The model employs Gated Recurrent Unit (GRU) and Graph Isomorphism Network (GIN) operators to capture temporal and spatial features. Using unsupervised learning to model the application's normal behavior, the model can detect unknown anomalies that did not appear in training. The model is trained on a dynamic graph generated from audit logs, which record security events in a system.
Due to the lack of real-world datasets, we conducted experiments on a simulated dataset. Audit log records are divided into multiple graphs according to their temporal attribute to form a dynamic graph. Some nodes and edges are aggregated or removed to reduce the complexity of the graph. In the experiments, the model has an F1 score of 0.976 on the validation set, which outperforms the best-performing baseline model, with an F1 score of 0.845.
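As an added illustration of the preprocessing step described above (this is not the authors' code; the record format, the one-second window, the edge-aggregation rule and the dropped path prefixes are assumptions made here), the following Python turns a constructed list of audit records into a sequence of graph snapshots, aggregating repeated events within a window into weighted edges, dropping noisy paths, and deriving simple per-node features of the kind a GNN layer would consume:

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample audit records, not taken from the paper's dataset:
# (timestamp in seconds, subject, action, object)
AUDIT_RECORDS = [
    (0.1, "pid:1201", "execve", "/usr/bin/python3"),
    (0.4, "pid:1201", "open", "/app/config.yaml"),
    (0.6, "pid:1201", "open", "/app/config.yaml"),
    (0.9, "pid:1201", "connect", "10.0.0.5:443"),
    (1.2, "pid:1201", "open", "/app/config.yaml"),
    (1.5, "pid:1201", "fork", "pid:1302"),
    (1.7, "pid:1302", "open", "/proc/self/status"),
    (2.3, "pid:1302", "open", "/host/etc/passwd"),
    (2.4, "pid:1302", "open", "/host/etc/passwd"),
    (2.8, "pid:1302", "mount", "/host"),
]


@dataclass
class Snapshot:
    """One graph of the dynamic graph: the events of a single time window."""
    window: int
    nodes: set = field(default_factory=set)
    # (subject, object, action) -> number of aggregated events
    edges: dict = field(default_factory=dict)


def build_dynamic_graph(records, window_size=1.0, drop_paths=("/proc/",)):
    """Slice audit records into fixed-length time windows, one graph per window.

    Identical (subject, object, action) events inside a window are aggregated
    into a single weighted edge, and events on objects whose path starts with
    one of drop_paths (assumed noise) are removed. Nodes only enter a snapshot
    through an edge, so no isolated nodes remain.
    """
    snapshots = {}
    for ts, subj, action, obj in sorted(records):
        if any(obj.startswith(prefix) for prefix in drop_paths):
            continue
        w = int(ts // window_size)
        snap = snapshots.setdefault(w, Snapshot(window=w))
        key = (subj, obj, action)
        snap.edges[key] = snap.edges.get(key, 0) + 1
        snap.nodes.update((subj, obj))
    return [snapshots[w] for w in sorted(snapshots)]


def node_features(snap):
    """Per-node feature vector [outgoing events, incoming events, distinct actions]."""
    out_events = defaultdict(int)
    in_events = defaultdict(int)
    actions = defaultdict(set)
    for (src, dst, action), count in snap.edges.items():
        out_events[src] += count
        in_events[dst] += count
        actions[src].add(action)
    return {n: [out_events[n], in_events[n], len(actions[n])] for n in sorted(snap.nodes)}


if __name__ == "__main__":
    for snap in build_dynamic_graph(AUDIT_RECORDS):
        print(f"window {snap.window}: {len(snap.nodes)} nodes, {len(snap.edges)} edges")
        for node, feats in node_features(snap).items():
            print(f"  {node}: {feats}")
```

Each snapshot is what a temporal GNN would see at one step: the window index supplies the temporal ordering that a GRU can consume, while the aggregated, weighted edges and node features describe the relational structure within that step.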