Keywords
Computer science
Inference
Cluster analysis
Anomaly detection
Partition (number theory)
Data mining
Graph
Computational complexity theory
Theoretical computer science
Node (physics)
Feature (linguistics)
Big data
Graph partition
Attention network
Time complexity
Intrusion detection system
Machine learning
Variable (mathematics)
Distributed computing
Artificial intelligence
Function (biology)
Information loss
Data modeling
Authors
Lijuan Xu,ZiCheng Zhao,Dawei Zhao,Zheng Wang,Chunpeng Ge
Identifier
DOI:10.1109/tifs.2026.3653175
Abstract
Provenance graph-based anomaly detection, particularly for Advanced Persistent Threat (APT) detection, must contend with very large graphs and severe class imbalance. Existing methods struggle with information loss, high computational complexity, and low detection accuracy. To address these challenges, this paper proposes TraceCluster, a lightweight and adaptive clustering-based Subgraph Attention Network (SAN) for APT detection in provenance graphs. TraceCluster mitigates the neighborhood explosion problem by clustering nodes to partition the large-scale graph, which reduces reliance on the global graph while preserving local neighborhood information. Within each subgraph the method dynamically models inter-node dependencies, using an attention mechanism to adaptively emphasize the most relevant connections; this strengthens node representations and improves feature extraction. The design substantially reduces memory consumption and avoids the high computational cost of processing the global graph. In addition, an adaptive category-weighting loss function assigns different weights to different classes, improving the detection of rare anomalous behaviors. Experimental results on the OpTC dataset show that the fastest existing methods are 37-fold and 3-fold slower than our approach in inference time, respectively. Across nine real-world scenarios from four evaluated datasets, TraceCluster outperforms state-of-the-art (SOTA) approaches in overall performance, especially on node-level APT detection tasks.
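The abstract names two mechanisms without showing them: partitioning a large provenance graph into subgraphs that keep local neighborhoods intact, and a class-weighted loss that stops the rare anomalous class from being drowned out by benign nodes. The Python below is an added illustration of both ideas and is not code from the paper; the toy graph and labels are constructed, the greedy BFS partition and the inverse-frequency weighting are simple stand-ins chosen here, and the authors' actual clustering and weighting schemes are not given in the abstract.

```python
import math
from collections import Counter, deque

# Constructed toy provenance graph (not from the paper): undirected edges
# between process nodes (p*) and file nodes (f*). Node "p3" is the single
# anomalous node, so the anomalous class is 1 of 11 labels.
EDGES = [
    ("p0", "f0"), ("p0", "f1"), ("p1", "f1"), ("p1", "p2"),
    ("p2", "f2"), ("p3", "f2"), ("p3", "f3"), ("p4", "f3"),
    ("p4", "f4"), ("p5", "f4"),
]
LABELS = {  # 0 = benign, 1 = anomalous (rare class)
    "p0": 0, "p1": 0, "p2": 0, "p3": 1, "p4": 0, "p5": 0,
    "f0": 0, "f1": 0, "f2": 0, "f3": 0, "f4": 0,
}


def build_adjacency(edges):
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def partition_by_neighborhood(edges, max_size):
    """Greedy BFS partition: grow a cluster from an unassigned seed until it
    holds max_size nodes, so every subgraph is a contiguous neighborhood
    rather than a random slice of the graph. This is a hypothetical stand-in
    for the clustering step the abstract describes, not the paper's method."""
    adj = build_adjacency(edges)
    assigned = {}
    clusters = []
    for seed in sorted(adj):
        if seed in assigned:
            continue
        cluster, queue = [], deque([seed])
        while queue and len(cluster) < max_size:
            node = queue.popleft()
            if node in assigned:      # may be queued twice via two neighbors
                continue
            assigned[node] = len(clusters)
            cluster.append(node)
            for nb in sorted(adj[node]):
                if nb not in assigned:
                    queue.append(nb)
        clusters.append(cluster)
    return clusters


def inverse_frequency_weights(labels):
    """Class weight = N / (K * count_c): rare classes get large weights and the
    majority class a weight below 1. Because the weights sum to N over all
    nodes, a loss that is uniform across nodes keeps the same mean value.
    One simple adaptive weighting; the abstract does not give the paper's."""
    counts = Counter(labels.values())
    n, k = len(labels), len(counts)
    return {c: n / (k * cnt) for c, cnt in counts.items()}


def class_weighted_nll(probs, labels, weights=None):
    """Mean negative log-likelihood of the true class, scaled per class when
    weights are given. probs[node] maps class -> predicted probability."""
    total = 0.0
    for node, y in labels.items():
        w = 1.0 if weights is None else weights[y]
        total += -w * math.log(max(probs[node][y], 1e-12))
    return total / len(labels)


def constant_benign_predictor(nodes, p_benign=0.9):
    """A degenerate model that calls everything benign with 90% confidence;
    on imbalanced data it looks accurate while missing every APT node."""
    return {n: {0: p_benign, 1: 1.0 - p_benign} for n in nodes}


def compare_losses():
    """Loss of the benign-only predictor with and without class weights.
    The weighted loss is roughly 4x larger, so the rare miss dominates."""
    probs = constant_benign_predictor(LABELS)
    weights = inverse_frequency_weights(LABELS)
    return {
        "unweighted": class_weighted_nll(probs, LABELS),
        "weighted": class_weighted_nll(probs, LABELS, weights),
    }


if __name__ == "__main__":
    for i, c in enumerate(partition_by_neighborhood(EDGES, max_size=4)):
        print(f"cluster {i}: {c}")
    print(inverse_frequency_weights(LABELS))
    print(compare_losses())
```

With `max_size=4` the eleven nodes fall into three neighborhoods of size 4, 4 and 3, each reachable from its seed without consulting the rest of the graph; the anomalous node `p3` stays together with the `f2` and `f3` it touched. The weights come out as 0.55 for benign and 5.5 for anomalous, so a model that ignores the one APT node pays about four times the unweighted penalty, which is the pressure the abstract's category-weighting loss is meant to exert.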