Deep Program Reidentification: A Graph Neural Network Solution · 2020-01-26 · Deep Program...
Deep Program Reidentification: A Graph Neural Network Solution
Shen Wang et al.
University of Illinois at Chicago, NEC Labs America
To appear in SIAM International Conference on Data Mining (SDM’19)
Presenter: Weilin Xu
https://qdata.github.io/deep2Read
Shen Wang et al. (UIC, NEC Labs) Deep Program Reidentification: A Graph Neural Network SolutionPresenter: Weilin Xu https://qdata.github.io/deep2Read 1 / 30
Outline
1 Introduction: Problem, Proposed Solution
2 Method: Program ⇒ Graph, Node Feature Extraction, Graph Embedding, Channel-Aware Attention, Binary Classification
3 Experiments
4 Conclusion
Program Reidentification
Determine if an unknown program is a variant of a known program.
Used to detect disguised malware or ransomware.
Digital Code Signing is Useful
Figure: Program Properties
Figure: Digital Signature
Digital Code Signing is Useful, but
Not always used, especially by open source software. (False Positives)
Malware can hijack a signed program. (False Negatives)
Weakness of previous techniques
Digital code signing: Not always used.
Anti-virus: Malware-free attack, evasive malware, etc.
Sophisticated program watermarking techniques: Prohibitive computational costs.
Proposed Solution
Program ⇒ Graph
Graph ⇒ Embedding.
Embedding ⇒ Identity Classification.
Extract Graph from a Program
Possible choices:
Static analysis, e.g. call graph of code blocks. Complicated, local.
Dynamic analysis, e.g. system interaction graph. Simpler, global (this paper).
Extract Graphs from Dynamic Behavior
Figure: Extract three graphs from program execution.
Heterogeneous Graph
Three types of nodes:
Fork another program.
Read/Write a file.
Access to a network socket < IPAddr : Port >.
Solution: separate into three homogeneous graphs (meta-path).
Program - Program.
Program - File.
Program - Socket.
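How a stream of monitoring events could be split into the three channels listed above, as an added example (not code from the paper or the slides). The event tuples, operation names, paths and socket values are constructed, and storing each channel as a symmetric 0/1 adjacency matrix is an assumption.

```python
# Constructed sample: one day of events for one program, as
# (subject process, operation, object). Not taken from the paper's dataset.
EVENTS = [
    ("backup.exe", "fork",    "zip.exe"),
    ("backup.exe", "read",    "/data/report.docx"),
    ("backup.exe", "write",   "/data/report.docx.bak"),
    ("backup.exe", "connect", "10.0.0.5:443"),
    ("zip.exe",    "write",   "/data/archive.zip"),
    ("backup.exe", "read",    "/data/report.docx"),   # repeated event
    ("backup.exe", "chmod",   "/data/archive.zip"),   # fits none of the three types
]

# Assumed operation names mapped to the slide's three channels.
CHANNEL_OF = {"fork": "program", "read": "file", "write": "file", "connect": "socket"}


def split_channels(events):
    """Split a heterogeneous event stream into one edge set per channel.

    Returns (edges, skipped): edges maps channel -> set of (process, object)
    pairs; skipped counts events whose operation fits none of the channels.
    """
    edges = {"program": set(), "file": set(), "socket": set()}
    skipped = 0
    for subject, op, obj in events:
        channel = CHANNEL_OF.get(op)
        if channel is None:
            skipped += 1
            continue
        edges[channel].add((subject, obj))  # a set collapses repeated events
    return edges, skipped


def adjacency(edge_set):
    """Node list and symmetric 0/1 adjacency matrix A for one channel."""
    nodes = sorted({n for edge in edge_set for n in edge})
    index = {n: i for i, n in enumerate(nodes)}
    A = [[0] * len(nodes) for _ in nodes]
    for u, v in edge_set:
        A[index[u]][index[v]] = A[index[v]][index[u]] = 1
    return nodes, A


def behaviour_graphs(events):
    """One (nodes, A) pair per channel, plus the count of skipped events."""
    edges, skipped = split_channels(events)
    return {ch: adjacency(es) for ch, es in edges.items()}, skipped


if __name__ == "__main__":
    graphs, skipped = behaviour_graphs(EVENTS)
    for channel, (nodes, A) in graphs.items():
        print(channel, nodes)
        for row in A:
            print("  ", row)
    print("skipped events:", skipped)
```

Counting skipped events rather than dropping them silently shows how much of a program's activity the three channels do not cover.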
Attentional Multi-Channel Graph Neural Network
Figure: Attentional Multi-Channel Graph Neural Network.
Feature Extraction
For each node $v$ in graph $G$, we extract a feature vector from:
Connectivity features: $X_v^{con} = \{e_{v,1}, \ldots, e_{v,|V|}\}$
Graph statistical features: $X_v^{stat} = \{X_v^{s1}, X_v^{s2}, X_v^{s3}, X_v^{s4}\}$
Degree centrality
Closeness centrality
Betweenness centrality
Clustering coefficient
How to combine as $X_v$? Concatenation?
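The feature vector above, built by concatenation for a small undirected graph, as an added example (not the authors' code). The slide only names the four statistics, so the normalisations used here (degree and betweenness scaled to [0, 1], closeness scaled by the reachable fraction) are assumptions, and the sample graph is constructed.

```python
from collections import deque


def neighbours(A, v):
    return [u for u, a in enumerate(A[v]) if a and u != v]


def shortest_paths(A, s):
    """BFS from s: distances, shortest-path counts, predecessors, visit order."""
    n = len(A)
    dist, sigma = [-1] * n, [0] * n
    preds, order = [[] for _ in range(n)], []
    dist[s], sigma[s] = 0, 1
    queue = deque([s])
    while queue:
        v = queue.popleft()
        order.append(v)
        for w in neighbours(A, v):
            if dist[w] < 0:
                dist[w] = dist[v] + 1
                queue.append(w)
            if dist[w] == dist[v] + 1:      # v lies on a shortest path to w
                sigma[w] += sigma[v]
                preds[w].append(v)
    return dist, sigma, preds, order


def stat_features(A):
    """Per node: [degree, closeness, betweenness, clustering] (undirected graph)."""
    n = len(A)
    between = [0.0] * n
    rows = []
    for s in range(n):
        dist, sigma, preds, order = shortest_paths(A, s)
        delta = [0.0] * n                   # Brandes dependency accumulation
        for w in reversed(order):
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                between[w] += delta[w]
        reach = [d for d in dist if d > 0]
        # Closeness scaled by the reachable fraction, so isolated nodes get 0.
        close = len(reach) ** 2 / (sum(reach) * (n - 1)) if reach else 0.0
        nb = neighbours(A, s)
        k = len(nb)
        links = sum(1 for i, u in enumerate(nb) for w in nb[i + 1:] if A[u][w])
        clustering = 2 * links / (k * (k - 1)) if k > 1 else 0.0
        rows.append([k / (n - 1) if n > 1 else 0.0, close, 0.0, clustering])
    pairs = (n - 1) * (n - 2)               # every pair is visited from both ends
    for v in range(n):
        rows[v][2] = between[v] / pairs if pairs else 0.0
    return rows


def node_features(A):
    """X_v = connectivity row of v concatenated with its four statistics."""
    stats = stat_features(A)
    return [[float(a) for a in A[v]] + stats[v] for v in range(len(A))]


# Constructed graph: node 0 is linked to nodes 1 and 2, which are not linked.
STAR = [[0, 1, 1],
        [1, 0, 0],
        [1, 0, 0]]

if __name__ == "__main__":
    for row in node_features(STAR):
        print([round(x, 3) for x in row])
```

Each row has |V| + 4 entries, so the feature matrix for one channel is |V| × (|V| + 4).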
Graph Embedding Function
Given a homogeneous graph (single channel) $G = (V, E, A)$, each $V$ associated with feature $X$ ($|V| \times (|V| + 4)$?)
Goal: to construct and learn a graph embedding function $f_G : G \to h_G$
Proposed form: a three-layer Contextual Graph Encoder
$$h^1 = \mathrm{ReLU}((P X) W^0), \quad h^2 = \mathrm{ReLU}((P h^1) W^1), \quad h^3 = \mathrm{ReLU}((P h^2) W^2)$$
$$h_G = h_{v_t} = h^3$$
Each layer:
$$h^l = \mathrm{PROP}(h^l) = P h^l \quad (h^0 = X)$$
$$h^{l+1} = \mathrm{PERCE}(h^l) = \sigma(h^l W^l) = \mathrm{ReLU}(h^l W^l)$$
$W^l$: shared trainable weight matrix for all entities at layer $l$.
Propagation Function based on Random Walk
$$h^l = \mathrm{PROP}(h^l) = P h^l = D^{-1} A h^l = \mathrm{diag}(A\mathbf{1})^{-1} A h^l \tag{1}$$
$A$: adjacency matrix; $\mathbf{1}$: all-one vector.
$D = \mathrm{diag}(A\mathbf{1})$: degree matrix of $A$.
$P = D^{-1} A$: propagation matrix shared in each layer.
Implication: weighted sum of the contexts' current representation.
$$h^l = \sum_{u \in N(v_t)} P_{u v_t} h^l, \qquad F = \{N(v_t)\}: \text{receptive field}$$
$P \in \mathbb{R}^{N \times N}$: converged stationary distribution of the Markov process.
$i$-th row: likelihood of diffusion from entity.
Propagation Matrix Example
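Graph nodes: 1, 2, 3.
$$A = \begin{pmatrix} 0 & 1 & 1 \\ 1 & 0 & 0 \\ 1 & 0 & 0 \end{pmatrix}, \qquad D = \begin{pmatrix} 2 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{pmatrix}, \qquad D^{-1} = \begin{pmatrix} \tfrac{1}{2} & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{pmatrix}$$
$$P = D^{-1} A = \begin{pmatrix} \tfrac{1}{2} & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{pmatrix} \begin{pmatrix} 0 & 1 & 1 \\ 1 & 0 & 0 \\ 1 & 0 & 0 \end{pmatrix} = \begin{pmatrix} 0 & \tfrac{1}{2} & \tfrac{1}{2} \\ 1 & 0 & 0 \\ 1 & 0 & 0 \end{pmatrix}$$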
Figure: Propagation matrix example.
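The propagation matrix and the three-layer encoder from the preceding slides, run on the three-node example with D = diag(2, 1, 1), as an added example (not the authors' code). The weight matrices are constructed, using the connectivity rows alone as input features is an assumption, and `propagate=False` shows the case where PROP() is the identity.

```python
def matmul(X, Y):
    """Plain-Python matrix product, enough for slide-sized graphs."""
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*Y)] for row in X]


def propagation_matrix(A):
    """P = D^{-1} A with D = diag(A 1). A node with no edges keeps a zero row
    instead of dividing by zero (an assumption; the slides do not cover it)."""
    P = []
    for row in A:
        degree = sum(row)
        P.append([a / degree if degree else 0.0 for a in row])
    return P


def relu(M):
    return [[max(0.0, v) for v in row] for row in M]


def encode(A, X, weights, propagate=True):
    """h^{l+1} = ReLU((P h^l) W^l) with h^0 = X, one step per weight matrix.
    propagate=False replaces P by the identity matrix."""
    n = len(A)
    if propagate:
        P = propagation_matrix(A)
    else:
        P = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    h = X
    for W in weights:
        h = relu(matmul(matmul(P, h), W))
    return h


def graph_embedding(A, X, weights, target, propagate=True):
    """h_G = h_{v_t}: the final-layer row of the target node v_t."""
    return encode(A, X, weights, propagate)[target]


# Adjacency consistent with D = diag(2, 1, 1) and P in the slide's example.
A = [[0, 1, 1],
     [1, 0, 0],
     [1, 0, 0]]
X = [[float(a) for a in row] for row in A]   # assumption: connectivity features only
# Constructed weights (a trained model would learn these).
WEIGHTS = [
    [[1.0, 0.0], [0.0, 1.0], [0.0, 1.0]],    # W^0: 3 -> 2
    [[1.0, -1.0], [0.5, 1.0]],               # W^1: 2 -> 2
    [[1.0, 0.0], [0.0, 1.0]],                # W^2: 2 -> 2
]

if __name__ == "__main__":
    print("P =", propagation_matrix(A))
    print("h_G with propagation:", graph_embedding(A, X, WEIGHTS, target=0))
    print("h_G with P = identity:", graph_embedding(A, X, WEIGHTS, target=0, propagate=False))
```

With the same weights, the target node's embedding changes once its neighbours' representations are averaged in, which is the context the raw-feature baseline does not see.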
Motivation
Treat three channels differently
Programs;
Files;
Sockets.
Example
Ransomware: active in files.
VPN: active in socket.
Attention Weight
Attention weight $\mathrm{ATT}(h_{G_i})$ for channel $i$:
$$\alpha_i = \frac{\exp\big(\sigma(a[W_a h_{G_i} \,\|\, W_a h_{G_k}])\big)}{\sum_{k' \in |C|} \exp\big(\sigma(a[W_a h_{G_i} \,\|\, W_a h_{G_{k'}}])\big)}$$
Each channel $i = 1, 2, \ldots, |C|$
$h_{G_i}$: graph embedding of a target channel
$h_{G_k}$: graph embedding of other channels.
$a$: trainable attention vector.
$W_a$: trainable weight mapping (input features ⇒ hidden space)
$\|$: concatenation
$\sigma$: nonlinear gating function.
Joint Representation of All Channels
Joint representation of all channels:
$$h_{G_{Join}} = \sum_{i=1}^{|C|} \mathrm{ATT}(h_{G_i}) \, h_{G_i}$$
Program Reidentification
Train a binary classifier for each known program.
Input: Event data of a claimed program.
Prediction: Whether the program behaves like the claimed one.
Logistic regression classifier.
Binary cross entropy loss.
Adam optimizer.
Early stopping with good accuracy.
Experimental Setup
Dataset: Real-world system monitoring data of 3 Terabytes.
87 machines over 20 weeks.
300M events, 2K processes, 600K files, 18K sockets.
Behavior graph per program per day.
Baselines.
LR, SVM, XGB, MLP using raw features.
MLP: special case that PROP() is identity matrix.
Metrics: ACC, F-1 score, AUC, precision and recall.
Result
Figure: Comparison of other classification methods.
Conclusion
DeepRe-ID, an attentional graph neural network method to verify the program identity based on behavior graph.
Can encode heterogeneous complex dependency.
Outperforms all baseline methods.
Discussions
Drawbacks:
No open dataset or open source code.
Require feature engineering: graph statistical features.
Require adjacency matrix.
Binary classification with many classes.
No interpretation of trained models.