Use this identifier to cite or link to this item:
https://repositorio.ufpe.br/handle/123456789/64858
Title: | Detecting unauthorized access to computer networks through graph transformers |
Author(s): | SOUSA, Luis Fred Gonçalves de |
Keywords: | Cyber security; Advanced persistent threats; Graph neural networks |
Issue date: | 4-Apr-2025 |
Publisher: | Universidade Federal de Pernambuco |
Citation: | SOUSA, Luis Fred Gonçalves de. Detecting unauthorized access to computer networks through graph transformers. 2025. Thesis (Doctorate in Computer Science) – Universidade Federal de Pernambuco, Recife, 2025. |
Abstract: | The proliferation of digital technologies, while enhancing productivity and access to new tools, has concurrently created opportunities for cybercriminals. This has led to a surge in digital abuses and cybercrimes, resulting in substantial losses for individuals, businesses, and governments. Advanced Persistent Threats (APTs) are central to many attacks, characterized by stealthy, gradual network infiltration to achieve objectives such as data theft and sabotage. Lateral movement, a decisive phase in APT campaigns, allows adversaries to consolidate their presence. Anomalous authentications serve as critical indicators of lateral movement, as they reveal intruder transitions between devices, often leveraging stolen credentials and exploiting vulnerabilities. Since computer network interactions form graph-structured data, graph-based algorithms, such as Graph Neural Networks (GNNs) and Graph Transformers (GTs), can be employed to detect anomalous interactions indicative of attacks within the computer networks. However, the effectiveness of these methods hinges on the representational power and performance of the graph models. Efficient node embedding aggregation in GNNs is pivotal for representing graph topology; existing simple aggregation methods (sum, mean, max) are limited, while the computational complexity of sophisticated approaches, such as Transformer-based methods, poses challenges for large graphs, despite their improved ability to capture long-range dependencies. Furthermore, many existing approaches neglect the temporal aspect of network events, which are inherently time-dependent. This work explores GNNs and GTs for unauthorized access detection in computer networks in two distinct experiments. First, we propose a link prediction approach incorporating a soft-attention mechanism to filter irrelevant node information during node representation aggregation. Second, we leverage recent advances in Transformer architectures for large graphs and propose a novel node classification approach for anomalous authentication detection that explicitly addresses the temporal dependencies between events at different granularities. The proposed models were trained on public datasets containing authentication logs from corporate networks. Experimental results showed that the proposed methods outperform state-of-the-art approaches in detecting anomalous authentications. |
URI: | https://repositorio.ufpe.br/handle/123456789/64858 |
Appears in collections: | Doctoral Theses - Computer Science |
Files associated with this item:
File | Description | Size | Format | |
---|---|---|---|---|
TESE Luis Fred Goncalves De Sousa.pdf | | 3.13 MB | Adobe PDF | View/Open |
This file is protected by copyright |
This item is licensed under a Creative Commons License