Detecting unauthorized access to computer networks through graph transformers

Bibliographic details
Year of defense: 2025
Main author: SOUSA, Luis Fred Gonçalves de
Advisor: Not informed by the institution
Defense committee: Not informed by the institution
Document type: Thesis
Access type: Open access
Language: eng
Defending institution: Universidade Federal de Pernambuco
UFPE
Brasil
Programa de Pos Graduacao em Ciencia da Computacao
Graduate program: Not informed by the institution
Department: Not informed by the institution
Country: Not informed by the institution
Keywords in Portuguese:
Access link: https://repositorio.ufpe.br/handle/123456789/64858
Abstract: The proliferation of digital technologies, while enhancing productivity and access to new tools, has concurrently created opportunities for cybercriminals. This has led to a surge in digital abuses and cybercrimes, resulting in substantial losses for individuals, businesses, and governments. Advanced Persistent Threats (APTs) are central to many attacks, characterized by stealthy, gradual network infiltration to achieve objectives such as data theft and sabotage. Lateral movement, a decisive phase in APT campaigns, allows adversaries to consolidate their presence. Anomalous authentications serve as critical indicators of lateral movement, as they reveal intruder transitions between devices, often leveraging stolen credentials and exploiting vulnerabilities. Since computer network interactions form graph-structured data, graph-based algorithms, such as Graph Neural Networks (GNNs) and Graph Transformers (GTs), can be employed to detect anomalous interactions indicative of attacks within the computer networks. However, the effectiveness of these methods hinges on the representational power and performance of the graph models. Efficient node embedding aggregation in GNNs is pivotal for representing graph topology; existing simple aggregation methods (sum, mean, max) are limited, while the computational complexity of sophisticated approaches, such as Transformer-based methods, poses challenges for large graphs, despite their improved ability to capture long-range dependencies. Furthermore, many existing approaches neglect the temporal aspect of network events, which are inherently time-dependent. This work explores GNNs and GTs for unauthorized access detection in computer networks in two distinct experiments. First, we propose a link prediction approach incorporating a soft-attention mechanism to filter irrelevant node information during node representation aggregation. Second, we leverage recent advances in Transformer architectures for large graphs and propose a novel node classification approach for anomalous authentication detection that explicitly addresses the temporal dependencies between events at different granularities. The proposed models were trained on public datasets containing authentication logs from corporate networks. Experimental results showed that the proposed methods outperform state-of-the-art approaches in detecting anomalous authentications.
Contributor: ZANCHETTIN, Cleber
http://lattes.cnpq.br/2004244088757573
http://lattes.cnpq.br/1244195230407619
Keywords: Cyber security; Advanced persistent threats; Graph neural networks
Dates: 2025-08-06T12:33:02Z (record); 2025-04-04
Citation: SOUSA, Luis Fred Gonçalves de. Detecting unauthorized access to computer networks through graph transformers. 2025. Thesis (Doctorate in Computer Science) – Universidade Federal de Pernambuco, Recife, 2025.
https://repositorio.ufpe.br/handle/123456789/64858
License: https://creativecommons.org/licenses/by-nc-nd/4.0/ (open access)
Format: application/pdf