Addressing the challenges of detection and attribution posed by the concealment and dynamic evolutionary traits of Advanced Persistent Threats (APTs), this paper proposes an intelligent detection and attribution method integrating Graph Neural Networks (GNNs) with dynamic community features. Initially, multi-source datasets undergo cleansing, feature extraction, and the construction of temporal graph sequences. Dynamic attack communities are modeled using a Temporal Attention Graph Neural Network (TA-GNN) to capture abrupt structural shifts within communities across various attack stages. A tri-dimensional feature framework encompassing “community behavior-traffic statistics-GNN embeddings” is established, enhanced by semi-supervised contrastive learning to bolster the identification capability for unknown attacks. Finally, an improved Temporal-aware Taint Propagation Algorithm (TTPA) is employed for attack chain reconstruction. Experimental results demonstrate that the proposed method achieves an F1-score approximately 15% higher than traditional approaches, an attack path identification accuracy of 92%, and an average attribution time of 4.2 seconds, thereby providing robust support for APT defense.
Yingchao Wang
Weifang Medical University
Li Li
Heilongjiang Earthquake Agency
D Qiu
Donghua University
International Journal of Pattern Recognition and Artificial Intelligence
Wang et al. (Wed,) studied this question.
synapsesocial.com/papers/69401b262d562116f28f7a41 — DOI: https://doi.org/10.1142/s0218001425570289