AUTOMATED DISCOVERY OF MALICIOUS WEBSITE CAMPAIGN INFRASTRUCTURE USING GRAPH NEURAL NETWORKS
Inventors
Mohamed Yoosuf Mohamed Nabeel, Keerthiraj Nagaraj, Shehroze Farooqi, Oleksii Starov
Abstract
A graph neural network (GNN) based pipeline discovers direct and indirect relationships among domains from shared infrastructure and threat intelligence. The pipeline builds a knowledge graph starting with nodes representing a set of malicious domains and adds nodes representing related domains and network artifacts of the malicious domains. The pipeline extracts values of features of domains to enrich the nodes. The pipeline transforms the knowledge graph from heterogeneous nodes to homogeneous nodes by transforming the qualitative relationships expressed at least partially with the network artifact nodes into quantitative relationships expressed with edges between domain nodes. The pipeline generates feature vectors for each of the nodes based on the domain feature values and uses these to train a GNN to learn an embedding. The pipeline then clusters the graph embeddings generated by the trained GNN model and detects malicious domain campaigns based on the clustering.
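The heterogeneous-to-homogeneous step described in the abstract can be illustrated with the following added example, which is not code from the patent application. The inverse fan-out weighting, the `max_fanout` cutoff, the function name and all sample domains and artifacts are assumptions made for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample: (domain, artifact_type, artifact_value). All values are made up.
EDGES = [
    ("login-a.example", "ip", "198.51.100.7"),
    ("login-b.example", "ip", "198.51.100.7"),
    ("login-a.example", "nameserver", "ns1.host.example"),
    ("login-b.example", "nameserver", "ns1.host.example"),
    ("login-c.example", "nameserver", "ns1.host.example"),
    ("login-c.example", "cert", "constructed-cert-01"),
    ("shop.example", "cert", "constructed-cert-02"),
]


def project_to_domain_graph(edges, max_fanout=1000):
    """Collapse domain-artifact edges into weighted domain-domain edges.

    Assumed weighting (not from the patent): each shared artifact adds
    1 / (fanout - 1) to a pair, so an artifact shared by two domains counts
    more than one shared by many. Artifacts with more than max_fanout
    domains (for example a large shared-hosting IP) are skipped because
    they would link unrelated domains.
    """
    members = defaultdict(set)  # (type, value) -> domains attached to it
    for domain, a_type, a_value in edges:
        members[(a_type, a_value)].add(domain)

    weights = defaultdict(float)  # (domain_a, domain_b) -> edge weight
    shared = defaultdict(set)     # (domain_a, domain_b) -> artifact types in common
    for (a_type, _), domains in members.items():
        if len(domains) < 2 or len(domains) > max_fanout:
            continue  # an artifact seen on one domain creates no relationship
        contribution = 1.0 / (len(domains) - 1)
        for a, b in combinations(sorted(domains), 2):
            weights[(a, b)] += contribution
            shared[(a, b)].add(a_type)
    return dict(weights), dict(shared)


if __name__ == "__main__":
    w, s = project_to_domain_graph(EDGES)
    for pair in sorted(w, key=w.get, reverse=True):
        print(pair, round(w[pair], 2), sorted(s[pair]))
```

The resulting weighted edges between domain nodes are the kind of input a GNN would consume alongside per-node feature vectors; domains with no shared artifact, such as `shop.example` in the sample, remain isolated nodes.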
CPC Classifications
Filing Date
2024-09-19
Application No.
18890630