Using Graph Machine Learning To Detect Complex Attacks

Modern attack campaigns target a company's digital assets and are driven by strong economic incentives. Suppose a DevOps developer's machine is found to be compromised. Is it an incidental victim of an untargeted, commodity attack? Or is it a foothold in a campaign aimed at the company's critical digital assets, and therefore orders of magnitude more dangerous? The distinction matters: the two cases call for very different responses. To judge the risk of an attack, we need its context across many steps, so that we can see what the target is and how much it matters to the company. That requires correlating multiple entities (users, assets, files, processes, and so on) and the relationships between them, with the alerts acting as the links in the attack chain. This is essentially a graph analysis problem, and machine learning algorithms that operate on graphs can help.
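The following is an added example (not code from the original page or from Stellar Cyber) of the correlation step described above, done with plain graph traversal rather than Graph ML: alerts become edges between entities, and the question "does this foothold lead to a critical asset?" becomes a path search. The alerts, entity names, kill-chain stage labels and critical-asset list are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample alerts (hypothetical, not real telemetry). Each alert links
# a source entity to a destination entity and carries the kill-chain stage the
# detector assigned to it. Entity ids use the form "type:name".
ALERTS = [
    # Campaign A: commodity miner on a DevOps box, no movement toward assets.
    {"id": "A1", "stage": "initial_access", "src": "user:jdoe", "dst": "host:devops-01"},
    {"id": "A2", "stage": "execution", "src": "host:devops-01", "dst": "process:xmrig"},
    # Campaign B: the same kind of foothold, but it walks toward the production DB.
    {"id": "B1", "stage": "initial_access", "src": "user:asmith", "dst": "host:devops-02"},
    {"id": "B2", "stage": "execution", "src": "host:devops-02", "dst": "process:powershell"},
    {"id": "B3", "stage": "discovery", "src": "process:powershell", "dst": "host:dc-01"},
    {"id": "B4", "stage": "lateral_movement", "src": "host:devops-02", "dst": "host:build-01"},
    {"id": "B5", "stage": "lateral_movement", "src": "host:build-01", "dst": "host:prod-db-01"},
    {"id": "B6", "stage": "collection", "src": "host:prod-db-01", "dst": "file:customers.bak"},
]

# Hypothetical list of assets whose compromise is business-critical.
CRITICAL_ASSETS = {"host:prod-db-01", "file:customers.bak"}

STAGE_ORDER = ["initial_access", "execution", "discovery",
               "lateral_movement", "collection", "exfiltration"]


def build_graph(alerts):
    """Directed entity graph: node -> list of (neighbor, alert). Alerts are the edges."""
    graph = defaultdict(list)
    for alert in alerts:
        graph[alert["src"]].append((alert["dst"], alert))
    return graph


def attack_paths(graph, start, targets, max_depth=8):
    """Enumerate simple paths (as lists of alerts) from `start` to any target node.

    The walk keeps going past a target so that longer chains (e.g. lateral
    movement followed by collection on the same asset) are also reported.
    """
    found = []

    def walk(node, visited, path):
        if node in targets and path:
            found.append(list(path))
        if len(path) >= max_depth:
            return
        for neighbor, alert in graph.get(node, []):
            if neighbor in visited:          # simple paths only: no cycles
                continue
            visited.add(neighbor)
            path.append(alert)
            walk(neighbor, visited, path)
            path.pop()
            visited.discard(neighbor)

    walk(start, {start}, [])
    return found


def stage_coverage(path):
    """Distinct kill-chain stages seen along a path, in canonical order."""
    seen = {alert["stage"] for alert in path}
    return [stage for stage in STAGE_ORDER if stage in seen]


def assess(alerts, foothold, critical_assets):
    """Decide whether a foothold is part of a chain that reaches a critical asset.

    Returns the chain with the broadest stage coverage (shortest on ties), so an
    analyst sees the most complete picture of the campaign rather than one hop.
    """
    graph = build_graph(alerts)
    paths = attack_paths(graph, foothold, critical_assets)
    if not paths:
        return {"targeted": False, "alerts": [], "stages": []}
    best = max(paths, key=lambda p: (len(stage_coverage(p)), -len(p)))
    return {"targeted": True,
            "alerts": [alert["id"] for alert in best],
            "stages": stage_coverage(best)}


if __name__ == "__main__":
    for host in ("host:devops-01", "host:devops-02"):
        print(host, assess(ALERTS, host, CRITICAL_ASSETS))
```

Run on the constructed alerts, `host:devops-01` comes back as not targeted (its only outgoing edge is a miner process that goes nowhere), while `host:devops-02` is flagged with the chain B4, B5, B6 covering lateral movement and collection. The point of the exercise is that no single alert in campaign B is alarming on its own; the severity only appears once the alerts are joined through the entities they share. Graph ML replaces the hand-written path search and stage-counting heuristic here with a learned model of which chains matter.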

Graph ML is a subdomain of machine learning that has evolved rapidly in recent years. It learns from a graph's topology, that is, from how entities influence one another through their connections, using techniques such as graph embedding and graph neural networks. Applied to security alerts, Graph ML can learn which steps of a ransomware attack matter and assemble a holistic picture of the campaign, from initial penetration and internal reconnaissance through lateral movement to the critical digital assets it is after.


  • Albert Zhichun Li, VP of Engineering at Stellar Cyber