LAUSR

Proactively hunting known attack behaviors within system logs, termed threat hunting, is gaining traction in cybersecurity. Existing methods typically rely on constructing a query graph representing known attack patterns and identifying it as a subgraph within a system-wide provenance graph. However, the large scale and redundancy of provenance data lead to poor matching efficiency and high false-positive rates. To address these issues, this paper introduces SGMNet, a supervised seeded graph-matching network designed for efficient and accurate threat hunting. By selecting indicators of compromise (IOCs) as initial seed nodes, SGMNet extracts compact subgraphs from large-scale provenance graphs, significantly reducing graph size and complexity. It then learns adaptive node-expansion strategies to capture relevant context while suppressing irrelevant noise. Experiments on four real-world system log datasets demonstrate that SGMNet achieves a runtime reduction of over 60% compared to baseline methods, while reducing false positives by 35.2% on average. These results validate that SGMNet not only improves computational efficiency but also enhances detection precision, making it well suited for real-time threat hunting in large-scale environments.