A Phased Graph Convolutional Network Framework for Multi-Step Attack Detection: Event-Log Correlation and Heterogeneous Dataset Evaluation
Abstract
Multi-Step Attack Detection (MSAD) remains a significant challenge in cybersecurity owing to the intricacy of attack sequences and the diversity of log sources. This study presents a modular and extendable detection pipeline built on Graph Convolutional Networks (GCNs) that supports multi-phase attack categorisation and integrated log parsing. We first replicate a contemporary model for Advanced Persistent Threat (APT) detection on the CTU-13 dataset, attaining an F1-score of 100% and thereby verifying the baseline. We then extend the architecture through four phases: detecting Distributed Denial-of-Service (DDoS) attacks on a custom logset at 100% accuracy; generalising to botnet detection on CTU-13, improving on the previous result (F1: 95.4%) to reach 100% accuracy and F1-score; and building a modular parser that processes various log types, including Sysmon, Event Logs, Firewall Logs, Performance Logs, and Registry Dumps. In Phase 3, the model attains 99.99% accuracy and F1-score in botnet detection. We further refine these methods to improve distinctiveness and to illustrate how attacks develop. The concluding benchmark phase attains 99.88% accuracy and 99.89% F1-score, validating generalisability across diverse logs. Our phased detection pipeline provides versatility across datasets and formats (addressing heterogeneity), promoting scalable MSAD with high precision and recall while ensuring repeatability for practical deployment.
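The abstract names two building blocks without showing them: a modular parser that normalises heterogeneous logs, and a GCN that operates on the correlated events. The sketch below is an added illustration, not the paper's code: per-source parsers map constructed Sysmon, firewall and Windows event-log lines (simplified formats assumed here, not any vendor's real layout) onto one (src, dst, event) schema, the events are joined into an entity-correlation graph, and one weight-free GCN propagation step D^-1/2 (A + I) D^-1/2 x shows how a signal on one host spreads only to entities it shares events with.

```python
import re
from collections import defaultdict
from math import sqrt

# Constructed sample lines, one per source; the field layouts are assumptions for this example.
SAMPLE_LOGS = {
    "sysmon":   ["Sysmon ProcessCreate host=ws01 image=explorer.exe dest=10.0.0.5"],
    "firewall": ["2024-01-01T10:00:01 ALLOW TCP 10.0.0.5 10.0.0.9 445", "malformed line"],
    "eventlog": ["EventID=4624 host=srv02 src=10.0.0.5"],
}

# Modular parser registry: each entry turns one raw line of its format into named groups.
PARSERS = {
    "sysmon":   re.compile(r"Sysmon\s+(?P<event>\w+)\s+host=(?P<src>\S+)\s+\S+\s+dest=(?P<dst>\S+)"),
    "firewall": re.compile(r"\S+ (?P<event>ALLOW|DENY) \w+ (?P<src>\S+) (?P<dst>\S+)"),
    "eventlog": re.compile(r"EventID=(?P<event>\d+) host=(?P<dst>\S+) src=(?P<src>\S+)"),
}

def parse(source, line):
    """Normalise one line to (src, dst, event); None when the line does not fit its format."""
    m = PARSERS[source].match(line)
    return (m["src"], m["dst"], m["event"]) if m else None

def correlate(logs_by_source):
    """Run every registered parser over its lines and keep only well-formed events."""
    events = [parse(src, line) for src, lines in logs_by_source.items() for line in lines]
    return [e for e in events if e is not None]

def build_graph(events):
    """Undirected correlation graph: an edge joins the two entities seen in one event."""
    adj = defaultdict(set)
    for src, dst, _ in events:
        adj[src].add(dst)
        adj[dst].add(src)
    return adj

def gcn_propagate(adj, features):
    """One GCN layer without a weight matrix: h_u = sum_v x_v / sqrt(d_u * d_v),
    where degrees include the self-loop of A + I and missing features count as 0."""
    out = {}
    for u in adj:
        nbrs = adj[u] | {u}
        d_u = len(nbrs)
        out[u] = sum(features.get(v, 0.0) / sqrt(d_u * (len(adj[v]) + 1)) for v in nbrs)
    return out

if __name__ == "__main__":
    graph = build_graph(correlate(SAMPLE_LOGS))
    # A unit signal on ws01 reaches 10.0.0.5 (shared Sysmon event) but not 10.0.0.9 in one hop.
    print(gcn_propagate(graph, {"ws01": 1.0}))
```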