基于样本特征强化的APT攻击多阶段检测方法

doi:10.11959/j.issn.1000-436x.2022238

通信学报 ›› 2022, Vol. 43 ›› Issue (12): 66-76.doi: 10.11959/j.issn.1000-436x.2022238

基于样本特征强化的APT攻击多阶段检测方法

谢丽霞¹, 李雪鸥¹, 杨宏宇¹^,², 张良¹, 成翔⁴^,⁵

¹ 中国民航大学计算机科学与技术学院，天津 300300
² 中国民航大学安全科学与工程学院，天津 300300
³ 亚利桑那大学信息学院，美国图森 AZ85721
⁴ 扬州大学信息工程学院，江苏扬州 225127
⁵ 江苏省知识管理与智能服务工程研究中心，江苏扬州 225127

修回日期:2022-11-01 出版日期:2022-12-25 发布日期:2022-12-01
作者简介:谢丽霞（1974- ），女，重庆人，博士，中国民航大学教授，主要研究方向为网络信息安全
李雪鸥（1998- ），女，安徽合肥人，中国民航大学硕士生，主要研究方向为网络信息安全
杨宏宇（1969- ），男，吉林长春人，博士，中国民航大学教授，主要研究方向为网络信息安全
张良（1987- ），男，天津人，博士，美国亚利桑那大学研究员，主要研究方向为强化学习和基于深度学习的信号处理
成翔（1988- ），男，新疆乌鲁木齐人，博士，扬州大学实验师，主要研究方向为网络与系统安全、网络安全态势感知、APT攻击检测
基金资助:
国家自然科学基金资助项目(U1833107)

Multi-stage detection method for APT attack based on sample feature reinforcement

Lixia XIE¹, Xueou LI¹, Hongyu YANG¹^,², Liang ZHANG¹, Xiang CHENG⁴^,⁵

¹ School of Computer Science and Technology, Civil Aviation University of China, Tianjin 300300, China
² School of Safety Science and Engineering, Civil Aviation University of China, Tianjin 300300, China
³ School of Information, University of Arizona, Tucson AZ85721, USA
⁴ School of Information Engineering, Yangzhou University, Yangzhou 225127, China
⁵ Jiangsu Engineering Research Center for Knowledge Management and Intelligent Service, Yangzhou 225127, China

Revised:2022-11-01 Online:2022-12-25 Published:2022-12-01
Supported by:
The National Natural Science Foundation of China(U1833107)

摘要/Abstract

摘要：

针对高级持续性威胁（APT）攻击检测方法普遍缺乏对APT攻击多阶段流量特征多样性的感知，对持续时间较长的APT攻击序列检测效果不佳且难以检测处于不同攻击阶段的多类潜在APT攻击等不足，提出一种基于样本特征强化的APT攻击多阶段检测方法。首先，根据APT攻击特点，将恶意流量划分至不同攻击阶段并构建APT攻击标识序列。其次，通过序列生成对抗网络模拟生成APT攻击多个阶段的标识序列，增加不同阶段序列样本数量实现样本特征强化并提高多阶段样本特征的多样性。最后，提出一种多阶段检测网络模型，基于多阶段感知注意力机制对提取的多阶段流量特征与标识序列进行注意力计算，得到阶段特征向量，并作为辅助信息与标识序列进行拼接操作，增强检测模型对不同阶段感知能力并提高检测精度。实验结果表明，所提方法在2个基准数据集上均有良好的检测效果，对多类潜在APT攻击的检测效果优于其他模型。

关键词: APT攻击检测, 多阶段流量特征, 样本特征强化, 多阶段感知注意力

Abstract:

Given the problems that the current APT attack detection methods were difficult to perceive the diversity of stage flow features and generally hard to detect the long duration APT attack sequences and potential APT attacks with different attack stages, a multi-stage detection method for APT attack based on sample feature reinforcement was proposed.Firstly, the malicious flow was divided into different attack stages and the APT attack identification sequences were constructed by analyzing the characteristics of the APT attack.In addition, sequence generative adversarial network was used to simulate the generation of identification sequences in the multi-stage of APT attacks.Sample feature reinforcement was achieved by increasing the number of sequence samples in different stages, which improved the diversity of multi-stage sample features.Finally, a multi-stage detection network was proposed.Based on the multi-stage perceptual attention mechanism, the extracted multi-stage flow features and identification sequences were calculated by attention to obtain the stage feature vectors.The feature vectors were used as auxiliary information to splice with the identification sequences.The detection model’s perception ability in different stages was enhanced and the detection accuracy was improved.The experimental results show that the proposed method has remarkable detection effects on two benchmark datasets and has better effects on multi-class potential APT attacks than other models.

Key words: APT attack detection, multi-stage flow feature, sample feature reinforcement, multi-stage perceptual attention

中图分类号:

TP393

谢丽霞, 李雪鸥, 杨宏宇, 张良, 成翔. 基于样本特征强化的APT攻击多阶段检测方法[J]. 通信学报, 2022, 43(12): 66-76.

Lixia XIE, Xueou LI, Hongyu YANG, Liang ZHANG, Xiang CHENG. Multi-stage detection method for APT attack based on sample feature reinforcement[J]. Journal on Communications, 2022, 43(12): 66-76.

图/表 16

表1

图1

表2

表3

表4

图2

图3

图4

图5

图6

表6

不同模型对APT攻击的检测结果"

模型	准确率	F1分数
SAE-LSTM	70.52%	66.60%
CNN-LSTM	98.20%	98.58%
GAN-LSTM	97.41%	96.52%
GAN	87.54%	86.60%
DPCNN	97.15%	96.38%
Setconv	98.60%	97.89%
TextRCNN	93.47%	94.76%
MSDN	$98 . 66 %$	$98 . 66 %$

表6

表7

CICIDS2017数据集多阶段F1分数检测结果"

模型	APT₁	APT₂	APT₃	APT₄	APT₅	NAPT
GAN-LSTM	97.83%	96.64%	97.41%	96.52%	95.66%	84.70%
DPCNN	98.79%	97.54%	97.15%	96.38%	95.70%	85.12%
TextRCNN	96.96%	92.26%	93.47%	94.76%	$97 . 27 %$	$93 . 26 %$
MSDN	$99 . 47 %$	$98 . 39 %$	$97 . 86 %$	$96 . 93 %$	95.84%	86.46%

表7

表8

DAPT2020数据集多阶段F1分数检测结果"

模型	APT₁	APT₂	APT₃	APT₄	APT₅	NAPT
GAN-LSTM	96.77%	96.73%	95.64%	93.82%	93.61%	82.86%
DPCNN	98.86%	98.03%	95.49%	93.02%	$95 . 07 %$	89.48%
TextRCNN	97.24%	96.53%	99.17%	96.08%	95.00%	$93 . 44 %$
MSDN	$99 . 68 %$	$99 . 54 %$	$99 . 20 %$	$97 . 35 %$	95.03%	90.68%

表8

图7

图8

图9

参考文献 20

[1]	ZHANG J , PAN L , HAN Q L ,et al. Deep learning based attack detection for cyber-physical system cybersecurity:a survey[J]. IEEE/CAA Journal of Automatica Sinica, 2022,9(3): 377-391.
[2]	AHMAD A , WEBB J , DESOUZA K C ,et al. Strategically-motivated advanced persistent threat:definition,process,tactics and a disinformation model of counterattack[J]. Computers ＆ Security, 2019,86: 402-418.
[3]	杨秀璋, 彭国军, 李子川 ,等. 基于 Bert 和 BiLSTM-CRF 的 APT攻击实体识别及对齐研究[J]. 通信学报, 2022,43(6): 58-70.
	YANG X Z , PENG G J , LI Z C ,et al. Research on entity recognition and alignment of APT attack based on Bert and BiLSTM-CRF[J]. Journal on Communications, 2022,43(6): 58-70.
[4]	MILAJERDI S M , GJOMEMO R , ESHETE B ,et al. HOLMES:real-time APT detection through correlation of suspicious information flows[C]// Proceedings of 2019 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2019: 1137-1152.
[5]	NIU W N , ZHANG X S , YANG G W ,et al. Modeling attack process of advanced persistent threat using network evolution[J]. IEICE Transactions on Information and Systems, 2017,100(10): 2275-2286.
[6]	LIN G J , WEN S , HAN Q L ,et al. Software vulnerability detection using deep neural networks:a survey[J]. Proceedings of the IEEE, 2020,108(10): 1825-1848.
[7]	YANG H Y , ZHANG Z X , XIE L X ,et al. Network security situation assessment with network attack behavior classification[J]. International Journal of Intelligent Systems, 2022,37(10): 6909-6927.
[8]	ALREHAILI M , ALSHAMRANI A , ESHMAWI A . A hybrid deep learning approach for advanced persistent threat attack detection[C]// Proceedings of the 5th International Conference on Future Networks ＆ Distributed Systems. New York:ACM Press, 2021: 78-86.
[9]	刘海波, 武天博, 沈晶 ,等. 基于GAN-LSTM的APT攻击检测[J]. 计算机科学, 2020,47(1): 281-286.
	LIU H B , WU T B , SHEN J ,et al. Advanced persistent threat detection based on generative adversarial networks and long short-term memory[J]. Computer Science, 2020,47(1): 281-286.
[10]	董济源 . 基于GAN的APT攻击序列的生成与检测方法研究[D]. 哈尔滨:哈尔滨工程大学, 2020.
	DONG J Y . Research on generation and detection of APT attack sequence based on GAN[D]. Harbin:Harbin Engineering University, 2020.
[11]	JOHNSON R , ZHANG T . Deep pyramid convolutional neural networks for text categorization[C]// Proceedings of the 55th Annual Meeting of the Association for Computational Linguistics. Stroudsburg:Association for Computational Linguistics, 2017: 562-570.
[12]	AKBAR K A , WANG Y G , ISLAM M S ,et al. Identifying tactics of advanced persistent threats with limited attack traces[C]// Information Systems Security. Berlin:Springer, 2021: 3-25.
[13]	LAI S W , XU L H , LIU K ,et al. Recurrent convolutional neural networks for text classification[C]// Proceedings of the Twenty-ninth AAAI Conference on Artificial Intelligence. Palo Alto:AAAI Press, 2015: 2267-2273.
[14]	ALSHAMRANI A , MYNENI S , CHOWDHARY A ,et al. A survey on advanced persistent threats:techniques,solutions,challenges,and research opportunities[J]. IEEE Communications Surveys ＆ Tutorials, 2019,21(2): 1851-1877.
[15]	QUINTERO-BONILLA S , MARTíN D R A . A new proposal on the advanced persistent threat:a survey[J]. Applied Sciences, 2020,10(11): 3874-3896.
[16]	SHANG L K . Discovering unknown advanced persistent threat using shared features mined by neural networks[J]. Computer Networks, 2021,189:107937.
[17]	YU L T , ZHANG W N , WANG J ,et al. SeqGAN:sequence generative adversarial nets with policy gradient[C]// Proceedings of the AAAI Conference on Artificial Intelligence. Palo Alto:AAAI Press, 2017: 1-7.
[18]	VASWANI A , SHAZEER N , PARMAR N ,et al. Attention is all you need[J]. Advances in neural information processing systems, 2017,30(1): 5998-6008.
[19]	SHARAFALDIN I , HABIBI L A , GHORBANI A A . Toward generating a new intrusion detection dataset and intrusion traffic characterization[C]// Proceedings of the 4th International Conference on Information Systems Security and Privacy. Southampton:Science and Technology Publications, 2018: 108-116.
[20]	MYNENI S , CHOWDHARY A , SABUR A ,et al. DAPT 2020 - constructing a benchmark dataset for advanced persistent threats[C]// Deployable Machine Learning for Security Defense. Berlin:Springer, 2020: 138-163.

APT攻击阶段	发送流量数据包数量/个	接收流量数据包数量/个	目标端口号	传输时间/s	发送流量数据量/个
侦察	306	509	9000	268 855	21 189
	106	104	80	450 907	10 327
	288	514	9000	357 079	17 044
建立立足点	17	17	9003	44 446	1 536
	15	15	9003	44 103	1 310
	37	37	9003	110 140	3 706
横向移动	10	12	4444	78 313 266	429
	20	18	9002	10 524 518	2 222
	4	6	9000	8 148 840	441
窃取信息或破坏系统	1	1	40310	3 494	0
	1	1	46400	3 692	0
	1	1	47274	3 546	0
继续攻击或清除攻击痕迹	1	1	59430	3 602	0
	1	1	59622	3 377	0
	1	1	40310	3 494	0

APT₅攻击阶段	发送流量数据包数量/个	目标端口号	传输时间/s	发送流量数据量/个
侦察	106	80	450 907	10 327
建立立足点	17	9003	44 446	1 536
横向移动	10	4444	78 313 266	429
窃取信息或破坏系统	1	40310	3 494	0
继续攻击或清除攻击痕迹	1	59622	3 377	0

基于样本特征强化的APT攻击多阶段检测方法

Multi-stage detection method for APT attack based on sample feature reinforcement

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 16

参考文献 20

相关文章 15

Metrics

推荐阅读 0

APT攻击阶段及正常流量	原始流量特征维度/维	数据清洗后流量特征维度/维	特征选择后流量特征维度/维
侦察	84	63	23
建立立足点	84	52	15
横向移动	84	66	18
窃取信息或破坏系统	84	29	11
继续攻击或清除攻击痕迹	84	29	11
正常流量	84	71	22

APT攻击序列类型	APT攻击序列
APT₁	[[49192, 443, 6, …, 0, 0],[46190, 9000, 268855, …, 269, 0],[68, 67, 17, 1…, -1, 0]]
APT₂	[[443, 50064, 6, …, 0, 0],[57296, 80, 450907, …, 57, 0],…,[58822, 53, 17, …, -1, 0]]
APT₃	[[45988, 9000, 357079, …, 269, 0],[443, 58188, 6, …, 0, 0],…,[48067, 53, 17, …, -1, 0]]
APT₄	[[46190, 9000, 268855, …, 269, 0],[54036, 9003, 44103, ＆, 0, 0],…,[60709, 53, 17, …, -1, 0]]
APT₅	[[57296, 80, 450907, …, 57, 0],[443, 39654, 6, …, 0, 0],…,[28643, 59622, 3377, …, 1, 1452]]

[1]	李竟博, 马礼, 李阳, 傅颖勋, 马东超. 感传算协同工业互联网优化设计[J]. 通信学报, 2023, 44(6): 12-22.
[2]	赵仕祺, 黄小红, 钟志港. 基于信誉的域间路由选择机制的研究与实现[J]. 通信学报, 2023, 44(6): 47-56.
[3]	陈真, 陈文辉, 刘啸威, 尤殿龙, 刘林林, 申利民. 功能互补关系增强的云API推荐方法[J]. 通信学报, 2023, 44(6): 125-137.
[4]	魏德宾, 潘成胜, 杨力, 颜佐任. 基于网络流量水平等级预测的自适应随机早期检测算法[J]. 通信学报, 2023, 44(6): 154-166.
[5]	李元诚, 秦永泰. 基于深度强化学习的软件定义安全中台QoS实时优化算法[J]. 通信学报, 2023, 44(5): 181-192.
[6]	夏莹杰, 朱思雨, 刘雪娇. 区块链架构下具有条件隐私的车辆编队跨信任域高效群组认证研究[J]. 通信学报, 2023, 44(4): 111-123.
[7]	谢人超, 文雯, 唐琴琴, 刘云龙, 谢高畅, 黄韬. 轨道交通移动边缘计算网络安全综述[J]. 通信学报, 2023, 44(4): 201-215.
[8]	罗智勇, 张玉, 王青, 宋伟伟. 基于贝叶斯攻击图的SDN入侵意图识别算法的研究[J]. 通信学报, 2023, 44(4): 216-225.
[9]	王一丰, 郭渊博, 陈庆礼, 方晨, 林韧昊, 周永良, 马佳利. 基于对比增量学习的细粒度恶意流量分类方法[J]. 通信学报, 2023, 44(3): 1-11.
[10]	张进, 葛强, 徐伟海, 江逸茗, 马海龙, 于洪涛. 拟态路由器BGP代理的设计实现与形式化验证[J]. 通信学报, 2023, 44(3): 33-44.
[11]	经普杰, 王良民, 董学文, 张玉书, 王骞, Muhammad Sohail. 分层跨链结构：一种面向区块链系统监管的可行架构[J]. 通信学报, 2023, 44(3): 93-104.
[12]	舒坚, 史佳伟, 刘琳岚, Manar Al-Kali. 基于时空卷积的机会网络拓扑预测[J]. 通信学报, 2023, 44(3): 145-156.
[13]	王东滨, 吴东哲, 智慧, 郭昆, 张勖, 时金桥, 张宇, 陆月明. 软件定义网络抗拒绝服务攻击的流表溢出防护[J]. 通信学报, 2023, 44(2): 1-11.
[14]	康海燕, 龙墨澜. 基于吸收马尔可夫链攻击图的网络攻击分析方法研究[J]. 通信学报, 2023, 44(2): 122-135.
[15]	张云涛, 方滨兴, 杜春来, 王忠儒, 崔志坚, 宋首友. 基于异构观测链的容器逃逸检测方法[J]. 通信学报, 2023, 44(1): 49-63.