基于超图Transformer的APT攻击威胁狩猎网络模型

doi:10.11959/j.issn.1000-436x.2024043

通信学报 ›› 2024, Vol. 45 ›› Issue (2): 106-114.doi: 10.11959/j.issn.1000-436x.2024043

• 学术论文 • 上一篇

基于超图Transformer的APT攻击威胁狩猎网络模型

李元诚, 林玉坤

华北电力大学控制与计算机工程学院，北京 102206

修回日期:2023-11-29 出版日期:2024-02-01 发布日期:2024-02-01
作者简介:李元诚（1970− ），男，山东烟台人，华北电力大学教授、博士生导师，主要研究方向为密码学、信息安全等
林玉坤（1998− ），男，山东烟台人，华北电力大学硕士生，主要研究方向为电力系统网络安全等
基金资助:
国家电网有限公司科技基金资助项目(5700-202199539A-0-5-ZN)

APT attack threat-hunting network model based on hypergraph Transformer

Yuancheng LI, Yukun LIN

School of Control and Computer Engineering, North China Electric Power University, Beijing 102206, China

Revised:2023-11-29 Online:2024-02-01 Published:2024-02-01
Supported by:
Science and Technology Project of STATE GRID Corporation of China(5700-202199539A-0-5-ZN)

摘要/Abstract

摘要：

针对物联网环境中高级持续性威胁（APT）具有隐蔽性强、持续时间长、更新迭代快等特点，传统被动检测模型难以对其进行有效搜寻的问题，提出了一种基于超图Transformer的APT攻击威胁狩猎（HTTN）模型，能够在时间跨度长、信息隐蔽复杂的物联网系统中快速定位和发现APT攻击痕迹。该模型首先将输入的网络威胁情报（CTI）日志图和物联网系统内核审计日志图编码为超图，经超图神经网络（HGNN）层计算日志图的全局信息和节点特征；然后由Transformer编码器提取超边位置特征；最后对超边进行匹配计算相似度分数，从而实现物联网系统网络环境下APT攻击的威胁狩猎。在物联网仿真环境下的实验结果表明，提出的HTTN模型与目前主流的图匹配神经网络相比均方误差降低约20%，Spearman等级相关系数提升约0.8%，匹配精度提升约1.2%。

关键词: 高级持续性威胁, 威胁狩猎, 图匹配, 超图

Abstract:

To solve the problem that advanced persistent threat (APT) in the Internet of things (IoT) environment had the characteristics of strong concealment, long duration, and fast update iterations, it was difficult for traditional passive detection models to quickly search, a hypergraph Transformer threat-hunting network (HTTN) was proposed.The HTTN model had the function of quickly locating and discovering APT attack traces in IoT systems with long time spans and complicated information concealment.The input cyber threat intelligence (CTI) log graph and IoT system kernel audit log graph were encoded into hypergraphs by the model, and the global information and node features of the log graph were calculated through the hypergraph neural network (HGNN) layer, and then they were extracted for hyperedge position features by the Transformer encoder, and finally the similarity score was calculated by the hyperedge, thus the threat-hunting of APT was realized in the network environment of the Internet of things system.It is shown by the experimental results in the simulation environment of the Internet of things that the mean square error is reduced by about 20% compared to mainstream graph matching neural networks, the Spearman level correlation coefficient is improved by about 0.8%, and improved precision@10 is improved by about 1.2% by the proposed HTTN model.

Key words: advanced persistent threat, threat-hunting, graph matching, hypergraph

中图分类号:

TN92

李元诚, 林玉坤. 基于超图Transformer的APT攻击威胁狩猎网络模型[J]. 通信学报, 2024, 45(2): 106-114.

Yuancheng LI, Yukun LIN. APT attack threat-hunting network model based on hypergraph Transformer[J]. Journal on Communications, 2024, 45(2): 106-114.

图/表 12

图1

图2

图3

图4

图5

图6

表1

表2

图7

图8

图9

图10

参考文献 19

[1]	徐震, 周晓军, 王利明 ,等. PLC攻防关键技术研究进展[J]. 信息安全学报, 2019,4(3): 48-69.
	XU Z , ZHOU X J , WANG L M ,et al. Recent advances in PLC attack and protection technology[J]. Journal of Cyber Security, 2019,4(3): 48-69.
[2]	卢英佳 . 我国电力信息系统面临的网络安全风险及处置建议[J]. 中国信息安全, 2019(11): 97-99.
	LU Y J . Network security risks faced by China’s electric power information system and its disposal suggestions[J]. China Information Security, 2019(11): 97-99.
[3]	PANAHNEJAD M , MIRABI M . APT-Dt-KC:advanced persistent threat detection based on kill-chain model[J]. The Journal of Supercomputing, 2022,78(6): 8644-8677.
[4]	ABDEL-BASSET M , HAWASH H , SALLAM K . Federated threat-hunting approach for microservice-based industrial cyber-physical system[J]. IEEE Transactions on Industrial Informatics, 2022,18(3): 1905-1917.
[5]	ALSAHEEL A , NAN Y , MA S ,et al. A sequence-based learning approach for attack investigation[C]// Proceedings of 30th USENIX Security Symposium. Berkeley:USENIX Association, 2021: 3005-3022.
[6]	YE Z W , GUO Y B , JU A K . Zero-day vulnerability risk assessment and attack path analysis using security metric[C]// Proceedings of International Conference on Artificial Intelligence and Security. Berlin:Springer, 2019: 266-278.
[7]	徐嘉涔, 王轶骏, 薛质 . 网络空间威胁狩猎的研究综述[J]. 通信技术, 2020,53(1): 1-8.
	XU J C , WANG Y J , XUE Z . Research on threat hunting in cyberspace[J]. Communications Technology, 2020,53(1): 1-8.
[8]	李铁根, 郎颂, 赵日红 . 面向工业物联网的终端安全新思考与展望[J]. 工业信息安全, 2022(5): 86-93.
	LI T G , LANG S , ZHAO R H ,et al. new thoughts and prospects on terminal security for industrial Internet of things[J]. Industrial Information Security, 2022(5): 86-93.
[9]	Mandiant. Exposing one of China’s cyber espionage units[R]. 2016.
[10]	BARNUM S . Standardizing cyber threat intelligence information with the structured threat information expression[J]. Mitre Corporation, 2012,11: 1-22.
[11]	ZHOU D Y , HUANG J Y , SCH?LKOPF B . Learning with hypergraphs:clustering,classification,and embedding[C]// Proceedings of the 19th International Conference on Neural Information Processing Systems. New York:ACM Press, 2006: 1601-1608.
[12]	FENG Y F , YOU H X , ZHANG Z Z ,et al. Hypergraph neural networks[J]. Proceedings of the AAAI Conference on Artificial Intelligence, 2019,33(1): 3558-3565.
[13]	YADATI N , NIMISHAKAVI M , YADAV P ,et al. HyperGCN:a new method of training graph convolutional networks on hypergraphs[J]. arXiv Preprint,arXiv:1809.02589, 2018.
[14]	KIPF T N , WELLING M . Semi-supervised classification with graph convolutional networks[J]. arXiv Preprint,arXiv:1609.02907, 2016.
[15]	MILAJERDI S M , GJOMEMO R , ESHETE B ,et al. HOLMES:real-time APT detection through correlation of suspicious information flows[C]// Proceedings of the 2019 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2019: 1137-1152.
[16]	BAI Y S , DING H , BIAN S ,et al. SimGNN:a neural network approach to fast graph similarity computation[C]// Proceedings of the Proceedings of the Twelfth ACM International Conference on Web Search and Data Mining. New York:ACM Press, 2019: 384-392.
[17]	BAI Y S , DING H , GU K ,et al. Learning-based efficient graph similarity computation via multi-scale convolutional set matching[J]. Proceedings of the AAAI Conference on Artificial Intelligence, 2020,34(4): 3219-3226.
[18]	ZHANG Z , BU J J , ESTER M ,et al. H2MN:graph similarity learning with hierarchical hypergraph matching networks[C]// Proceedings of the 27th ACM SIGKDD Conference on Knowledge Discovery ＆ Data Mining. New York:ACM Press, 2021: 2274-2284.
[19]	LING X , WU L F , WANG S Z ,et al. Multilevel graph matching networks for deep graph similarity learning[J]. arXiv Preprint,arXiv:2007.04395, 2020.

超参数名称	超参数数值
批大小	256
学习率	1×10^-3
权重衰减	5×10^-4
层数	5
维度	100
随机步长	5
随机失活	0.1
多头数量	5
训练轮数	1 000

模型	MSE	ρ	p@10
SimGNN	0.980 3×10^-3	0.926 1	0.856 6
GraphSim	0.443 2×10^-3	0.965 2	0.9392
HGMN	0.339 2×10^-3	0.980 2	0.940 2
H2MN	0.219 3×10^-3	0.975 2	0.943 1
本文模型	0.173 3×10^-3	0.987 8	0.954 9

基于超图Transformer的APT攻击威胁狩猎网络模型

APT attack threat-hunting network model based on hypergraph Transformer

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 12

参考文献 19

相关文章 5

Metrics

推荐阅读 0

[1]	冷涛, 蔡利君, 于爱民, 朱子元, 马建刚, 李超飞, 牛瑞丞, 孟丹. 基于系统溯源图的威胁发现与取证分析综述[J]. 通信学报, 2022, 43(7): 172-188.
[2]	刁嘉文, 方滨兴, 崔翔, 王忠儒, 甘蕊灵, 冯林, 姜海. DNS隐蔽信道综述[J]. 通信学报, 2021, 42(5): 164-178.
[3]	丁绍虎,齐宁,郭义伟. 基于M-FlipIt博弈模型的拟态防御策略评估[J]. 通信学报, 2020, 41(7): 186-194.
[4]	李丹,兰巨龙,王鹏,胡宇翔. 基于最优加权图匹配的服务功能链部署方法[J]. 通信学报, 2019, 40(3): 10-18.
[5]	付钰，李洪成，吴晓平，王甲生. 基于大数据分析的APT攻击检测研究综述[J]. 通信学报, 2015, 36(11): 1-14.