基于超图Transformer的APT攻击威胁狩猎网络模型

doi:10.11959/j.issn.1000-436x.2024043

Abstract

Abstract:

To solve the problem that advanced persistent threat (APT) in the Internet of things (IoT) environment had the characteristics of strong concealment, long duration, and fast update iterations, it was difficult for traditional passive detection models to quickly search, a hypergraph Transformer threat-hunting network (HTTN) was proposed.The HTTN model had the function of quickly locating and discovering APT attack traces in IoT systems with long time spans and complicated information concealment.The input cyber threat intelligence (CTI) log graph and IoT system kernel audit log graph were encoded into hypergraphs by the model, and the global information and node features of the log graph were calculated through the hypergraph neural network (HGNN) layer, and then they were extracted for hyperedge position features by the Transformer encoder, and finally the similarity score was calculated by the hyperedge, thus the threat-hunting of APT was realized in the network environment of the Internet of things system.It is shown by the experimental results in the simulation environment of the Internet of things that the mean square error is reduced by about 20% compared to mainstream graph matching neural networks, the Spearman level correlation coefficient is improved by about 0.8%, and improved precision@10 is improved by about 1.2% by the proposed HTTN model.

Key words: advanced persistent threat, threat-hunting, graph matching, hypergraph

CLC Number:

TN92

Yuancheng LI, Yukun LIN. APT attack threat-hunting network model based on hypergraph Transformer[J]. Journal on Communications, 2024, 45(2): 106-114.

Figures/Tables 12

References 19

[1]	徐震, 周晓军, 王利明 ,等. PLC攻防关键技术研究进展[J]. 信息安全学报, 2019,4(3): 48-69.
	XU Z , ZHOU X J , WANG L M ,et al. Recent advances in PLC attack and protection technology[J]. Journal of Cyber Security, 2019,4(3): 48-69.
[2]	卢英佳 . 我国电力信息系统面临的网络安全风险及处置建议[J]. 中国信息安全, 2019(11): 97-99.
	LU Y J . Network security risks faced by China’s electric power information system and its disposal suggestions[J]. China Information Security, 2019(11): 97-99.
[3]	PANAHNEJAD M , MIRABI M . APT-Dt-KC:advanced persistent threat detection based on kill-chain model[J]. The Journal of Supercomputing, 2022,78(6): 8644-8677.
[4]	ABDEL-BASSET M , HAWASH H , SALLAM K . Federated threat-hunting approach for microservice-based industrial cyber-physical system[J]. IEEE Transactions on Industrial Informatics, 2022,18(3): 1905-1917.
[5]	ALSAHEEL A , NAN Y , MA S ,et al. A sequence-based learning approach for attack investigation[C]// Proceedings of 30th USENIX Security Symposium. Berkeley:USENIX Association, 2021: 3005-3022.
[6]	YE Z W , GUO Y B , JU A K . Zero-day vulnerability risk assessment and attack path analysis using security metric[C]// Proceedings of International Conference on Artificial Intelligence and Security. Berlin:Springer, 2019: 266-278.
[7]	徐嘉涔, 王轶骏, 薛质 . 网络空间威胁狩猎的研究综述[J]. 通信技术, 2020,53(1): 1-8.
	XU J C , WANG Y J , XUE Z . Research on threat hunting in cyberspace[J]. Communications Technology, 2020,53(1): 1-8.
[8]	李铁根, 郎颂, 赵日红 . 面向工业物联网的终端安全新思考与展望[J]. 工业信息安全, 2022(5): 86-93.
	LI T G , LANG S , ZHAO R H ,et al. new thoughts and prospects on terminal security for industrial Internet of things[J]. Industrial Information Security, 2022(5): 86-93.
[9]	Mandiant. Exposing one of China’s cyber espionage units[R]. 2016.
[10]	BARNUM S . Standardizing cyber threat intelligence information with the structured threat information expression[J]. Mitre Corporation, 2012,11: 1-22.
[11]	ZHOU D Y , HUANG J Y , SCH?LKOPF B . Learning with hypergraphs:clustering,classification,and embedding[C]// Proceedings of the 19th International Conference on Neural Information Processing Systems. New York:ACM Press, 2006: 1601-1608.
[12]	FENG Y F , YOU H X , ZHANG Z Z ,et al. Hypergraph neural networks[J]. Proceedings of the AAAI Conference on Artificial Intelligence, 2019,33(1): 3558-3565.
[13]	YADATI N , NIMISHAKAVI M , YADAV P ,et al. HyperGCN:a new method of training graph convolutional networks on hypergraphs[J]. arXiv Preprint,arXiv:1809.02589, 2018.
[14]	KIPF T N , WELLING M . Semi-supervised classification with graph convolutional networks[J]. arXiv Preprint,arXiv:1609.02907, 2016.
[15]	MILAJERDI S M , GJOMEMO R , ESHETE B ,et al. HOLMES:real-time APT detection through correlation of suspicious information flows[C]// Proceedings of the 2019 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2019: 1137-1152.
[16]	BAI Y S , DING H , BIAN S ,et al. SimGNN:a neural network approach to fast graph similarity computation[C]// Proceedings of the Proceedings of the Twelfth ACM International Conference on Web Search and Data Mining. New York:ACM Press, 2019: 384-392.
[17]	BAI Y S , DING H , GU K ,et al. Learning-based efficient graph similarity computation via multi-scale convolutional set matching[J]. Proceedings of the AAAI Conference on Artificial Intelligence, 2020,34(4): 3219-3226.
[18]	ZHANG Z , BU J J , ESTER M ,et al. H2MN:graph similarity learning with hierarchical hypergraph matching networks[C]// Proceedings of the 27th ACM SIGKDD Conference on Knowledge Discovery ＆ Data Mining. New York:ACM Press, 2021: 2274-2284.
[19]	LING X , WU L F , WANG S Z ,et al. Multilevel graph matching networks for deep graph similarity learning[J]. arXiv Preprint,arXiv:2007.04395, 2020.

Metrics

Recommended 0

No Suggested Reading articles found!

超参数名称	超参数数值
批大小	256
学习率	1×10^-3
权重衰减	5×10^-4
层数	5
维度	100
随机步长	5
随机失活	0.1
多头数量	5
训练轮数	1 000

模型	MSE	ρ	p@10
SimGNN	0.980 3×10^-3	0.926 1	0.856 6
GraphSim	0.443 2×10^-3	0.965 2	0.9392
HGMN	0.339 2×10^-3	0.980 2	0.940 2
H2MN	0.219 3×10^-3	0.975 2	0.943 1
本文模型	0.173 3×10^-3	0.987 8	0.954 9

APT attack threat-hunting network model based on hypergraph Transformer

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 12

References 19

Related Articles 5

Metrics

Recommended 0

[1]	Tao LENG, Lijun CAI, Aimin YU, Ziyuan ZHU, Jian’gang MA, Chaofei LI, Ruicheng NIU, Dan MENG. Review of threat discovery and forensic analysis based on system provenance graph [J]. Journal on Communications, 2022, 43(7): 172-188.
[2]	Xiuzhang YANG, Guojun PENG, Zichuan LI, Yangqi LYU, Side LIU, Chenguang LI. Research on entity recognition and alignment of APT attack based on Bert and BiLSTM-CRF [J]. Journal on Communications, 2022, 43(6): 58-70.
[3]	Shaohu DING,Ning QI,Yiwei GUO. Evaluation of mimic defense strategy based on M-FlipIt game model [J]. Journal on Communications, 2020, 41(7): 186-194.
[4]	Dan LI,Julong LAN,Peng WANG,Yuxiang HU. Service function chain deployment algorithm based on optimal weighted graph matching [J]. Journal on Communications, 2019, 40(3): 10-18.
[5]	. Detecting APT attacks: a survey from the perspective of big data analysis [J]. Journal on Communications, 2015, 36(11): 1-14.