基于样本特征强化的APT攻击多阶段检测方法

doi:10.11959/j.issn.1000-436x.2022238

Abstract

Abstract:

Given the problems that the current APT attack detection methods were difficult to perceive the diversity of stage flow features and generally hard to detect the long duration APT attack sequences and potential APT attacks with different attack stages, a multi-stage detection method for APT attack based on sample feature reinforcement was proposed.Firstly, the malicious flow was divided into different attack stages and the APT attack identification sequences were constructed by analyzing the characteristics of the APT attack.In addition, sequence generative adversarial network was used to simulate the generation of identification sequences in the multi-stage of APT attacks.Sample feature reinforcement was achieved by increasing the number of sequence samples in different stages, which improved the diversity of multi-stage sample features.Finally, a multi-stage detection network was proposed.Based on the multi-stage perceptual attention mechanism, the extracted multi-stage flow features and identification sequences were calculated by attention to obtain the stage feature vectors.The feature vectors were used as auxiliary information to splice with the identification sequences.The detection model’s perception ability in different stages was enhanced and the detection accuracy was improved.The experimental results show that the proposed method has remarkable detection effects on two benchmark datasets and has better effects on multi-class potential APT attacks than other models.

Key words: APT attack detection, multi-stage flow feature, sample feature reinforcement, multi-stage perceptual attention

CLC Number:

TP393

Lixia XIE, Xueou LI, Hongyu YANG, Liang ZHANG, Xiang CHENG. Multi-stage detection method for APT attack based on sample feature reinforcement[J]. Journal on Communications, 2022, 43(12): 66-76.

Figures/Tables 16

模型	准确率	F1分数
SAE-LSTM	70.52%	66.60%
CNN-LSTM	98.20%	98.58%
GAN-LSTM	97.41%	96.52%
GAN	87.54%	86.60%
DPCNN	97.15%	96.38%
Setconv	98.60%	97.89%
TextRCNN	93.47%	94.76%
MSDN	$98 . 66 %$	$98 . 66 %$

模型	APT₁	APT₂	APT₃	APT₄	APT₅	NAPT
GAN-LSTM	97.83%	96.64%	97.41%	96.52%	95.66%	84.70%
DPCNN	98.79%	97.54%	97.15%	96.38%	95.70%	85.12%
TextRCNN	96.96%	92.26%	93.47%	94.76%	$97 . 27 %$	$93 . 26 %$
MSDN	$99 . 47 %$	$98 . 39 %$	$97 . 86 %$	$96 . 93 %$	95.84%	86.46%

模型	APT₁	APT₂	APT₃	APT₄	APT₅	NAPT
GAN-LSTM	96.77%	96.73%	95.64%	93.82%	93.61%	82.86%
DPCNN	98.86%	98.03%	95.49%	93.02%	$95 . 07 %$	89.48%
TextRCNN	97.24%	96.53%	99.17%	96.08%	95.00%	$93 . 44 %$
MSDN	$99 . 68 %$	$99 . 54 %$	$99 . 20 %$	$97 . 35 %$	95.03%	90.68%

References 20

[1]	ZHANG J , PAN L , HAN Q L ,et al. Deep learning based attack detection for cyber-physical system cybersecurity:a survey[J]. IEEE/CAA Journal of Automatica Sinica, 2022,9(3): 377-391.
[2]	AHMAD A , WEBB J , DESOUZA K C ,et al. Strategically-motivated advanced persistent threat:definition,process,tactics and a disinformation model of counterattack[J]. Computers ＆ Security, 2019,86: 402-418.
[3]	杨秀璋, 彭国军, 李子川 ,等. 基于 Bert 和 BiLSTM-CRF 的 APT攻击实体识别及对齐研究[J]. 通信学报, 2022,43(6): 58-70.
	YANG X Z , PENG G J , LI Z C ,et al. Research on entity recognition and alignment of APT attack based on Bert and BiLSTM-CRF[J]. Journal on Communications, 2022,43(6): 58-70.
[4]	MILAJERDI S M , GJOMEMO R , ESHETE B ,et al. HOLMES:real-time APT detection through correlation of suspicious information flows[C]// Proceedings of 2019 IEEE Symposium on Security and Privacy. Piscataway:IEEE Press, 2019: 1137-1152.
[5]	NIU W N , ZHANG X S , YANG G W ,et al. Modeling attack process of advanced persistent threat using network evolution[J]. IEICE Transactions on Information and Systems, 2017,100(10): 2275-2286.
[6]	LIN G J , WEN S , HAN Q L ,et al. Software vulnerability detection using deep neural networks:a survey[J]. Proceedings of the IEEE, 2020,108(10): 1825-1848.
[7]	YANG H Y , ZHANG Z X , XIE L X ,et al. Network security situation assessment with network attack behavior classification[J]. International Journal of Intelligent Systems, 2022,37(10): 6909-6927.
[8]	ALREHAILI M , ALSHAMRANI A , ESHMAWI A . A hybrid deep learning approach for advanced persistent threat attack detection[C]// Proceedings of the 5th International Conference on Future Networks ＆ Distributed Systems. New York:ACM Press, 2021: 78-86.
[9]	刘海波, 武天博, 沈晶 ,等. 基于GAN-LSTM的APT攻击检测[J]. 计算机科学, 2020,47(1): 281-286.
	LIU H B , WU T B , SHEN J ,et al. Advanced persistent threat detection based on generative adversarial networks and long short-term memory[J]. Computer Science, 2020,47(1): 281-286.
[10]	董济源 . 基于GAN的APT攻击序列的生成与检测方法研究[D]. 哈尔滨:哈尔滨工程大学, 2020.
	DONG J Y . Research on generation and detection of APT attack sequence based on GAN[D]. Harbin:Harbin Engineering University, 2020.
[11]	JOHNSON R , ZHANG T . Deep pyramid convolutional neural networks for text categorization[C]// Proceedings of the 55th Annual Meeting of the Association for Computational Linguistics. Stroudsburg:Association for Computational Linguistics, 2017: 562-570.
[12]	AKBAR K A , WANG Y G , ISLAM M S ,et al. Identifying tactics of advanced persistent threats with limited attack traces[C]// Information Systems Security. Berlin:Springer, 2021: 3-25.
[13]	LAI S W , XU L H , LIU K ,et al. Recurrent convolutional neural networks for text classification[C]// Proceedings of the Twenty-ninth AAAI Conference on Artificial Intelligence. Palo Alto:AAAI Press, 2015: 2267-2273.
[14]	ALSHAMRANI A , MYNENI S , CHOWDHARY A ,et al. A survey on advanced persistent threats:techniques,solutions,challenges,and research opportunities[J]. IEEE Communications Surveys ＆ Tutorials, 2019,21(2): 1851-1877.
[15]	QUINTERO-BONILLA S , MARTíN D R A . A new proposal on the advanced persistent threat:a survey[J]. Applied Sciences, 2020,10(11): 3874-3896.
[16]	SHANG L K . Discovering unknown advanced persistent threat using shared features mined by neural networks[J]. Computer Networks, 2021,189:107937.
[17]	YU L T , ZHANG W N , WANG J ,et al. SeqGAN:sequence generative adversarial nets with policy gradient[C]// Proceedings of the AAAI Conference on Artificial Intelligence. Palo Alto:AAAI Press, 2017: 1-7.
[18]	VASWANI A , SHAZEER N , PARMAR N ,et al. Attention is all you need[J]. Advances in neural information processing systems, 2017,30(1): 5998-6008.
[19]	SHARAFALDIN I , HABIBI L A , GHORBANI A A . Toward generating a new intrusion detection dataset and intrusion traffic characterization[C]// Proceedings of the 4th International Conference on Information Systems Security and Privacy. Southampton:Science and Technology Publications, 2018: 108-116.
[20]	MYNENI S , CHOWDHARY A , SABUR A ,et al. DAPT 2020 - constructing a benchmark dataset for advanced persistent threats[C]// Deployable Machine Learning for Security Defense. Berlin:Springer, 2020: 138-163.

Metrics

Recommended 0

No Suggested Reading articles found!

APT攻击阶段	发送流量数据包数量/个	接收流量数据包数量/个	目标端口号	传输时间/s	发送流量数据量/个
侦察	306	509	9000	268 855	21 189
	106	104	80	450 907	10 327
	288	514	9000	357 079	17 044
建立立足点	17	17	9003	44 446	1 536
	15	15	9003	44 103	1 310
	37	37	9003	110 140	3 706
横向移动	10	12	4444	78 313 266	429
	20	18	9002	10 524 518	2 222
	4	6	9000	8 148 840	441
窃取信息或破坏系统	1	1	40310	3 494	0
	1	1	46400	3 692	0
	1	1	47274	3 546	0
继续攻击或清除攻击痕迹	1	1	59430	3 602	0
	1	1	59622	3 377	0
	1	1	40310	3 494	0

APT₅攻击阶段	发送流量数据包数量/个	目标端口号	传输时间/s	发送流量数据量/个
侦察	106	80	450 907	10 327
建立立足点	17	9003	44 446	1 536
横向移动	10	4444	78 313 266	429
窃取信息或破坏系统	1	40310	3 494	0
继续攻击或清除攻击痕迹	1	59622	3 377	0

Multi-stage detection method for APT attack based on sample feature reinforcement

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 16

References 20

Related Articles 15

Metrics

Recommended 0

APT攻击阶段及正常流量	原始流量特征维度/维	数据清洗后流量特征维度/维	特征选择后流量特征维度/维
侦察	84	63	23
建立立足点	84	52	15
横向移动	84	66	18
窃取信息或破坏系统	84	29	11
继续攻击或清除攻击痕迹	84	29	11
正常流量	84	71	22

APT攻击序列类型	APT攻击序列
APT₁	[[49192, 443, 6, …, 0, 0],[46190, 9000, 268855, …, 269, 0],[68, 67, 17, 1…, -1, 0]]
APT₂	[[443, 50064, 6, …, 0, 0],[57296, 80, 450907, …, 57, 0],…,[58822, 53, 17, …, -1, 0]]
APT₃	[[45988, 9000, 357079, …, 269, 0],[443, 58188, 6, …, 0, 0],…,[48067, 53, 17, …, -1, 0]]
APT₄	[[46190, 9000, 268855, …, 269, 0],[54036, 9003, 44103, ＆, 0, 0],…,[60709, 53, 17, …, -1, 0]]
APT₅	[[57296, 80, 450907, …, 57, 0],[443, 39654, 6, …, 0, 0],…,[28643, 59622, 3377, …, 1, 1452]]

[1]	Jingbo LI, Li MA, Yang LI, Yingxun FU, Dongchao MA. Optimized design of sensing transmission and computing collaborative industrial Internet [J]. Journal on Communications, 2023, 44(6): 12-22.
[2]	Shiqi ZHAO, Xiaohong HUANG, Zhigang ZHONG. Research and implementation of reputation-based inter-domain routing selection mechanism [J]. Journal on Communications, 2023, 44(6): 47-56.
[3]	Zhen CHEN, Wenhui CHEN, Xiaowei LIU, Dianlong YOU, Linlin LIU, Limin SHEN. Functional complementarity relationship enhanced cloud API recommendation method [J]. Journal on Communications, 2023, 44(6): 125-137.
[4]	Debin WEI, Chengsheng PAN, Li YANG, Zuoren YAN. Adaptive random early detection algorithm based on network traffic level grade prediction [J]. Journal on Communications, 2023, 44(6): 154-166.
[5]	Yuancheng LI, Yongtai QIN. Deep reinforcement learning based algorithm for real-time QoS optimization of software-defined security middle platform [J]. Journal on Communications, 2023, 44(5): 181-192.
[6]	Yingjie XIA, Siyu ZHU, Xuejiao LIU. Research on efficient cross trust-domain group authentication with conditional privacy of vehicle platoon under blockchian architecture [J]. Journal on Communications, 2023, 44(4): 111-123.
[7]	Renchao XIE, Wen WEN, Qinqin TANG, Yunlong LIU, Gaochang XIE, Tao HUANG. Survey on rail transit mobile edge computing network security [J]. Journal on Communications, 2023, 44(4): 201-215.
[8]	Zhiyong LUO, Yu ZHANG, Qing WANG, Weiwei SONG. Study of SDN intrusion intent identification algorithm based on Bayesian attack graph [J]. Journal on Communications, 2023, 44(4): 216-225.
[9]	Yifeng WANG, Yuanbo GUO, Qingli CHEN, Chen FANG, Renhao LIN, Yongliang ZHOU, Jiali MA. Method based on contrastive incremental learning for fine-grained malicious traffic classification [J]. Journal on Communications, 2023, 44(3): 1-11.
[10]	Jin ZHANG, Qiang GE, Weihai XU, Yiming JIANG, Hailong MA, Hongtao YU. Design, implementation and formal verification of BGP proxy for mimic router [J]. Journal on Communications, 2023, 44(3): 33-44.
[11]	Pujie JING, Liangmin WANG, Xuewen DONG, Yushu ZHANG, Qian WANG, Sohail Muhammad. CHA: cross-chain based hierarchical architecture for practicable blockchain regulatory [J]. Journal on Communications, 2023, 44(3): 93-104.
[12]	Jian SHU, Jiawei SHI, Linlan LIU, Al-Kali Manar. Topology prediction for opportunistic network based on spatiotemporal convolution [J]. Journal on Communications, 2023, 44(3): 145-156.
[13]	Dongbin WANG, Dongzhe WU, Hui ZHI, Kun GUO, Xu ZHANG, Jinqiao SHI, Yu ZHANG, Yueming LU. Preventing flow table overflow against denial of service attack in software defined network [J]. Journal on Communications, 2023, 44(2): 1-11.
[14]	Haiyan KANG, Molan LONG. Research on network attack analysis method based on attack graph of absorbing Markov chain [J]. Journal on Communications, 2023, 44(2): 122-135.
[15]	Yuntao ZHANG, Binxing FANG, Chunlai DU, Zhongru WANG, Zhijian CUI, Shouyou SONG. Container escape detection method based on heterogeneous observation chain [J]. Journal on Communications, 2023, 44(1): 49-63.