1. College of Computer Science and Technology, Civil Aviation University of China, Tianjin 300300, China
2. College of Safety Science and Engineering, Civil Aviation University of China, Tianjin 300300, China
3. School of Information, University of Arizona, Tucson, AZ 85721, USA
4. College of Information Engineering, Yangzhou University, Yangzhou 225127, China
5. Jiangsu Engineering Research Center for Knowledge Management and Intelligent Service, Yangzhou 225127, China
XIE Lixia (b. 1974), female, from Chongqing; Ph.D., professor at Civil Aviation University of China. Research interests: network and information security.
LI Xueou (b. 1998), female, from Hefei, Anhui; master's student at Civil Aviation University of China. Research interests: network and information security.
YANG Hongyu (b. 1969), male, from Changchun, Jilin; Ph.D., professor at Civil Aviation University of China. Research interests: network and information security.
ZHANG Liang (b. 1987), male, from Tianjin; Ph.D., researcher at the University of Arizona, USA. Research interests: reinforcement learning and deep-learning-based signal processing.
CHENG Xiang (b. 1988), male, from Urumqi, Xinjiang; Ph.D., laboratory engineer at Yangzhou University. Research interests: network and system security, network security situation awareness, APT attack detection.
Online publication date: 2022-12
Print publication date: 2022-12-25
Citation: Lixia XIE, Xueou LI, Hongyu YANG, et al. Multi-stage detection method for APT attack based on sample feature reinforcement (Chinese title: 基于样本特征强化的APT攻击多阶段检测方法) [J]. Journal on Communications, 2022, 43(12): 66-76. DOI: 10.11959/j.issn.1000-436x.2022238.
Abstract: Existing advanced persistent threat (APT) detection methods generally fail to perceive the diversity of traffic features across the multiple stages of an APT attack, perform poorly on long-duration APT attack sequences, and have difficulty detecting multiple classes of potential APT attacks that sit at different attack stages. To address these shortcomings, a multi-stage APT attack detection method based on sample feature reinforcement is proposed. First, according to the characteristics of APT attacks, malicious traffic is assigned to attack stages and APT attack identification sequences are constructed. Second, a sequence generative adversarial network is used to generate identification sequences for the multiple stages of an APT attack; increasing the number of sequence samples in each stage reinforces the sample features and improves the diversity of multi-stage sample features. Finally, a multi-stage detection network is proposed: a multi-stage perceptual attention mechanism computes attention between the extracted multi-stage traffic features and the identification sequences to obtain stage feature vectors, which are concatenated with the identification sequences as auxiliary information, strengthening the detection model's perception of the different stages and improving detection accuracy. Experimental results show that the proposed method detects well on two benchmark datasets and outperforms other models on multi-class potential APT attacks.
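The abstract names two concrete steps that are easy to lose in summary form: turning stage-labelled flows into a per-host identification sequence, and attending flow features over stage representations to get a stage feature vector that is then spliced onto the sequence. The pure-Python sketch below is an added illustration written for this page, not the authors' code or their trained network. The stage taxonomy (benign, reconnaissance, foothold, lateral movement, exfiltration), the four flow features, the flow records themselves and the use of per-stage mean vectors as attention keys in place of learned representations are all assumptions made for the example.

```python
"""Constructed illustration of two steps named in the abstract: building a
per-host attack-stage identification sequence from labelled flows, and
attending flow features over stage representations to obtain a stage
feature vector that is concatenated to that sequence. This is not the
paper's code. The stage taxonomy, the four flow features and the
prototype-based attention keys are assumptions made for this example."""
import math
from collections import defaultdict

# Assumed stage taxonomy; id 0 is benign traffic.
STAGES = {"benign": 0, "reconnaissance": 1, "foothold": 2,
          "lateral_movement": 3, "exfiltration": 4}

# Constructed flow records: (epoch seconds, internal host, stage label,
# [log10 bytes out, log10 bytes in, distinct dst ports, duration s]).
FLOWS = [
    (100,  "10.0.0.5", "reconnaissance",   [1.0, 0.5, 40.0, 2.0]),
    (160,  "10.0.0.5", "reconnaissance",   [1.1, 0.4, 55.0, 3.0]),
    (900,  "10.0.0.5", "foothold",         [2.5, 3.0, 1.0, 30.0]),
    (5000, "10.0.0.5", "lateral_movement", [2.0, 2.0, 3.0, 12.0]),
    (9000, "10.0.0.5", "exfiltration",     [6.2, 1.0, 1.0, 600.0]),
    (120,  "10.0.0.9", "benign",           [2.0, 2.1, 1.0, 5.0]),
    (700,  "10.0.0.9", "reconnaissance",   [1.0, 0.5, 30.0, 2.0]),
]


def build_stage_sequences(flows):
    """Group flows by internal host, order them in time and map each
    flow's stage label to its id. Consecutive repeats of one stage are
    collapsed (an assumption) so the sequence records stage transitions
    rather than flow volume."""
    by_host = defaultdict(list)
    for ts, host, stage, _features in flows:
        by_host[host].append((ts, STAGES[stage]))
    sequences = {}
    for host, items in by_host.items():
        seq = []
        for _ts, stage_id in sorted(items):
            if not seq or seq[-1] != stage_id:
                seq.append(stage_id)
        sequences[host] = seq
    return sequences


def l2_normalise(vec):
    """Unit-length copy of vec, so byte counts and durations on very
    different scales do not dominate the dot products below."""
    norm = math.sqrt(sum(x * x for x in vec)) or 1.0
    return [x / norm for x in vec]


def stage_prototypes(flows):
    """Per-stage key vectors: the mean normalised feature vector of the
    flows labelled with that stage. A trained model would learn these;
    the mean is a stand-in so the example runs without training."""
    sums, counts = defaultdict(lambda: [0.0] * 4), defaultdict(int)
    for _ts, _host, stage, features in flows:
        sid = STAGES[stage]
        for j, x in enumerate(l2_normalise(features)):
            sums[sid][j] += x
        counts[sid] += 1
    return {sid: [x / counts[sid] for x in sums[sid]] for sid in sums}


def softmax(scores):
    peak = max(scores)
    exps = [math.exp(s - peak) for s in scores]
    total = sum(exps)
    return [e / total for e in exps]


def stage_attention(features, prototypes):
    """Scaled dot-product attention of one flow's feature vector (query)
    over the stage prototypes (keys, reused as values). Returns the
    weight per stage id and the weighted prototype, i.e. the stage
    feature vector."""
    query = l2_normalise(features)
    ids = sorted(prototypes)
    scale = math.sqrt(len(query))
    weights = softmax([sum(q * k for q, k in zip(query, prototypes[i])) / scale
                       for i in ids])
    stage_feature = [sum(w * prototypes[i][j] for w, i in zip(weights, ids))
                     for j in range(len(query))]
    return dict(zip(ids, weights)), stage_feature


def detection_input(host, flows):
    """Identification sequence for host, spliced with the stage feature
    vector obtained by attending the host's most recent flow over the
    stage prototypes. The concatenation is what a downstream classifier
    would consume."""
    seq = build_stage_sequences(flows)[host]
    latest = max(f for f in flows if f[1] == host)
    _weights, stage_feature = stage_attention(latest[3], stage_prototypes(flows))
    return seq + stage_feature


if __name__ == "__main__":
    print(build_stage_sequences(FLOWS))
    weights, _ = stage_attention([1.0, 0.5, 40.0, 2.0], stage_prototypes(FLOWS))
    print({sid: round(w, 3) for sid, w in weights.items()})
    print(detection_input("10.0.0.5", FLOWS))
```

Run it directly and a port-scan-like query (few bytes, many destination ports) puts its largest attention weight on the reconnaissance prototype, while the exfiltration-like flow, dominated by duration, leans toward exfiltration and foothold. The point the abstract makes is that this stage feature vector carries information the bare sequence of stage ids does not, which is why it is concatenated rather than used alone; in the paper the attention keys and the classifier are learned, and the generated sequences from the sequence GAN enlarge the per-stage training set before that learning happens.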