Journal of Xidian University ›› 2023, Vol. 50 ›› Issue (5): 107-117. doi: 10.19665/j.issn1001-2400.20221105

• Cyberspace Security •

Cause-effect graph enhanced APT attack detection algorithm

ZHU Guangming1, LU Zijie1, FENG Jiawei2, ZHANG Xiangdong2, ZHANG Fengjun3, NIU Zuoyuan3, ZHANG Liang1

  1. School of Computer Science and Technology, Xidian University, Xi'an 710071, China
  2. School of Telecommunications Engineering, Xidian University, Xi'an 710071, China
  3. The 30th Research Institute of China Electronics Technology Group Corporation, Chengdu 610041, China
  • Received: 2022-09-28  Online: 2023-10-20  Published: 2023-11-21
  • Contact: ZHANG Liang
  • About the authors: ZHU Guangming (born 1987), male, associate professor, E-mail: gmzhu@xidian.edu.cn; LU Zijie (born 1998), male, master's student at Xidian University, E-mail: 21031211705@stu.xidian.edu.cn; FENG Jiawei (born 1998), male, master's student at Xidian University, E-mail: 20011210262@stu.xidian.edu.cn; ZHANG Xiangdong (born 1970), male, associate professor, E-mail: xdchen@mail.xidian.edu.cn; ZHANG Fengjun (born 1975), male, research fellow, E-mail: fjzhang2020@163.com; NIU Zuoyuan (born 1983), male, research fellow, E-mail: niuzuoyuan@163.com
  • Funding: National Key Research and Development Program of China (2020YFF0304900)

Abstract:

With the development of information technology, cyberspace faces an increasing number of security risks and threats. Cyberattacks are becoming more advanced, and the Advanced Persistent Threat (APT) attack is one of the most sophisticated, commonly adopted by modern attackers. Traditional statistical or machine learning detection methods based on network flows struggle to cope with complicated and persistent APT-style attacks. To address the difficulty of detecting APT attacks, a cause-effect graph enhanced APT attack detection algorithm is proposed that mines the interaction process between network nodes at different times and identifies the malicious packets of the attack process in network flows. First, a cause-effect graph is used to model the network packet sequences; the data flows between IP nodes in the network environment are associated to build context sequences of attack and non-attack behavior. Then, the sequence data are normalized and a deep learning model based on the long short-term memory network (LSTM) performs binary sequence classification. Finally, the original packets are screened for malignancy based on the sequence classification results. A new dataset is constructed based on the DAPT 2020 dataset, and the proposed algorithm reaches a ROC-AUC of 0.948 on the test set. Experimental results demonstrate that the attack detection algorithm based on cause-effect graph sequences has clear advantages and is a feasible network-flow-based APT attack detection algorithm.

Key words: network security, anomaly detection, Long Short-Term Memory, network flow context
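As an added illustration (not the paper's code, which is not reproduced on this page), the Python below sketches the three steps of the abstract: linking each packet to the packets its source IP received earlier to form a context sequence, normalizing the sequence, and mapping sequence-level verdicts back onto packets. The causal-link rule, the two features and the sample capture are assumptions of this example, and `classify` is a caller-supplied stand-in for the trained LSTM.

```python
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "ts src dst size")

# Constructed sample capture: addresses, timestamps and sizes are invented,
# not taken from the DAPT 2020 dataset.
PACKETS = [
    Packet(1.0, "10.0.0.5", "10.0.0.1", 60),
    Packet(2.0, "10.0.0.1", "10.0.0.9", 1500),
    Packet(3.5, "10.0.0.9", "10.0.0.2", 900),
    Packet(4.0, "10.0.0.7", "10.0.0.8", 100),
    Packet(5.0, "10.0.0.2", "10.0.0.1", 60),
]

def causal_predecessors(packets):
    """Cause-effect graph as an adjacency map: packet i is linked to every
    earlier packet delivered to i.src (assumed rule: a node's next send is a
    reaction to what it received). Lists are in time order."""
    inbound = defaultdict(list)  # dst IP -> [(ts, idx)], sorted by ts
    for idx, p in sorted(enumerate(packets), key=lambda e: e[1].ts):
        inbound[p.dst].append((p.ts, idx))
    return {i: [j for ts, j in inbound[p.src] if ts < p.ts]
            for i, p in enumerate(packets)}

def context_sequence(packets, preds, i, depth=3):
    """Walk back from packet i along its most recent causal predecessor, at
    most `depth` packets in total; returned oldest-first so a sequence model
    reads it in time order."""
    chain = [i]
    while len(chain) < depth and preds[chain[-1]]:
        chain.append(preds[chain[-1]][-1])  # each hop is strictly earlier
    return chain[::-1]

def normalize(packets, chain):
    """Feature rows (inter-arrival gap, size), scaled to [0, 1] by the
    capture-wide time span and maximum packet size."""
    max_size = max(p.size for p in packets)
    span = (max(p.ts for p in packets) - min(p.ts for p in packets)) or 1.0
    rows, prev_ts = [], packets[chain[0]].ts
    for idx in chain:
        p = packets[idx]
        rows.append(((p.ts - prev_ts) / span, p.size / max_size))
        prev_ts = p.ts
    return rows

def screen_packets(packets, classify, depth=3):
    """Packet-level verdicts from sequence-level verdicts: each packet inherits
    the class of its own context sequence. `classify` stands in for the trained
    LSTM and maps a feature-row list to True (attack) or False (benign)."""
    preds = causal_predecessors(packets)
    return {i: classify(normalize(packets, context_sequence(packets, preds, i, depth)))
            for i in range(len(packets))}
```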

CLC number:

  • TN915.08