因果图增强的APT攻击检测算法

doi:10.19665/j.issn1001-2400.20221105

Abstract

Abstract:

With the development of information technology,the cyberspace also derives an increasing number of security risks and threats.There are more and more advanced cyberattacks,with the Advanced Persistent Threat(APT) attack being one of the most sophisticated attacks and commonly adopted by modern attackers.Traditional statistical or machine learning detection methods based on network flow are challenging in coping with complicated and persistent APT-style attacks.Aiming to overcome the difficulty in detecting APT attacks,a cause-effect graph enhanced APT attack detection algorithm is proposed to model the interaction process between network nodes at different times and identify malicious packets in the attack process in network flows.First,the causal-effect graph is used to model the network packet sequences,and the data flows between IP nodes in the network are associated to establish the context sequence of attack and non-attack behaviors.Then,the sequence data are normalized,and the deep learning model based on the long short-term memory network(LSTM) is used for sequence classification.Finally,based on the sequence classification results,the original packets are screened for malignancy.A new dataset is constructed based on the DAPT 2020 dataset,with the proposed algorithm’s ROC-AUC indicator on the test set reaching 0.948.Experimental results demonstrate that the attack detection algorithm based on causal-effect graph sequences has obvious advantages and is a feasible algorithm for detecting APT attack network flow.

Key words: network security, anomaly detection, Long Short-Term Memory, network flow context

CLC Number:

TN915.08

ZHU Guangming,LU Zijie,FENG Jiawei,ZHANG Xiangdong,ZHANG Fengjun,NIU Zuoyuan,ZHANG Liang. Cause-effectgraph enhanced APT attack detection algorithm[J].Journal of Xidian University, 2023, 50(5): 107-117.

Figures/Tables 12

References 18

[1]	GHAFIR I, PRENOSIL V. Advanced Persistent Threat Attack Detection:An Overview[J]. International Journal of Advancements in Computer Networks and Its Security, 2014, 4(4):5054.
[2]	ALSHAMRANI A, MYNENI S, CHOWDHARY A, et al. A Survey on Advanced Persistent Threats:Techniques,Solutions,Challenges,and Research Opportunities[J]. IEEE Communications Surveys & Tutorials, 2019, 21(2):1851-1877.
[3]	刘奇旭, 王君楠, 尹捷, 等. 对抗机器学习在网络入侵检测领域的应用[J]. 通信学报, 2021, 42(11):1-12. doi: 10.11959/j.issn.1000-436x.2021193
	LIU Qixu, WANG Junnan, YIN Jie, et al. Application of Adversarial Machine Learning in Network Intrusion Detection[J]. Journal on Communications, 2021, 42(11):1-12. doi: 10.11959/j.issn.1000-436x.2021193
[4]	SHARAFALDIN I, LASHKARI A H, GHORBANI A A. A Detailed Analysis of the Cicids2017 Data Set[C]//International Conference on Information Systems Security and Privacy. Berlin:Springer, 2018:172-188.
[5]	LEEVY J L, KHOSHGOFTAAR T M. A Survey and Analysis of Intrusion Detection Models Based on CSE-CIC-IDS 2018 Big Data[J]. Journal of Big Data, 2020, 7(1):1-19. doi: 10.1186/s40537-019-0278-0
[6]	MYNENI S, CHOWDHARY A, SABUR A, et al. DAPT 2020-Constructing a Benchmark Dataset for Advanced Persistent Threats[C]//International Workshop on Deployable Machine Learning for Security Defense. Berlin:Springer, 2020:138-163.
[7]	周杰英, 贺鹏飞, 邱荣发, 等. 融合随机森林和梯度提升树的入侵检测研究[J]. 软件学报, 2021, 32(10):3254-3265.
	ZHOU Jieying, HE Pengfei, QIU Rongfa, et al. Research on Intrusion Detection Based on Random Forest and Gradient Boosting Tree[J]. Journal of Software, 2021, 32(10):3254-3265.
[8]	张兴兰, 尹晟霖. 可变融合的随机注意力胶囊网络入侵检测模型[J]. 通信学报, 2020, 41(11):160-168. doi: 10.11959/j.issn.1000-436x.2020220
	ZHANG Xinglan, YIN Shenglin. Intrusion Detection Model of Random Attention Capsule Network Based on Variable Fusion[J]. Journal of Communication, 2020, 41(11):160-168. doi: 10.11959/j.issn.1000-436x.2020220
[9]	刘景美, 高源伯. 自适应分箱特征选择的快速网络入侵检测系统[J]. 西安电子科技大学学报, 2021, 48(1):176-182.
	LIU Jingmei, GAO Yuanbo. Fast Network Instrusion Detection System Using Adaptive Binning Feature Selection[J]. Journal of Xidian University, 2021, 48(1):176-182.
[10]	ALSAHEEL A, NAN Y, MA S, et al. ATLAS:A Sequence-Based Learning Approach for Attack Investigation[C]//30th USENIX Security Symposium (USENIX Security 21).Berkeley:USENIX, 2021:3005-3022.
[11]	WILKENS F, ORTMANN F, HAAS S, et al. Multi-Stage Attack Detection via Kill Chain State Machines[C]//Proceedings of the 3rd Workshop on Cyber-Security Arms Race. New York: ACM, 2021:13-24.
[12]	MOUSTAFA N, SLAY J. UNSW-NB15:A Comprehensive Data Set for Network Intrusion Detection Systems (UNSW-NB 15 Network Data Set)[C]//2015 Military Communications and Information Systems Conference (MilCIS).Piscataway:IEEE, 2015:1-6.
[13]	DHANABAL L, SHANTHARAJAH S P. A Study on NSL-KDD Dataset for Intrusion Detection System Based on Classification Algorithms[J]. International Journal of Advanced Research in Computer and Communication Engineering, 2015, 4(6):446-452.
[14]	GRIFFITH J, KONG D, CARO A, et al. Scalable Transparency Architecture for Research Collaboration (STARC)-DARPA Transparent Computing (TC) Program[R]. Raytheon BBN Technologies Corp.Cambridge United States, 2020.
[15]	MILAJERDI S M, GJOMEMO R, ESHETE B, et al. Holmes:Real-Time Apt Detection through Correlation of Suspicious Information Flows[C]//2019 IEEE Symposium on Security and Privacy (SP).Piscataway:IEEE, 2019:1137-1152.
[16]	HAN X, PASQUIER T, BATES A, et al. Unicorn:Runtime Provenance-Based Detector for Advanced Persistent Threats (2020)[J/OL].[2020-01-06]. https://arxiv.org/abs/2001.01525v1.
[17]	LI Z, CHENG X, SUN L, et al. A Hierarchical Approach for Advanced Persistent Threat Detection with Attention-Based Graph Neural Networks[J]. Security and Communication Networks, 2021, 2021:1-14.
[18]	DIJK A. Detection of Advanced Persistent Threats Using Artificial Intelligence for Deep Packet Inspection[C]//2021 IEEE International Conference on Big Data.Piscataway:IEEE, 2021:2092-2097.

源IP地址	源端口	目的IP地址	目的端口	协议	时间戳	活动	阶段
206.207.50.50	40716	192.168.3.29	9000	6	16/07/2019 13:18:48	网络扫描	侦察
206.207.50.50	39766	192.168.3.29	9002	6	17/07/2019 14:45:40	账号破解	建立立足点
192.168.3.29	47916	192.168.3.34	4444	6	18/07/2019 20:05:14	后门	横向移动
192.168.3.34	46705	192.168.3.30	445	6	18/07/2019 21:31:58	SQL注入	横向移动
192.168.3.30	54776	206.207.50.50	4444	6	19/07/2019 22:21:43	数据渗出	数据泄露

时间	高级持续性威胁攻击阶段	技术
第1天,8:00AM-6:00PM	良性
第2天,8:00AM-6:00PM	侦察	网络扫描
		应用扫描
		账号破解
第3天,8:00AM-6:00PM	建立立足点	SQL注入
		目录破解
		跨站请求伪造
		恶意软件下载
		命令注入
		反向Shell
第4天,8:00AM-6:00PM	横向移动	内部扫描
		密码抓取
		凭证窃取
		账号发现
		用户账号创建
		特权提升
第5天,8:00AM-6:00PM	数据泄露	数据渗出

数据标签	合并前	合并后
良性	27 946	17 717
侦察	11 865	46
建立立足点	8 604	86
横向移动	237	68
数据泄露	15	14

模型参数	值
小批量样本数量(batch size)	128
卷积层卷积核大小	2
卷积层卷积核数量	256
池化层大小	2
训练代数(epoch)	20
循环神经网络类型	LSTM/GRU/RNN
循环神经网络层输出大小	256

数据处理方式	ROC-AUC			PR-AUC
数据处理方式	LSTM	GRU	RNN	LSTM	GRU	RNN
归一化、取最大值	0.948	0.903	0.809	0.531	0.514	0.439
未归一化、取最大值	0.880	0.831	0.738	0.530	0.477	0.400
归一化、取平均值	0.894	0.883	0.829	0.507	0.511	0.344
未归一化、取平均值	0.847	0.865	0.795	0.415	0.358	0.298

Cause-effectgraph enhanced APT attack detection algorithm

RichHTML

PDF (PC)

Like

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 12

References 18

Related Articles 15

Metrics

Comments

Recommended 10

算法	ROC-AUC	PR-AUC
LSTM-SAE^[6]	0.484	0.062
Seq-LSTM^[6]	0.727	0.203
CGSeq-LSTM(文中算法)	0.948	0.531

[1]	DENG Yingchuan,ZHANG Tong,LIU Weijie,WANG Lina. COLLATE:towards the integrity of control-related data [J]. Journal of Xidian University, 2023, 50(5): 199-211.
[2]	LI Haiyang,GUO Jingjing,LIU Jiuzun,LIU Zhiquan. Privacy preserving byzantine robust federated learning algorithm [J]. Journal of Xidian University, 2023, 50(4): 121-131.
[3]	GU Zhaojun,LIU Tingting,SUI He. Latent feature reconstruction generative GAN model for ICS anomaly detection [J]. Journal of Xidian University, 2022, 49(2): 173-181.
[4]	LIU Huayuan,SU Yunfei,LI Ruilin,TANG Chaojing. Structure-statebased graybox Fuzzing technique [J]. Journal of Xidian University, 2021, 48(1): 117-123.
[5]	LI Teng,CAO Shijie,YIN Siwei,WEI Dawei,MA Xindi,MA Jianfeng. Optimal method for the generation of the attack path based on the Q-learning decision [J]. Journal of Xidian University, 2021, 48(1): 160-167.
[6]	YANG Hongyu,ZENG Renyun. Method for assessment of network security situation with deep learning [J]. Journal of Xidian University, 2021, 48(1): 183-190.
[7]	YANG Hongyu,ZHANG Xugao. Network security situation adaptive prediction model [J]. Journal of Xidian University, 2020, 47(3): 14-22.
[8]	JIANG Shaobin,DU Chun,CHEN Hao,LI Jun,WU Jiangjiang. Unsupervised adversarial learning method for hard disk failure prediction [J]. Journal of Xidian University, 2020, 47(2): 118-125.
[9]	ZHANG Zhiyuan,DIAO Yinghua. Pedestrian trajectory prediction model with social features and attention [J]. Journal of Xidian University, 2020, 47(1): 10-17.
[10]	HU Mengxiao,LU Wang,XU Can,LAI Jiazhe. Satellite RCS anomaly detection using the GRU model [J]. Journal of Xidian University, 2019, 46(6): 125-130.
[11]	XU Bin,CHEN Bo,LIU Jiaqi,WANG Penghui,LIU Hongwei. Radar HRRP target recognition by the bidirectional LSTM model [J]. Journal of Xidian University, 2019, 46(2): 29-34.
[12]	YANG Baowang. Low-rate-denial-of-service attack detection by symbolic dynamics method [J]. Journal of Xidian University, 2018, 45(1): 140-144.
[13]	LIANG Hongquan;WU Wei. Secure link status routing protocol based on node trustworthiness [J]. Journal of Xidian University, 2016, 43(5): 121-127.
[14]	WANG Jindong;YU Dingkun;ZHANG Hengwei;WANG Na. Active defense strategy selection based on the static Bayesian game [J]. J4, 2016, 43(1): 144-150.
[15]	WANG Zhiqiang;ZHANG Yuqing;LIU Qixu;HUANG Tingpei. Algorithm for discovering SNMP protocol vulnerability [J]. J4, 2015, 42(4): 20-26+40.