1. School of Computer Science and Technology, Xidian University, Xi'an 710071, Shaanxi, China
2. School of Telecommunications Engineering, Xidian University, Xi'an 710071, Shaanxi, China
3. The 30th Research Institute of China Electronics Technology Group Corporation, Chengdu 610041, Sichuan, China
ZHU Guangming (b. 1987), male, associate professor, E-mail: [email protected];
LU Zijie (b. 1998), male, master's student at Xidian University, E-mail: [email protected];
FENG Jiawei (b. 1998), male, master's student at Xidian University, E-mail: [email protected];
ZHANG Xiangdong (b. 1970), male, associate professor, E-mail: [email protected];
ZHANG Fengjun (b. 1975), male, research fellow, E-mail: [email protected];
NIU Zuoyuan (b. 1983), male, research fellow, E-mail: [email protected];
ZHANG Liang (b. 1981), male, professor, E-mail: [email protected]
ZHU Guangming, LU Zijie, FENG Jiawei, et al. Cause-Effect Graph Enhanced APT Attack Detection Algorithm [J]. Journal of Xidian University, 2023, 50(5): 107-117. DOI: 10.19665/j.issn1001-2400.20221105.
With the development of information technology, cyberspace faces an increasing number of security risks and threats. Cyberattacks are becoming more advanced, and the Advanced Persistent Threat (APT) attack is one of the most sophisticated, commonly adopted by modern attackers. Traditional statistical or machine learning detection methods based on network flow struggle to cope with complex and persistent APT attacks. To address the difficulty of detecting APT attacks, a cause-effect graph enhanced APT attack detection algorithm is proposed that mines the interaction process between network nodes at different times and identifies the malicious packets of an attack process in network flows. First, a cause-effect graph is used to model the network packet sequence, associating the data flows between IP nodes in the network environment to build context sequences of attack and non-attack behavior. Then, the sequence data are normalized and a deep learning model based on the long short-term memory (LSTM) network performs binary sequence classification. Finally, the original packets are screened for maliciousness based on the sequence classification results. A new dataset is constructed from the DAPT 2020 dataset, on whose test set the proposed algorithm reaches an area under the receiver operating characteristic curve (ROC-AUC) of 0.948. Experimental results show that the attack detection algorithm based on cause-effect graph sequences has a clear advantage and is a feasible network-flow-based APT attack detection algorithm.
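The pipeline the abstract describes (per-node context sequences from a cause-effect graph, normalization, sequence-level classification, then mapping verdicts back to packets), as an added Python illustration that is not the paper's code: the graph form (one time-ordered chain per IP node), the window cutting, the feature scaling and the back-mapping rule are assumptions, a SYN-density rule stands in for the paper's LSTM, and the packet records are constructed.

```python
# Added illustration of the abstract's pipeline, not the paper's code. Assumed: a packet
# links to the previous packet on the same IP, chains are windowed, SYN density stands in for the LSTM.
from collections import defaultdict, namedtuple

# constructed per-packet record: size in bytes, syn_only = 1 if only the TCP SYN flag is set
Packet = namedtuple("Packet", "pid ts src dst size syn_only")

def build_context_chains(packets):
    """Cause-effect graph (assumed form): each IP node owns the time-ordered chain
    of packets it sent or received, i.e. that node's interaction context."""
    chains = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        chains[p.src].append(p)
        chains[p.dst].append(p)
    return dict(chains)

def windows(chain, width, stride):
    """Overlapping windows over a chain; a tail window keeps the last packets covered."""
    out = [chain[i:i + width] for i in range(0, max(1, len(chain) - width + 1), stride)]
    if out[-1][-1] != chain[-1]:
        out.append(chain[-width:])
    return out

def normalize(window):
    """Per-packet features: inter-arrival gap and size, min-max scaled inside the
    window, plus the raw SYN-only indicator."""
    gaps = [0.0] + [b.ts - a.ts for a, b in zip(window, window[1:])]
    def scale(col):
        lo, hi = min(col), max(col)
        return [(v - lo) / (hi - lo) if hi > lo else 0.0 for v in col]
    return list(zip(scale(gaps), scale([p.size for p in window]), [p.syn_only for p in window]))

def syn_density(rows):  # stand-in for the LSTM: share of SYN-only packets in the window
    return sum(r[2] for r in rows) / len(rows)

def screen_packets(packets, score_window=syn_density, width=3, stride=2, thr=0.5):
    """Map window verdicts back to packets: a packet is flagged when the mean score of
    every window containing it reaches thr (assumed aggregation rule)."""
    votes = defaultdict(list)
    for chain in build_context_chains(packets).values():
        for w in windows(chain, width, stride):
            s = score_window(normalize(w))
            for p in w:
                votes[p.pid].append(s)
    return {pid: sum(v) / len(v) >= thr for pid, v in votes.items()}

SAMPLE = [  # constructed: 10.0.0.5 fires bare SYNs at 10.0.0.9; 10.0.0.7 and .8 exchange data
    Packet(1, 0.00, "10.0.0.5", "10.0.0.9", 0, 1), Packet(2, 0.01, "10.0.0.5", "10.0.0.9", 0, 1),
    Packet(3, 0.02, "10.0.0.5", "10.0.0.9", 0, 1), Packet(4, 0.03, "10.0.0.5", "10.0.0.9", 0, 1),
    Packet(5, 0.05, "10.0.0.7", "10.0.0.8", 512, 0), Packet(6, 0.30, "10.0.0.8", "10.0.0.7", 1400, 0),
    Packet(7, 0.55, "10.0.0.7", "10.0.0.8", 64, 0),
]
```

Because a packet sits in the chains of both its endpoints and in every window that overlaps it, `screen_packets(SAMPLE)` flags packets 1 to 4 and clears 5 to 7; swapping `syn_density` for a trained sequence model keeps the rest of the pipeline unchanged.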
Keywords: network security; anomaly detection; Long Short-Term Memory; network flow context