Construction of advanced persistent threat attack detection model based on provenance graph and attention mechanism

Cited by: 0
Authors
Li Y. [1]
Luo H. [1]
Wang X. [1]
Yuan J. [1]
Affiliations
[1] School of Control and Computer Engineering, North China Electric Power University, Beijing
Keywords
APT attack detection; attention mechanism; natural language processing; provenance graph
DOI
10.11959/j.issn.1000-436x.2024039
Abstract
Existing attack detection methods struggle with advanced persistent threats (APT), whose campaigns last longer and rely on complex, covert attack techniques. To address this, an APT attack detection model based on attention mechanisms and provenance graphs was proposed. First, provenance graphs describing system behavior were constructed from system audit logs. Then, an optimization algorithm was designed to reduce the scale of the provenance graphs without sacrificing key semantics. Next, a deep neural network (DNN) was used to convert the original attack sequence into a semantically enhanced feature-vector sequence. Finally, an APT attack detection model named DAGCN was designed, in which an attention mechanism was applied to the provenance graph sequence. By assigning different weights to different positions in the input sequence and computing over those weights, the model extracts sequence features of sustained attacks over a longer period of time, which allows it to identify malicious nodes effectively and reconstruct the attack process. The proposed model outperforms existing models in recognition accuracy and other metrics. Experimental results on public APT attack datasets show that, compared with existing APT attack detection models, the proposed model reaches an accuracy of 93.18% in APT attack detection. © 2024 Editorial Board of Journal on Communications. All rights reserved.
Pages: 117-130
Page count: 13