因果图增强的APT攻击检测算法

doi:10.19665/j.issn1001-2400.20221105

摘要/Abstract

摘要：

随着信息技术的发展,网络空间也面临着越来越多的安全风险和威胁。网络攻击越来越高级,高级持续性威胁(APT)攻击是最复杂的攻击之一,被现代攻击者普遍采用。传统的基于网络流的统计或机器学习检测方法难以应对复杂且持续的高级持续性威胁攻击。针对高级持续性威胁攻击检测难的问题,提出一种因果图增强的高级持续性威胁攻击检测算法,挖掘网络节点在不同时刻的网络交互过程,用于甄别网络流中攻击过程的恶性数据包。首先,利用因果图对网络数据包序列进行建模,将网络环境的互联网协议(IP)节点之间的数据流关联起来,建立攻击和非攻击行为的上下文序列;然后,将序列数据归一化,使用基于长短期记忆网络的深度学习模型进行序列二分类;最后,基于序列分类结果对原数据包进行恶性甄别。基于DAPT 2020数据集构建了一个新的数据集,所提算法在测试集上的受试者工作特征曲线的曲线下面积(ROC-AUC)指标可达0.948。实验结果表明,基于因果图序列的攻击检测算法具有较显著的优势,是一种可行的基于网络流的高级持续性威胁攻击检测算法。

关键词: 网络安全, 异常检测, 长短期记忆网络, 网络流上下文

Abstract:

With the development of information technology,the cyberspace also derives an increasing number of security risks and threats.There are more and more advanced cyberattacks,with the Advanced Persistent Threat(APT) attack being one of the most sophisticated attacks and commonly adopted by modern attackers.Traditional statistical or machine learning detection methods based on network flow are challenging in coping with complicated and persistent APT-style attacks.Aiming to overcome the difficulty in detecting APT attacks,a cause-effect graph enhanced APT attack detection algorithm is proposed to model the interaction process between network nodes at different times and identify malicious packets in the attack process in network flows.First,the causal-effect graph is used to model the network packet sequences,and the data flows between IP nodes in the network are associated to establish the context sequence of attack and non-attack behaviors.Then,the sequence data are normalized,and the deep learning model based on the long short-term memory network(LSTM) is used for sequence classification.Finally,based on the sequence classification results,the original packets are screened for malignancy.A new dataset is constructed based on the DAPT 2020 dataset,with the proposed algorithm’s ROC-AUC indicator on the test set reaching 0.948.Experimental results demonstrate that the attack detection algorithm based on causal-effect graph sequences has obvious advantages and is a feasible algorithm for detecting APT attack network flow.

Key words: network security, anomaly detection, Long Short-Term Memory, network flow context

中图分类号:

TN915.08

朱光明,卢梓杰,冯家伟,张向东,张锋军,牛作元,张亮. 因果图增强的APT攻击检测算法[J]. 西安电子科技大学学报, 2023, 50(5): 107-117.

ZHU Guangming,LU Zijie,FENG Jiawei,ZHANG Xiangdong,ZHANG Fengjun,NIU Zuoyuan,ZHANG Liang. Cause-effectgraph enhanced APT attack detection algorithm[J]. Journal of Xidian University, 2023, 50(5): 107-117.

图/表 12

图1

图2

表1

图3

表2

表3

表4

图4

表5

图5

图6

表6

参考文献 18

[1]	GHAFIR I, PRENOSIL V. Advanced Persistent Threat Attack Detection:An Overview[J]. International Journal of Advancements in Computer Networks and Its Security, 2014, 4(4):5054.
[2]	ALSHAMRANI A, MYNENI S, CHOWDHARY A, et al. A Survey on Advanced Persistent Threats:Techniques,Solutions,Challenges,and Research Opportunities[J]. IEEE Communications Surveys & Tutorials, 2019, 21(2):1851-1877.
[3]	刘奇旭, 王君楠, 尹捷, 等. 对抗机器学习在网络入侵检测领域的应用[J]. 通信学报, 2021, 42(11):1-12. doi: 10.11959/j.issn.1000-436x.2021193
	LIU Qixu, WANG Junnan, YIN Jie, et al. Application of Adversarial Machine Learning in Network Intrusion Detection[J]. Journal on Communications, 2021, 42(11):1-12. doi: 10.11959/j.issn.1000-436x.2021193
[4]	SHARAFALDIN I, LASHKARI A H, GHORBANI A A. A Detailed Analysis of the Cicids2017 Data Set[C]//International Conference on Information Systems Security and Privacy. Berlin:Springer, 2018:172-188.
[5]	LEEVY J L, KHOSHGOFTAAR T M. A Survey and Analysis of Intrusion Detection Models Based on CSE-CIC-IDS 2018 Big Data[J]. Journal of Big Data, 2020, 7(1):1-19. doi: 10.1186/s40537-019-0278-0
[6]	MYNENI S, CHOWDHARY A, SABUR A, et al. DAPT 2020-Constructing a Benchmark Dataset for Advanced Persistent Threats[C]//International Workshop on Deployable Machine Learning for Security Defense. Berlin:Springer, 2020:138-163.
[7]	周杰英, 贺鹏飞, 邱荣发, 等. 融合随机森林和梯度提升树的入侵检测研究[J]. 软件学报, 2021, 32(10):3254-3265.
	ZHOU Jieying, HE Pengfei, QIU Rongfa, et al. Research on Intrusion Detection Based on Random Forest and Gradient Boosting Tree[J]. Journal of Software, 2021, 32(10):3254-3265.
[8]	张兴兰, 尹晟霖. 可变融合的随机注意力胶囊网络入侵检测模型[J]. 通信学报, 2020, 41(11):160-168. doi: 10.11959/j.issn.1000-436x.2020220
	ZHANG Xinglan, YIN Shenglin. Intrusion Detection Model of Random Attention Capsule Network Based on Variable Fusion[J]. Journal of Communication, 2020, 41(11):160-168. doi: 10.11959/j.issn.1000-436x.2020220
[9]	刘景美, 高源伯. 自适应分箱特征选择的快速网络入侵检测系统[J]. 西安电子科技大学学报, 2021, 48(1):176-182.
	LIU Jingmei, GAO Yuanbo. Fast Network Instrusion Detection System Using Adaptive Binning Feature Selection[J]. Journal of Xidian University, 2021, 48(1):176-182.
[10]	ALSAHEEL A, NAN Y, MA S, et al. ATLAS:A Sequence-Based Learning Approach for Attack Investigation[C]//30th USENIX Security Symposium (USENIX Security 21).Berkeley:USENIX, 2021:3005-3022.
[11]	WILKENS F, ORTMANN F, HAAS S, et al. Multi-Stage Attack Detection via Kill Chain State Machines[C]//Proceedings of the 3rd Workshop on Cyber-Security Arms Race. New York: ACM, 2021:13-24.
[12]	MOUSTAFA N, SLAY J. UNSW-NB15:A Comprehensive Data Set for Network Intrusion Detection Systems (UNSW-NB 15 Network Data Set)[C]//2015 Military Communications and Information Systems Conference (MilCIS).Piscataway:IEEE, 2015:1-6.
[13]	DHANABAL L, SHANTHARAJAH S P. A Study on NSL-KDD Dataset for Intrusion Detection System Based on Classification Algorithms[J]. International Journal of Advanced Research in Computer and Communication Engineering, 2015, 4(6):446-452.
[14]	GRIFFITH J, KONG D, CARO A, et al. Scalable Transparency Architecture for Research Collaboration (STARC)-DARPA Transparent Computing (TC) Program[R]. Raytheon BBN Technologies Corp.Cambridge United States, 2020.
[15]	MILAJERDI S M, GJOMEMO R, ESHETE B, et al. Holmes:Real-Time Apt Detection through Correlation of Suspicious Information Flows[C]//2019 IEEE Symposium on Security and Privacy (SP).Piscataway:IEEE, 2019:1137-1152.
[16]	HAN X, PASQUIER T, BATES A, et al. Unicorn:Runtime Provenance-Based Detector for Advanced Persistent Threats (2020)[J/OL].[2020-01-06]. https://arxiv.org/abs/2001.01525v1.
[17]	LI Z, CHENG X, SUN L, et al. A Hierarchical Approach for Advanced Persistent Threat Detection with Attention-Based Graph Neural Networks[J]. Security and Communication Networks, 2021, 2021:1-14.
[18]	DIJK A. Detection of Advanced Persistent Threats Using Artificial Intelligence for Deep Packet Inspection[C]//2021 IEEE International Conference on Big Data.Piscataway:IEEE, 2021:2092-2097.

源IP地址	源端口	目的IP地址	目的端口	协议	时间戳	活动	阶段
206.207.50.50	40716	192.168.3.29	9000	6	16/07/2019 13:18:48	网络扫描	侦察
206.207.50.50	39766	192.168.3.29	9002	6	17/07/2019 14:45:40	账号破解	建立立足点
192.168.3.29	47916	192.168.3.34	4444	6	18/07/2019 20:05:14	后门	横向移动
192.168.3.34	46705	192.168.3.30	445	6	18/07/2019 21:31:58	SQL注入	横向移动
192.168.3.30	54776	206.207.50.50	4444	6	19/07/2019 22:21:43	数据渗出	数据泄露

时间	高级持续性威胁攻击阶段	技术
第1天,8:00AM-6:00PM	良性
第2天,8:00AM-6:00PM	侦察	网络扫描
		应用扫描
		账号破解
第3天,8:00AM-6:00PM	建立立足点	SQL注入
		目录破解
		跨站请求伪造
		恶意软件下载
		命令注入
		反向Shell
第4天,8:00AM-6:00PM	横向移动	内部扫描
		密码抓取
		凭证窃取
		账号发现
		用户账号创建
		特权提升
第5天,8:00AM-6:00PM	数据泄露	数据渗出

数据标签	合并前	合并后
良性	27 946	17 717
侦察	11 865	46
建立立足点	8 604	86
横向移动	237	68
数据泄露	15	14

模型参数	值
小批量样本数量(batch size)	128
卷积层卷积核大小	2
卷积层卷积核数量	256
池化层大小	2
训练代数(epoch)	20
循环神经网络类型	LSTM/GRU/RNN
循环神经网络层输出大小	256

数据处理方式	ROC-AUC			PR-AUC
数据处理方式	LSTM	GRU	RNN	LSTM	GRU	RNN
归一化、取最大值	0.948	0.903	0.809	0.531	0.514	0.439
未归一化、取最大值	0.880	0.831	0.738	0.530	0.477	0.400
归一化、取平均值	0.894	0.883	0.829	0.507	0.511	0.344
未归一化、取平均值	0.847	0.865	0.795	0.415	0.358	0.298