Abstract
With the development of information technology, cyberspace faces an increasing number of security risks and threats. Cyberattacks are becoming more advanced, and the Advanced Persistent Threat (APT) attack is one of the most sophisticated of them, widely adopted by modern attackers. Traditional statistical or machine-learning detection methods based on network flows struggle to cope with complex and persistent APT attacks. To address the difficulty of detecting APT attacks, a causal-graph-enhanced APT attack detection algorithm is proposed that mines the interaction process between network nodes at different times in order to identify the malicious packets of an attack process within network flows. First, a causal graph is used to model the network packet sequence, associating the data flows between Internet Protocol (IP) nodes in the network environment to build context sequences of attack and non-attack behaviour. Then, the sequence data are normalized and a deep learning model based on the long short-term memory (LSTM) network performs binary sequence classification. Finally, the original packets are screened for maliciousness based on the sequence classification results. A new dataset is constructed on the basis of the DAPT 2020 dataset, and the proposed algorithm reaches an area under the receiver operating characteristic curve (ROC-AUC) of 0.948 on the test set. The experimental results show that the attack detection algorithm based on causal-graph sequences has a significant advantage and is a feasible network-flow-based APT attack detection algorithm.
Authors
ZHU Guangming (朱光明), LU Zijie (卢梓杰), FENG Jiawei (冯家伟), ZHANG Xiangdong (张向东), ZHANG Fengjun (张锋军), NIU Zuoyuan (牛作元), ZHANG Liang (张亮)
Affiliations: School of Computer Science and Technology, Xidian University, Xi'an 710071, China; School of Telecommunications Engineering, Xidian University, Xi'an 710071, China; The 30th Research Institute of China Electronics Technology Group Corporation, Chengdu 610041, China
Source
Journal of Xidian University (西安电子科技大学学报), 2023, Issue 5, pp. 107-117 (11 pages)
Indexed in: EI, CAS, CSCD, Peking University Core Journals (北大核心)
Funding
National Key Research and Development Program of China (2020YFF0304900).
Keywords
network security; anomaly detection; long short-term memory network; network flow context