Abstract
Existing attack detection methods struggle with advanced persistent threats (APTs), whose attacks last a long time and use complex, covert techniques. To address this, an APT attack detection model based on an attention mechanism and provenance graphs is constructed. First, a provenance graph describing system behavior is built from the system's audit logs. Second, an optimization algorithm is designed to reduce the scale of the provenance graph without sacrificing key semantics. Third, a deep neural network (DNN) converts the original attack sequence into a semantically enhanced sequence of feature vectors. Finally, the APT attack detection model DAGCN is designed and implemented: it applies an attention mechanism to the provenance-graph sequence, assigning different weights to different positions of the input sequence and computing weighted representations, so that the sequential features of attacks sustained over a long period can be extracted; this allows malicious nodes to be identified effectively and the attack process to be reconstructed. The model outperforms existing models on precision and several other metrics; experiments on public APT attack datasets show that its precision in APT attack detection reaches 93.18%, better than current mainstream detection models.
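As an added illustration (not the paper's DAGCN implementation, which the abstract does not describe in code), the following Python builds a provenance graph from a few constructed audit events and applies one possible semantics-preserving reduction: edges with the same subject, operation and object are merged into a single edge that keeps the event count and time span, so repeated writes are not lost. The event format, the merge rule and the backward trace used to reconstruct an attack path are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample audit events as (timestamp, subject, operation, object);
# the curl process repeatedly writes one file that a later shell reads.
SAMPLE_EVENTS = [
    (1, "proc:bash", "exec", "proc:curl"),
    (2, "proc:curl", "connect", "net:203.0.113.7:443"),
    (3, "proc:curl", "write", "file:/tmp/payload"),
    (4, "proc:curl", "write", "file:/tmp/payload"),
    (5, "proc:curl", "write", "file:/tmp/payload"),
    (6, "proc:bash", "exec", "proc:sh"),
    (7, "proc:sh", "read", "file:/tmp/payload"),
    (8, "proc:sh", "read", "file:/etc/passwd"),
]

def build_graph(events):
    """Return (nodes, edges) with one edge per audit event: (src, op, dst, ts)."""
    nodes, edges = set(), []
    for ts, subj, op, obj in events:
        nodes.update((subj, obj))
        edges.append((subj, op, obj, ts))
    return nodes, edges

def reduce_graph(edges):
    """Merge edges sharing (src, op, dst) into one: value is (count, first_ts, last_ts)."""
    merged = {}
    for src, op, dst, ts in edges:
        key = (src, op, dst)
        cnt, first, last = merged.get(key, (0, ts, ts))
        merged[key] = (cnt + 1, min(first, ts), max(last, ts))
    return merged

def event_sequence(merged):
    """Order reduced edges by first occurrence: the sequence a detector would consume."""
    return sorted(merged.items(), key=lambda kv: kv[1][1])

def backward_trace(merged, sink):
    """Return every node with a path into `sink` (provenance of a suspicious object)."""
    preds = defaultdict(set)
    for src, _, dst in merged:
        preds[dst].add(src)
    seen, stack = set(), [sink]
    while stack:
        for p in preds[stack.pop()] - seen:
            seen.add(p)
            stack.append(p)
    return seen
```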
Authors
LI Yuancheng (李元诚), LUO Hao (罗昊), WANG Xinyu (王欣煜), YUAN Jiexuan (原洁璇); School of Control and Computer Engineering, North China Electric Power University, Beijing 102206, China
Source
Journal on Communications (通信学报), 2024, No. 3, pp. 117-130 (14 pages). Indexed in EI, CSCD and the Peking University Core Journals list (北大核心).
Keywords
provenance graph; natural language processing; APT attack detection; attention mechanism