
Research On Multi-stage Attack Detection Method Based On Deep Learning

Posted on: 2022-09-16
Degree: Master
Type: Thesis
Country: China
Candidate: G Y Zhou
Full Text: PDF
GTID: 2518306722952159
Subject: Pattern Recognition and Intelligent Systems

Abstract/Summary:
With the accelerating pace of global informatization, more and more industrial facilities have begun to connect to the Internet in order to use its connectivity to improve production efficiency. This has also exposed originally closed network systems to the Internet, which makes illegal intrusion easier and increases the difficulty of network security management. To reduce the harm that illegal intrusions cause to facility networks, protective measures such as firewalls and intrusion detection systems have been widely deployed, and intrusion detection systems have become an indispensable part of the network protection system. With the continuous development of intrusion detection technology, the traditional single-stage attack has become difficult to carry out against target network facilities. To successfully intrude into a target network, attackers have moved from single-stage attacks to more complex multi-stage attacks. In a multi-stage attack, the attacker divides an intrusion into several stages and mixes in data unrelated to the attack to disguise its purpose and confuse the detector, which increases the difficulty of detection. In addition, the attacker may deliberately increase the interval between attack stages so that the detector cannot find the correlation between them, which poses a major challenge for intrusion detection technology.

Existing multi-stage attack detection techniques are mostly researched from two directions: customizing association rules, or using statistical learning methods. Rule-based methods require manual customization of rules and have difficulty processing large-scale traffic data efficiently, while detection methods based on statistical learning have difficulty capturing the long-term dependencies between different attack stages. This thesis applies deep learning from the two perspectives of unsupervised learning and supervised learning. First, an unsupervised multi-stage attack detection method based on alert semantic embedding is proposed; then supervised multi-stage attack detection methods based on a long short-term memory (LSTM) network and on a sequence-to-sequence model are proposed respectively. Specifically, the research work of this thesis is summarized as follows:

(1) An unsupervised multi-stage attack detection method based on the semantic embedding of alerts is proposed. The semantic representation vector of each alert is obtained using the representation ability of the word embedding model from deep learning. A clustering algorithm then divides the alerts into clusters according to their semantics, a local outlier detection algorithm and a Markov model compute the alert anomaly probability and the alert sequence anomaly probability respectively, and finally the 3σ statistical rule is used to perform anomaly detection of multi-stage attacks. Experiments in different attack scenarios show that the proposed method can effectively identify alert sequences containing multi-stage attacks.

(2) A supervised multi-stage attack detection method based on a long short-term memory network is proposed. It overcomes two problems: the unsupervised detection method based on alert semantic embedding cannot identify specific attack stages, and existing detection methods based on statistical learning have difficulty modeling the long-term dependence between attack stages. The multi-stage attack is treated as long-term memory; a gating mechanism determines the relationship between alerts and the attack, adds alert information related to the attack to the long-term memory, and removes irrelevant alert information from the memory, thereby capturing the long-term dependence of multi-stage attacks. To verify the proposed method, this thesis conducts experiments in three different multi-stage attack scenarios. The results show that the proposed method detects multi-stage attacks better than the hidden Markov model.

(3) A supervised multi-stage attack detection method based on a sequence-to-sequence model is proposed. It uses an end-to-end detection structure that makes full use of alert information and existing attack stage information for multi-stage attack detection, with long short-term memory networks as the encoder and decoder respectively: the encoder learns from the input alert sequence, and the decoder generates the most probable attack stage sequence step by step from the encoded alert information and the attack stage information. At the same time, a multi-encoder structure is proposed to further address the degradation of detection performance caused by long alert sequences. Experiments in three different multi-stage attack scenarios show that the proposed method detects multi-stage attacks more effectively.
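The unsupervised method in (1) scores each alert sequence with a Markov model and then applies the 3σ rule to the scores. The following added example, written for this page and not taken from the thesis, illustrates that last part of the pipeline: it assumes the word-embedding and clustering steps have already mapped each alert to a cluster label (the constructed labels such as `login_ok` and `file_access` stand in for those clusters, and the local outlier step on individual alerts is omitted). A Laplace-smoothed first-order Markov model is fitted on benign sequences, each sequence is scored by its mean negative log-likelihood per transition, the threshold is mean + 3σ of the benign scores, and a constructed multi-stage sequence with unseen stages is flagged.

```python
"""Alert-sequence anomaly scoring: first-order Markov model plus the 3-sigma rule.

Added illustration; the cluster labels, sequences and thresholds below are
constructed for this example and are not the thesis's data or code.
"""
import math
from collections import Counter, defaultdict

START, UNK = "<S>", "<UNK>"   # virtual start state; bucket for never-seen cluster labels


def train_markov(sequences, alpha=1.0):
    """Fit a Laplace-smoothed first-order Markov model over alert cluster labels."""
    counts = defaultdict(Counter)          # counts[prev][cur] = transition count
    states = {START, UNK}
    for seq in sequences:
        prev = START
        for label in seq:
            counts[prev][label] += 1
            states.add(label)
            prev = label
    return {"counts": counts, "states": states, "alpha": alpha}


def transition_nll(model, prev, cur):
    """Negative log probability of prev -> cur; unknown labels map to UNK."""
    states, alpha = model["states"], model["alpha"]
    prev = prev if prev in states else UNK
    cur = cur if cur in states else UNK
    row = model["counts"].get(prev, Counter())
    total = sum(row.values())
    prob = (row[cur] + alpha) / (total + alpha * len(states))
    return -math.log(prob)


def score_sequence(model, seq):
    """Mean negative log-likelihood per transition; higher means more anomalous.
    Normalising by length keeps long benign sessions from looking anomalous."""
    prev, nlls = START, []
    for label in seq:
        nlls.append(transition_nll(model, prev, label))
        prev = label
    return sum(nlls) / len(nlls)


def three_sigma_threshold(scores):
    """Upper 3-sigma bound of the baseline scores (population std)."""
    n = len(scores)
    mean = sum(scores) / n
    std = math.sqrt(sum((s - mean) ** 2 for s in scores) / n)
    return mean + 3 * std


def build_detector(benign_sequences):
    """Fit the model and derive the 3-sigma threshold from the benign baseline."""
    model = train_markov(benign_sequences)
    baseline = [score_sequence(model, s) for s in benign_sequences]
    return model, three_sigma_threshold(baseline)


def is_anomalous(model, threshold, seq):
    return score_sequence(model, seq) > threshold


# Constructed benign baseline: ordinary login / file-access sessions.
BENIGN_SEQUENCES = [
    ["login_ok", "file_access", "logout"],
    ["login_ok", "file_access", "file_access", "logout"],
    ["login_fail", "login_ok", "file_access", "logout"],
    ["login_ok", "file_access", "logout"],
    ["login_ok", "logout"],
    ["login_fail", "login_ok", "file_access", "file_access", "logout"],
]

# Constructed multi-stage sequence: unseen stages and repeated failures
# interleaved with ordinary alerts.
ATTACK_SEQUENCE = ["scan", "login_fail", "login_fail", "login_fail",
                   "login_ok", "priv_esc", "exfil"]

if __name__ == "__main__":
    model, thr = build_detector(BENIGN_SEQUENCES)
    print(f"threshold = {thr:.3f}")
    for seq in (BENIGN_SEQUENCES[0], ATTACK_SEQUENCE):
        print(f"{score_sequence(model, seq):.3f}",
              "ANOMALY" if is_anomalous(model, thr, seq) else "normal", seq)
```

The smoothing constant `alpha` matters in practice: with no smoothing, a single unseen transition gives probability zero and every sequence containing it scores infinitely high, so a noisy benign label would trip the detector; with smoothing, unseen transitions are merely expensive, and several of them are needed to push a sequence past the 3σ bound.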
Keywords/Search Tags:Multi-stage attack, Intrusion detection, Word embedding, Long-short term memory network, Sequence to sequence model