| Advanced Persistent Threats(APTs)possess characteristics of targeting,stealthiness,and persistence.They are typically aimed at stealing confidential information,obtaining substantial political or economic benefits,and either residing in systems for an extended period or disrupting critical infrastructure.Particularly targeting government,defense,and military sectors,APTs pose a severe threat to cybersecurity and national security.This dissertation proposes using APT attack detection and traceback as a deterrent defense mechanism against APT attacks.When information systems face APT threats,this approach can perceive the system’s current security posture,enhancing the specificity and effectiveness of defense.Even after a system has been compromised,countermeasures can be taken against attackers to defend national sovereignty in cyberspace.Therefore,there is a pressing need for in-depth research on APT attack detection and attribution technologies.Such reasearch holds significant importance and practical value.This dissertation focuses on the limitations of APT attack stage detection,which are particularly confined to single-stage detection,high false positive rates in detecting APT attack behaviors,difficulties in capturing long-term dependencies between alerts and attack stages in multi-step APT attack detection,and challenges in capturing attributions of APT organization origins in attack tool artifacts.Research on APT attack stage detection,APT attack behavior detection,multi-step APT attack detection,and APT organization attribution has been conducted,and corresponding solutions have been proposed to enhance the capabilities of APT attack detection and attribution,thereby contributing to the security assurance of China’s critical information infrastructure.The main research findings of this dissertation are summarized as follows:(1)To address the limitations of traditional APT attack detection,such as restricted feature extraction and limited to single-stage detection,this dissertation proposes a method for APT attack stage detection based on deep convolutional neural networks.The proposed method converts network traffic sequences into images using a percentile transformation method,preserving the characteristics of attack sequences in images to overcome the limitations of traditional APT attack stage detection,which only considers local features and a single feature category.Then,a deep convolutional neural network model is designed to identify APT attack stages from the images,and transfer learning and hyperparameter optimization techniques are introduced to enhance the model’s generalization ability and detection effectiveness.Experimental results on public datasets demonstrate that the proposed method can effectively extract APT attack stage features,thereby improving the accuracy of APT attack stage detection.(2)To address the complexity and diversity of APT attack behaviors and the high false positive rate in detection,this dissertation proposes a method for APT attack behavior detection based on multi-layer perceptron neural networks.The proposed method utilizes feature automatic selection and an intrusion detection framework based on multi-layer perceptron neural networks to detect different attack behaviors in real time.Secondly,a method based on Pearson correlation test for automatic feature selection of network attack features is proposed to improve the detection performance of the model.Then,by introducing dynamic learning rates and additional momentum to improve the backpropagation algorithm of the multi-layer perceptron neural network,the model’s false positive rate is effectively reduced.Finally,experimental results on public datasets demonstrate that the proposed approach has significant advantages in terms of efficiency and performance in APT attack behavior detection,providing effective support for practical APT attack behavior detection services.(3)To address the issue of poor recognition of long-term dependency relationships between APT attack alerts and attack stages,and the difficulty in detecting multi-step APT attacks,this dissertation proposes a method for detecting multi-step APT attacks based on attention convolutional networks.First,a method for reconstructing APT multi-step attack alert sequence identifiers is designed to construct multi-step attack identifier samples and non-attack identifier samples separately.Secondly,to better capture the long-term dependency relationships between alerts and APT attack stages,an improved attention convolutional network model is proposed.Specifically,the connection method of residual blocks in the time convolutional network is improved to enhance the network’s information transmission capability and efficiency,and a global attention mechanism is introduced to increase the weight of key features.Experimental results on multiple public datasets demonstrate that the proposed method can effectively capture long-term dependency relationships between APT attack alerts and attack stages,thereby improving the performance of APT multi-step attack detection tasks.(4)From the perspective of attributing APT organizations based on traces of attack tools,this dissertation proposes a method for attributing APT organizations based on analysis of attack tool traces.The proposed method models the problem of attributing APT organizations as a multi-classification problem based on traces of attack tools.First,methods for analyzing common leakage information in APT attack tools are analyzed,and traces of APT malicious software execution are collected through sandboxes based on this analysis.Secondly,the TF-IDF algorithm is used for feature extraction and selection to discover traces related to attacker identities or action backgrounds.Finally,an improved PSO algorithm is combined to train the optimal MSVM classification model for APT organization identification tasks.Experimental results on real datasets demonstrate that the PSO-MSVM algorithm can efficiently discover attributions from attack tool traces,thereby identifying corresponding APT organizations. |