Research On APT Attack Report Analysis Method Based On Graph Neural Network

Posted on: 2022-01-29
Degree: Master
Type: Thesis
Country: China
Candidate: Y Huang
Full Text: PDF
GTID: 2518306527970359
Subject: Computer Science and Technology
Abstract/Summary:
With the explosive development and popularization of information technology, cyber threats have become increasingly widespread and complex. Advanced Persistent Threat (APT) has become a research hotspot in the field of network security because of its strong concealment and long-lasting characteristics. In the face of such threats, it is difficult for traditional network security detection equipment to perform effective detection. Big data analysis based on threat intelligence has become a feasible solution to APT attack detection and has received widespread attention. As an important data source for threat intelligence big data analysis, APT attack reports contain key information about the APT attack process. However, existing analysis of APT attack reports focuses on machine-readable compromise intelligence, which makes it difficult to automatically assign APT attack techniques to Kill Chain stages and impossible to explore the hidden relationships between different APT attack reports. Therefore, in order to improve the effective defense of cyberspace, this thesis conducts in-depth research on APT attack report analysis. The main work is as follows:

First, when traditional methods extract information from APT attack reports, it is difficult to assign the APT attack techniques to Kill Chain attack stages, which prevents security personnel from making defensive decisions quickly. In response to this problem, this thesis proposes a method for dividing APT attack techniques into stages based on the Kill Chain model. The method first learns the dependency syntactic structure of the descriptions of the APT attack techniques and the dependencies between the techniques, then uses a Graph Neural Network to capture as much of the structural and semantic information of the attack techniques as possible, and finally determines, through model training, the Kill Chain stage to which each APT attack technique belongs. The final experimental results also show that, compared with the comparison model, the proposed method improves accuracy, precision and other evaluation indicators.

Second, to address the problem that attack report analysis has a single associated object and cannot explore the hidden relationships between different security reports, this thesis proposes a Graph Neural Network-based method for APT security entity association analysis. The method extracts security entities from APT attack reports on multiple platforms and constructs a Heterogeneous Security Entity Network with Attributes based on their relationships, and then uses Graph Neural Networks to continuously update entity features. During the update process, the neighbor nodes and features of each entity are assigned weights through Graph Attention, so as to accomplish the tasks of link prediction and node classification for security entities. The final experimental results show that the proposed method achieves entity association mining among APT attack reports and provides effective information for network security decision-making.
Keywords/Search Tags:APT attack reports, Threat Intelligence, Graph Neural Network, Security Entity Network, Cyber Kill Chain