
Detecting Unknown Advanced Persistent Threat Using Shared Features Of Multi-class Malicious Samples

Posted on: 2022-11-26
Degree: Master
Type: Thesis
Country: China
Candidate: L K Shang
GTID: 2518306758491534
Subject: Electronics and Communications Engineering

Abstract/Summary:
Advanced Persistent Threats (APTs) are long-term cyber-attacks carried out by advanced hacker groups against specific targets to steal valuable confidential data or conduct cyber espionage. Command-and-control (C&C) channel inspection based on network flows is an effective method for detecting APT attacks, because the malware hidden in the target system has to communicate with an external C&C server to receive commands or send data, so network flow is unavoidable. In recent years, research on APT attack detection has made great progress. However, current work still faces the following problems:

1. Unknown APT attacks are difficult to detect. Most of the features extracted in existing work rely on published APT reports or research findings on APT malware that has already been disclosed, but these features are not necessarily universal. Existing work faces two challenges: the stealth of APT attacks and their flexible attack techniques. These factors make it difficult for existing work to detect unknown APT attacks.

2. Most existing methods for detecting APT attacks use machine learning. However, it has been proved that machine learning algorithms are not robust against adversarial samples: adding slight perturbations to the samples can cause the detection model to give wrong output. Most APT organizations are senior hacker organizations sponsored by governments, and they have sufficient resources. It is therefore possible for an APT organization to evade a detection model by making small changes to its attack characteristics while still carrying out the attack normally.

This paper mainly studies the above two issues, and the specific work is as follows:

1. In order to detect unknown APT attacks, this paper designs a new APT detection method based on network flow. The work is inspired by two observations: different APT attacks share the same intrusion tools and services, and unknown malware evolves from existing malware. Therefore, the malware of different groups has some shared attributes that are not easy to find, which leads to hidden shared features in the network flows between the malware and the C&C server in different attacks. Based on this, this paper proposes a method to detect the hidden C&C channels of unknown APT attacks. First, deep learning techniques are used to mine the shared network flow features from known multi-class attack flows. Then, an appropriate classifier is chosen to detect the C&C network flow. Finally, the method is tested on a publicly available dataset. The experimental results show that this method achieves an F1 score of up to 0.968 when dealing with unknown malicious network flows, which will help discover unknown APT attacks.

2. Existing work has proved that adding adversarial samples to the training set can improve the robustness of a model against adversarial samples. Based on this, this paper proposes to use a generative adversarial network (GAN) to adversarially train the APT detection model, thereby improving the robustness of the detection model to adversarial examples. The method uses the generative model to quickly generate adversarial samples, the trained APT detection model is used as the discriminative model, and the robustness of the detection model to adversarial samples is improved by adversarial training between the generator and the detection model. The experimental results show that, compared with the original model, the F1 score of the detection model after adversarial training drops by 0.025 on the original samples, but its F1 score on the adversarial samples generated by the GAN and on the adversarial samples generated by Wu's method increases by 0.918 and 0.12, respectively. This shows that GAN adversarial training can significantly improve the robustness of the APT detection model to adversarial samples.
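The two robustness claims in the abstract (a small feature perturbation can flip a learned C&C detector, and retraining on adversarial samples restores much of the detection rate, at a small cost on clean samples) can be reproduced at toy scale. The following example is added here and is not code from the thesis: it stands in a logistic regression for the deep detector, the fast gradient sign method (FGSM) for the GAN generator, and four constructed, seeded flow features in [0, 1] for the real dataset. The feature names, the perturbation budget `EPS` and all sample values are assumptions made for the demonstration.

```python
"""Adversarial-robustness check for a flow-based C&C detector (added example).

The detector is a logistic regression over four constructed flow features.
Adversarial samples are crafted with FGSM (not the thesis's GAN), first to
measure how far the F1 score falls, then to augment the training set and
measure how much of it adversarial training recovers.  All data is synthetic.
"""
import math
import random

# Hypothetical flow features; every value lives in [0, 1].
FEATURES = ["beacon_regularity", "uplink_ratio", "small_packet_ratio", "session_rate"]
EPS = 0.15   # per-feature perturbation budget (assumed)
SEED = 7


def make_flows(n_per_class, rng):
    """Constructed flows: benign features in [0.2, 0.5], C&C-like in [0.5, 0.8]."""
    xs, ys = [], []
    for label, lo in ((0, 0.2), (1, 0.5)):
        for _ in range(n_per_class):
            xs.append([lo + 0.3 * rng.random() for _ in FEATURES])
            ys.append(label)
    return xs, ys


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def train(xs, ys, epochs=500, lr=1.0):
    """Full-batch gradient descent for logistic regression; returns (w, b)."""
    d, n = len(xs[0]), len(xs)
    w, b = [0.0] * d, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * d, 0.0
        for x, y in zip(xs, ys):
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            for i in range(d):
                gw[i] += err * x[i]
            gb += err
        w = [wi - lr * g / n for wi, g in zip(w, gw)]
        b -= lr * gb / n
    return w, b


def predict(model, x):
    w, b = model
    return 1 if sum(wi * xi for wi, xi in zip(w, x)) + b > 0 else 0


def fgsm(model, x, y, eps=EPS):
    """One FGSM step: move x by eps along the sign of d(loss)/dx, clipped to [0, 1].

    For logistic regression d(loss)/dx = (sigmoid(z) - y) * w, so only the
    sign of that product per feature matters.
    """
    w, b = model
    err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
    out = []
    for wi, xi in zip(w, x):
        g = err * wi
        step = eps if g > 0 else (-eps if g < 0 else 0.0)
        out.append(min(1.0, max(0.0, xi + step)))
    return out


def f1_score(model, xs, ys):
    tp = fp = fn = 0
    for x, y in zip(xs, ys):
        p = predict(model, x)
        if p == 1 and y == 1:
            tp += 1
        elif p == 1 and y == 0:
            fp += 1
        elif p == 0 and y == 1:
            fn += 1
    return 2 * tp / (2 * tp + fp + fn) if tp else 0.0


def perturb_malicious(model, xs, ys):
    """Adversarial copy of a set: only the C&C flows are perturbed, benign kept."""
    return [fgsm(model, x, y) if y == 1 else x for x, y in zip(xs, ys)]


def run_experiment(seed=SEED):
    """Returns F1 scores of the base and the adversarially trained detector."""
    rng = random.Random(seed)
    x_tr, y_tr = make_flows(200, rng)
    x_te, y_te = make_flows(200, rng)

    base = train(x_tr, y_tr)
    x_te_adv = perturb_malicious(base, x_te, y_te)      # fixed adversarial test set

    # Adversarial training: augment the training set with perturbed C&C flows.
    x_tr_adv = [fgsm(base, x, y) for x, y in zip(x_tr, y_tr) if y == 1]
    robust = train(x_tr + x_tr_adv, y_tr + [1] * len(x_tr_adv))

    return {
        "base_clean": f1_score(base, x_te, y_te),
        "base_adv": f1_score(base, x_te_adv, y_te),
        "robust_clean": f1_score(robust, x_te, y_te),
        "robust_adv": f1_score(robust, x_te_adv, y_te),
        # white-box: fresh samples crafted against the retrained model itself
        "robust_adv_whitebox": f1_score(robust, perturb_malicious(robust, x_te, y_te), y_te),
    }


if __name__ == "__main__":
    for name, score in run_experiment().items():
        print(f"{name:20s} F1 = {score:.3f}")
```

The mixed test set (clean benign flows plus perturbed C&C flows) is what makes the F1 comparison meaningful: a set of only positives would hide the false positives that a shifted decision boundary introduces, which is exactly the clean-sample cost the abstract reports. The white-box entry is the caveat a practitioner should keep in mind when reading robustness numbers: samples crafted against the original model (transfer samples) are an easier test than samples crafted against the retrained model.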
Keywords/Search Tags:APT, Shared features, Adversarial example, GAN