
Compromised Host Detection In Advanced Persistent Threats Based On Temporal-spatial Behaviors

Posted on: 2022-12-29
Degree: Master
Type: Thesis
Country: China
Candidate: Y D Sun
Full Text: PDF
GTID: 2518306758491544
Subject: Electronics and Communications Engineering
Abstract/Summary:
Advanced persistent threats (APT) are a form of persistent system intrusion characterized by long dwell time, high concealment, and diverse, changeable attack methods. APT has caused great damage to enterprises and governments. Recent detection methods for this kind of attack are mostly based on machine learning, deep learning and graph methods, which analyze the relationships between system entities or the behavior of users and hosts. Because APT techniques are constantly updated, it is important to build detection methods around the characteristics of APT itself. However, most existing detection methods either analyze the scene and behavior at a single point in time, or analyze how the behavior of a single host changes over time. In the face of ever-changing APT attacks, these methods lack consideration of the main characteristic behavior of APT and do not take into account its two defining characteristics: temporal and spatial.

In the temporal dimension, the daily behavior of normal hosts is relatively regular; it is difficult for an attacker to completely imitate the daily behavior of the compromised host, so the behavior pattern of a hacked host will show a series of temporal anomalies compared with its daily behavior. In the spatial dimension, a compromised host was most likely compromised by another compromised host, and will often go on to infiltrate further hosts, so there are inescapable connections between compromised hosts. Therefore, a method to detect APT-compromised hosts based on temporal-spatial behaviors is proposed. The main work of this paper is as follows:

1. We summarized the temporal-spatial characteristics of APT behavior and proposed a method to detect compromised hosts based on the temporal-spatial behavior of APT.

2. We built a host authentication graph to analyze each host's authentication behavior, extracted the host's daily temporal features from the graph, and built a host association graph to represent the authentication relationships and spatial connections between hosts.

3. We used an LSTM to process the features of each host's daily authentication behavior and to learn the host's authentication behavior patterns, and their changes, over a period of time. We used a GAT to account for the influence of a host's neighbors in the association graph on its features and to extract the host's spatial features.

4. We designed a neural network that concatenates the LSTM and GAT so as to consider the temporal-spatial behavior in APT host authentication events. Using a neural network to extract features has the advantage of automatically selecting the important features.

Our experimental data was the public data set released by Los Alamos National Laboratory (LANL). The F1 score of the final experiment reached 0.961. This paper also compares the method with similar work. The experimental results show that a detection method based on the temporal-spatial behaviors of APT is helpful for APT detection.
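As an added illustration of the pipeline the abstract describes, and not code from the thesis, the following Python builds the two inputs a temporal-spatial detector consumes from authentication records laid out like LANL's auth.txt columns: the per-host sequence of daily feature vectors (the temporal side) and the host association graph (the spatial side). In place of the LSTM and GAT it scores each day against the host's own earlier days with a simple deviation measure, so it runs without a deep-learning stack; the sample records, the five features, the day bucketing and the flagging threshold are all the editor's assumptions.

```python
"""Temporal and spatial inputs for a compromised-host detector, built from
LANL-style authentication records. Editor's example with constructed data."""
from collections import defaultdict
from typing import Dict, List, Set

DAY = 86400  # LANL auth.txt timestamps are seconds, so this buckets them by day

# Constructed sample in the LANL auth.txt column order:
# time,src_user@domain,dst_user@domain,src_host,dst_host,auth_type,logon_type,orientation,outcome
# C1, C3 and C6 behave regularly; on day 2 C1 fans out over NTLM to new hosts
# (C5-C7), and on day 3 C6 (reached from C1) does the same using U1's account.
SAMPLE_AUTH = """\
1,U1@DOM1,U1@DOM1,C1,C2,Kerberos,Network,LogOn,Success
2,U2@DOM1,U2@DOM1,C3,C4,Kerberos,Network,LogOn,Success
3,U3@DOM1,U3@DOM1,C6,C8,Kerberos,Network,LogOn,Success
86401,U1@DOM1,U1@DOM1,C1,C2,Kerberos,Network,LogOn,Success
86402,U2@DOM1,U2@DOM1,C3,C4,Kerberos,Network,LogOn,Success
86403,U3@DOM1,U3@DOM1,C6,C8,Kerberos,Network,LogOn,Success
172801,U1@DOM1,U1@DOM1,C1,C2,Kerberos,Network,LogOn,Success
172802,U1@DOM1,U1@DOM1,C1,C5,NTLM,Network,LogOn,Failure
172803,U1@DOM1,U1@DOM1,C1,C6,NTLM,Network,LogOn,Success
172804,U1@DOM1,U1@DOM1,C1,C7,NTLM,Network,LogOn,Success
172805,U2@DOM1,U2@DOM1,C3,C4,Kerberos,Network,LogOn,Success
172806,U3@DOM1,U3@DOM1,C6,C8,Kerberos,Network,LogOn,Success
259201,U3@DOM1,U3@DOM1,C6,C8,Kerberos,Network,LogOn,Success
259202,U1@DOM1,U1@DOM1,C6,C9,NTLM,Network,LogOn,Success
259203,U1@DOM1,U1@DOM1,C6,C10,NTLM,Network,LogOn,Success
259204,U1@DOM1,U1@DOM1,C6,C11,NTLM,Network,LogOn,Failure
"""


def parse_auth(text: str) -> List[dict]:
    """Parse LANL-format lines; blank or malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.strip().split(",")
        if len(f) != 9:
            continue
        rows.append({"day": int(f[0]) // DAY, "src_user": f[1], "src_host": f[3],
                     "dst_host": f[4], "auth_type": f[5], "success": f[8] == "Success"})
    return rows


def daily_host_features(rows: List[dict]) -> Dict[str, Dict[int, List[float]]]:
    """Temporal side: one feature vector per (source host, day). The features
    (auth count, distinct destinations, distinct users, failures, NTLM count)
    are this example's assumption, not the thesis's feature set."""
    buckets = defaultdict(list)
    for r in rows:
        buckets[(r["src_host"], r["day"])].append(r)
    per_host: Dict[str, Dict[int, List[float]]] = defaultdict(dict)
    for (host, day), evs in buckets.items():
        per_host[host][day] = [float(len(evs)),
                               float(len({e["dst_host"] for e in evs})),
                               float(len({e["src_user"] for e in evs})),
                               float(sum(not e["success"] for e in evs)),
                               float(sum(e["auth_type"] == "NTLM" for e in evs))]
    return per_host


def host_association_graph(rows: List[dict]) -> Dict[str, Set[str]]:
    """Spatial side: undirected host-host adjacency from authentication edges."""
    adj: Dict[str, Set[str]] = defaultdict(set)
    for r in rows:
        a, b = r["src_host"], r["dst_host"]
        if a != b:
            adj[a].add(b)
            adj[b].add(a)
    return adj


def temporal_deviation(per_day: Dict[int, List[float]]) -> Dict[int, float]:
    """Score each day against the host's own earlier days: mean over features
    of |x - mean| / (std + 1). The +1 keeps a perfectly regular baseline
    (std 0) from producing infinite scores; a day with no history scores 0."""
    scores, history = {}, []
    for day in sorted(per_day):
        vec = per_day[day]
        if history:
            dev = 0.0
            for i, x in enumerate(vec):
                col = [h[i] for h in history]
                mean = sum(col) / len(col)
                std = (sum((c - mean) ** 2 for c in col) / len(col)) ** 0.5
                dev += abs(x - mean) / (std + 1.0)
            scores[day] = dev / len(vec)
        else:
            scores[day] = 0.0
        history.append(vec)
    return scores


def suspicious_hosts(rows: List[dict], threshold: float = 1.0) -> Dict[str, dict]:
    """Flag hosts whose worst-day deviation exceeds the (assumed) threshold and
    list which graph neighbours are also flagged: a chain of flagged
    neighbours is the spatial cue the thesis builds on."""
    feats = daily_host_features(rows)
    adj = host_association_graph(rows)
    flagged = {}
    for host, per_day in feats.items():
        scores = temporal_deviation(per_day)
        day = max(scores, key=scores.get)
        if scores[day] > threshold:
            flagged[host] = (day, scores[day])
    return {h: {"day": d, "score": round(s, 3),
                "flagged_neighbours": sorted(n for n in adj[h] if n in flagged)}
            for h, (d, s) in flagged.items()}
```

On the sample data, `suspicious_hosts(parse_auth(SAMPLE_AUTH))` flags C1 on day 2 and C6 on day 3, and each reports the other as a flagged neighbour, which is the combination of a temporal anomaly and a spatial link between anomalous hosts that the abstract argues for; C3, whose daily pattern never changes, scores 0 throughout. A learned model replaces the hand-written deviation score, but it consumes the same two structures.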
Keywords/Search Tags:advanced persistent threats, temporal-spatial analysis, authentication, neural networks