Due to the profound impact of the Stuxnet attack, APT (Advanced Persistent Threat) has attracted universal attention all over the world. APT attacks are characterized by concealment, low frequency and a high degree of technology integration, and many technical difficulties remain in APT attack detection and attribution. In this paper, traditional machine learning and deep learning techniques are used to analyze intrusion detection algorithms and APT attack attribution. The content mainly includes:

(1) Automatic feature selection and ensemble classifier for intrusion detection: intrusion detection is one of the technologies for discovering the various stages of an APT attack, and it can provide the source entry point for attack attribution analysis. By comparing various feature selection techniques and classification algorithms, this paper proposes an intrusion detection framework that uses hybrid feature selection and ensemble classification to improve the robustness of parameters and models. Experiments were performed on the NSL-KDD and CICIDS2018 datasets. The results show that this method achieves high accuracy and a low false positive rate.

(2) APT attack attribution analysis based on deep learning: the goal of APT attack attribution is to find the attacker, the attack path and the attack intention, and finally to identify the attack organization. Based on the provenance graph generated from log-type traceability data, this paper uses a quad (subject, action, object, timestamp) to construct attack and non-attack events, and the non-attack sequences composed of related events are undersampled to balance the two classes of sequences. Finally, different deep learning models are introduced to realize automatic identification of attack entities. The model is tested on real APT datasets. Experimental results show that the bidirectional Long Short-Term Memory network achieves high precision, recall and F1 score in attack entity identification, and can accurately recover the attack path.
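The data-construction side of part (2), as an added example that is not the paper's code: it builds (subject, action, object, timestamp) quads from a constructed provenance log, groups them into per-entity sequences, undersamples the non-attack sequences to match the attack ones, and recovers an attack path by walking the provenance graph backward from a flagged object. The log format, the `fork`/`write`/`read`/`connect` action names and the hand-marked attack entities are assumptions; the deep-learning classifier itself is not modelled here.

```python
# Added example: quad construction, sequence balancing and path recovery
# over a provenance log. Log format and action names are assumed.
from collections import defaultdict
import random

# Constructed sample log, one event per line: "<timestamp> <subject> <action> <object>".
LOG = """\
1 bash fork word.exe
2 word.exe read invoice.docm
3 word.exe fork powershell.exe
4 powershell.exe connect 203.0.113.9:443
5 powershell.exe write dropper.dll
6 explorer.exe read settings.ini
7 chrome.exe connect 198.51.100.4:443
8 chrome.exe write cache.bin
"""

def parse_quads(text):
    """Turn each log line into a (subject, action, object, timestamp) quad."""
    quads = []
    for line in text.strip().splitlines():
        ts, subj, act, obj = line.split()
        quads.append((subj, act, obj, int(ts)))
    return quads

def entity_sequences(quads):
    """Group quads by subject into time-ordered event sequences, one per entity."""
    seqs = defaultdict(list)
    for q in sorted(quads, key=lambda q: q[3]):
        seqs[q[0]].append(q)
    return dict(seqs)

def balance(seqs, attack_entities, seed=0):
    """Undersample non-attack sequences so both classes have the same count."""
    attack = {e: s for e, s in seqs.items() if e in attack_entities}
    benign = [e for e in seqs if e not in attack_entities]
    random.Random(seed).shuffle(benign)
    kept = {e: seqs[e] for e in benign[: len(attack)]}
    return attack, kept

def recover_path(quads, sink):
    """Walk backward from a flagged object along fork/write edges to its root."""
    parent = {}  # object -> subject of the earliest event that created it
    for subj, act, obj, ts in sorted(quads, key=lambda q: q[3]):
        if act in ("fork", "write") and obj not in parent:
            parent[obj] = subj
    path = [sink]
    while path[-1] in parent:
        path.append(parent[path[-1]])
    return path[::-1]  # root first, flagged object last
```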