
Research On APT Attack Traffic Detection Based On Deep Learning

Posted on: 2023-10-11
Degree: Master
Type: Thesis
Country: China
Candidate: F Wang
Full Text: PDF
GTID: 2568306623969329
Subject: Cyberspace security

Abstract/Summary:
The security situation in cyberspace has deteriorated in recent years, and network attacks, particularly Advanced Persistent Threats (APT), have emerged as one of the key concerns on the Internet. The long-term, concealed, and targeted characteristics of APT attacks make them difficult for traditional network anomaly detectors to identify. With the development of artificial intelligence and big data technologies, APT attacks can be identified through the collection, analysis and modelling of network traffic data. Artificial intelligence technology can therefore assist security operators in achieving network security situational awareness and in improving the efficiency of security operations.

In this thesis, we first examine APT attack behavior. To address the multi-stage nature of APT attacks, an APT attack stage identification model based on network traffic is proposed. Combined with practical requirements, an APT attack anomalous traffic data collection and processing system is designed and implemented. The specifics are as follows:

(1) For the problem of APT attack monitoring and identification in large-scale network traffic data scenarios, an APT attack stage identification method based on ensemble learning, APTSID, is proposed. APTSID is a two-stage model: an APT anomaly detection model based on a convolutional neural network identifies attack traffic, and a multi-stage identification model based on extreme gradient boosting (XGBoost) then identifies the APT attack stage. Experiments are conducted on the open dataset DAPT 2020. Compared with traditional techniques, the experimental results suggest that the proposed APTSID model performs better in the APT attack stage identification task and significantly improves the recall rate: the recall rate for APT anomaly records is about 95%, and the sample detection rate for the lateral movement stage is improved by about 15% compared with other models.

(2) Design and implementation of a traffic log data collection and processing system, including modules for traffic data collection, data preprocessing, data distribution, and experimental environment configuration. The data collection module allows access to data sources via Kafka or an API. The data pre-processing module, based on the Flink stream processing framework, performs extraction, transformation, and loading (ETL) of upstream data. The data publishing module displays standardized data fields for researchers to view. Based on Linux Container technology, an experimental environment configuration module provides environment preconfiguration for traffic analysis model training, effectively realizing closed-loop use and management of real traffic data. This system has been deployed by the Henan Province Education Computer Emergency Readiness Team (HERCERT) to establish an end-to-end solution for ETL processing of network traffic in scientific research scenarios.
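The two-stage APTSID design described in (1) has an evaluation consequence worth seeing in code: a flow that the stage-1 anomaly detector misses is never handed to the stage-2 classifier, so stage-1 misses count directly against per-stage recall. The example below is added here and is not the thesis's code; the CNN and XGBoost models are replaced by simple rule-based stand-ins, the flow records and stage names are constructed, and the cascade and recall computation are the point.

```python
"""Cascade evaluation for a two-stage attack-stage identifier (added example).
Stage 1 (anomaly detector) gates stage 2 (stage classifier); a stage-1 miss
is final, so per-stage recall reflects both models."""
from collections import Counter

# Constructed flow records: (features, true label). Labels are "benign" or an
# assumed APT stage name; features are deliberately minimal.
FLOWS = [
    ({"bytes_out": 1200, "dst_internal": False, "n_dst_ports": 1}, "benign"),
    ({"bytes_out": 800, "dst_internal": False, "n_dst_ports": 1}, "benign"),
    ({"bytes_out": 300, "dst_internal": False, "n_dst_ports": 200}, "reconnaissance"),
    ({"bytes_out": 4000, "dst_internal": False, "n_dst_ports": 1}, "establish_foothold"),
    ({"bytes_out": 2500, "dst_internal": True, "n_dst_ports": 15}, "lateral_movement"),
    # Low-volume, single-port internal flow: stage 1 will not flag it.
    ({"bytes_out": 900, "dst_internal": True, "n_dst_ports": 1}, "lateral_movement"),
    ({"bytes_out": 50_000_000, "dst_internal": False, "n_dst_ports": 1}, "data_exfiltration"),
]

def anomaly_detector(f):
    """Stage 1 stand-in for the CNN detector: flag volume or port-spread outliers."""
    return f["n_dst_ports"] > 10 or f["bytes_out"] > 3000

def stage_classifier(f):
    """Stage 2 stand-in for the XGBoost model; only called on flagged flows."""
    if f["bytes_out"] > 10_000_000:
        return "data_exfiltration"
    if f["dst_internal"]:
        return "lateral_movement"
    if f["n_dst_ports"] > 10:
        return "reconnaissance"
    return "establish_foothold"

def cascade_predict(flows):
    """Unflagged flows are labelled benign without ever reaching stage 2."""
    return [stage_classifier(f) if anomaly_detector(f) else "benign" for f, _ in flows]

def recall_by_label(truth, preds):
    """Recall per true label; a stage-1 miss lowers that stage's recall."""
    hits, totals = Counter(), Counter()
    for t, p in zip(truth, preds):
        totals[t] += 1
        if t == p:
            hits[t] += 1
    return {lbl: hits[lbl] / totals[lbl] for lbl in totals}

def evaluate(flows=FLOWS):
    """Return (binary anomaly recall, per-stage recall) for the cascade."""
    truth = [lbl for _, lbl in flows]
    preds = cascade_predict(flows)
    # Binary recall: an APT flow counts as detected whatever stage is assigned.
    pairs = [(t != "benign", p != "benign") for t, p in zip(truth, preds)]
    anomaly_recall = sum(1 for t, p in pairs if t and p) / sum(1 for t, _ in pairs if t)
    return anomaly_recall, recall_by_label(truth, preds)
```

On the constructed flows the detector misses one lateral-movement flow, so binary anomaly recall is 0.8 while lateral-movement recall drops to 0.5 even though stage 2 classified every flagged flow correctly.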
Keywords/Search Tags: Advanced Persistent Threat, Machine Learning, Attack Stage Identification, Stream Data Processing