Advanced Persistent Threat (APT) attacks are complex, highly purposeful attacks with clearly defined objectives. According to published APT attack events, the steps of an APT attack follow the process of the kill chain, and its attack range continues to expand. Traditional intrusion detection systems can hardly detect this slow attack method effectively. Therefore, research on effective APT attack detection methods is of great significance. This thesis focuses on APT attack detection methods. Detection methods based on system logs and on network traffic are efficient APT attack detection methods.

An APT attack detection method based on system logs faces problems in storing massive logs and in the complexity of correlating them. Aiming at correlation analysis of massive logs, this thesis proposes the Provenance Graph GCN (PGGCN) method, which combines the provenance graph with a graph convolutional neural network model to detect APT attacks. The method constructs the provenance graph from the system log and applies a classification strategy to realize the detection of APT attacks. In order to reduce the scale of the provenance graph, this thesis proposes a classification method which divides entities and events into different trust levels and confidentiality levels. Analysis of the experimental results shows that the APT attack detection method proposed in this thesis is better than other deep learning models in terms of accuracy and performance.

An APT attack detection method based on network traffic faces challenges in feature extraction and in the selection of effective features because of the lack of typical attack data. The features of a traffic flow may depend on the previous adjacent traffic, and a memory network model can better extract dependencies that span a longer distance. Therefore, to address the problem of feature selection, this thesis proposes the C_BLSTM (CNN-BiLSTM) model to detect APT attacks. The method combines a Convolutional Neural Network (CNN) with a Bi-directional Long Short-Term Memory (BiLSTM) model. Analysis of the experimental results shows that the C_BLSTM deep learning model can effectively distinguish APT attack IPs from ordinary IPs, and that the model is more accurate than a single deep learning model or a traditional machine learning model in terms of APT attack detection.
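As an added illustration of the provenance-graph construction and trust/confidentiality-level pruning described above (this is not code from the thesis; the log events, the level assignments in `TRUST`/`CONF` and the pruning rule are constructed assumptions, and the thesis does not specify them):

```python
"""Provenance graph from system-log events, then pruning by trust/confidentiality levels.

Assumptions for this example: each event is a (subject, action, object) triple,
entities carry an assumed trust level (lower = less trusted) and an assumed
confidentiality level (higher = more sensitive). The real thesis classification
rules are not given in the abstract.
"""
from collections import defaultdict

# Constructed sample of system-log events (not real telemetry).
SAMPLE_EVENTS = [
    ("proc:sshd", "exec", "proc:bash"),
    ("proc:bash", "exec", "proc:curl"),
    ("proc:curl", "connect", "ip:203.0.113.7"),
    ("proc:curl", "write", "file:/tmp/stage.bin"),
    ("proc:bash", "exec", "file:/tmp/stage.bin"),
    ("proc:stage.bin", "read", "file:/etc/shadow"),
    ("proc:cron", "read", "file:/etc/crontab"),
    ("proc:logrotate", "write", "file:/var/log/syslog.1"),
]

# Assumed trust levels (0 = untrusted, 3 = fully trusted); unknown entities get 1.
TRUST = {"proc:sshd": 3, "proc:cron": 3, "proc:logrotate": 3, "proc:bash": 2,
         "proc:curl": 2, "proc:stage.bin": 0, "ip:203.0.113.7": 0,
         "file:/tmp/stage.bin": 0, "file:/etc/crontab": 2,
         "file:/var/log/syslog.1": 2, "file:/etc/shadow": 3}
# Assumed confidentiality levels (0 = public, 3 = highly sensitive).
CONF = {"file:/etc/shadow": 3, "file:/etc/crontab": 2, "file:/var/log/syslog.1": 1}

def build_graph(events):
    """Provenance graph as adjacency lists: node -> [(action, node), ...]."""
    g = defaultdict(list)
    for subj, act, obj in events:
        g[subj].append((act, obj))
        g.setdefault(obj, [])  # sinks (files, IPs) are nodes too
    return g

def prune(graph, max_trust=1, min_conf=2):
    """Keep an edge only if an endpoint is low-trust or touches high-confidentiality data."""
    kept = defaultdict(list)
    for subj, edges in graph.items():
        for act, obj in edges:
            low_trust = min(TRUST.get(subj, 1), TRUST.get(obj, 1)) <= max_trust
            sensitive = max(CONF.get(subj, 0), CONF.get(obj, 0)) >= min_conf
            if low_trust or sensitive:
                kept[subj].append((act, obj))
                kept.setdefault(obj, [])
    return kept

def node_count(graph):
    return len(graph)

def edge_count(graph):
    return sum(len(e) for e in graph.values())
```

On the constructed sample the full graph has 11 nodes and 8 edges; pruning drops the routine sshd/bash/logrotate activity and keeps the 5 edges around the untrusted download, its execution and the sensitive-file reads.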