Tongxin xuebao (Mar 2024)

Construction of advanced persistent threat attack detection model based on provenance graph and attention mechanism

  • Yuancheng LI,
  • Hao LUO,
  • Xinyu WANG,
  • Jiexuan YUAN

Journal volume & issue
Vol. 45
pp. 117 – 130

Abstract


Existing attack detection methods struggle with advanced persistent threats (APT), which have long durations and complex, covert attack methods. To address this, a model for APT attack detection based on attention mechanisms and provenance graphs was proposed. First, provenance graphs describing system behavior were constructed from system audit logs. Then, an optimization algorithm was designed to reduce the scale of the provenance graphs without sacrificing key semantics. Next, a deep neural network (DNN) was used to convert the original attack sequence into a semantically enhanced feature vector sequence. Finally, an APT attack detection model named DAGCN was designed, in which an attention mechanism was applied to the provenance graph sequence. By assigning different weights to different positions in the input sequence and computing over those weights, the model extracts sequence feature information of sustained attacks over a longer period of time, which allows it to identify malicious nodes and reconstruct the attack process. The proposed model outperforms existing models in recognition accuracy and other metrics. Experimental results on public APT attack datasets show that, compared with existing APT attack detection models, the accuracy of the proposed model in APT attack detection reaches 93.18%.

Keywords