Tongxin xuebao (Feb 2024)

APT attack threat-hunting network model based on hypergraph Transformer

  • Yuancheng LI,
  • Yukun LIN

Journal volume & issue
Vol. 45
pp. 106 – 114

Abstract


Advanced persistent threats (APT) in Internet of things (IoT) environments are highly concealed, long-lived, and updated in fast iterations, so traditional passive detection models struggle to search for them quickly. To address this, a hypergraph Transformer threat-hunting network (HTTN) is proposed. HTTN can quickly locate and discover APT attack traces in IoT systems over long time spans and under complex information concealment. The model encodes the input cyber threat intelligence (CTI) log graph and the IoT system kernel audit log graph into hypergraphs; a hypergraph neural network (HGNN) layer computes the global information and node features of the log graphs; a Transformer encoder then extracts hyperedge position features; and finally a similarity score is computed over the hyperedges, which realizes threat hunting for APT in the network environment of an IoT system. Experimental results in an IoT simulation environment show that, compared with mainstream graph-matching neural networks, the proposed HTTN reduces the mean square error by about 20%, improves the Spearman rank correlation coefficient by about 0.8%, and improves precision@10 by about 1.2%.
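As an added illustration (not code from the paper, which does not publish its implementation), the following Python sketch shows the front half of the pipeline the abstract describes: kernel audit events and a CTI attack pattern are each encoded as a hypergraph, one HGNN propagation step produces node embeddings, and audit hyperedges are ranked by their similarity to the CTI hyperedges. Everything concrete here is an assumption of the example: the constructed audit and CTI events, the "one hyperedge per process" encoding, the one-hot entity-type node features and the `kind_of` heuristic that assigns them, identity matrices in place of the learned hyperedge weights W and projection Θ, and cosine similarity as the hyperedge score. The Transformer encoder over hyperedge positions is omitted, so this is HGNN-only matching, not HTTN.

```python
"""Hypergraph encoding of audit events plus one HGNN propagation step, used to
rank audit-log hyperedges against a CTI attack-pattern hypergraph.
Added illustration, not the HTTN authors' code: weights are fixed, not learned,
and the Transformer encoder of the paper is left out."""
import math
from collections import OrderedDict

# Node features are one-hot entity types (assumption; the paper learns features).
ENTITY_TYPES = ("process", "file", "credential", "socket")

# Constructed kernel-audit events, (pid, syscall, object). pid 3003 is the planted
# APT trace: a child of the interactive shell reads an SSH key and connects out.
AUDIT_EVENTS = [
    (1001, "accept",  "10.0.0.5:22"),               # sshd: inbound session
    (1001, "read",    "/etc/passwd"),                # sshd: user lookup
    (2002, "read",    "/etc/passwd"),                # bash: shares a file with sshd
    (2002, "write",   "/home/alice/.bash_history"),
    (2002, "execve",  "pid:3003"),                   # bash spawns the child
    (3003, "read",    "/home/alice/.ssh/id_rsa"),    # child reads a private key...
    (3003, "connect", "203.0.113.7:443"),            # ...and beacons to an external host
]
# Constructed CTI pattern: "a process reads a private key, then connects out over 443".
CTI_EVENTS = [
    ("X", "read",    "/root/.ssh/id_rsa"),
    ("X", "connect", "198.51.100.9:443"),
]


def kind_of(name):
    """Heuristic entity typing for this example (an assumption, not the paper's)."""
    if name.startswith("pid:"):
        return "process"
    if ":" in name and name.rsplit(":", 1)[1].isdigit():
        return "socket"
    if "/.ssh/" in name or name.endswith((".pem", "shadow")):
        return "credential"
    return "file"


def build_hypergraph(events):
    """One hyperedge per process: the process plus every object it touched.
    Returns (sorted vertex names, {process: [member vertices]})."""
    edges = OrderedDict()
    for pid, _syscall, obj in events:
        proc = f"pid:{pid}"
        members = edges.setdefault(proc, [proc])
        if obj not in members:
            members.append(obj)
    vertices = sorted({v for members in edges.values() for v in members})
    return vertices, edges


def hgnn_conv(vertices, edges, features, theta):
    """X' = ReLU(Dv^-1/2 H W De^-1 H^T Dv^-1/2 X Theta) with W = I (HGNN-style layer).
    H is the vertex-hyperedge incidence matrix, Dv/De the vertex/edge degrees."""
    idx = {v: i for i, v in enumerate(vertices)}
    dim = len(features[0])
    dv = [0] * len(vertices)
    for members in edges.values():
        for v in members:
            dv[idx[v]] += 1
    z = [[x / math.sqrt(dv[i]) for x in features[i]] for i in range(len(vertices))]
    y = [[0.0] * dim for _ in vertices]
    for members in edges.values():
        s = [sum(z[idx[v]][k] for v in members) / len(members) for k in range(dim)]  # De^-1 H^T
        for v in members:                                                            # H (W = I)
            for k in range(dim):
                y[idx[v]][k] += s[k]
    out = []
    for i, row in enumerate(y):
        row = [r / math.sqrt(dv[i]) for r in row]
        out.append([max(0.0, sum(row[j] * theta[j][k] for j in range(dim)))
                    for k in range(len(theta[0]))])
    return out


def hyperedge_embeddings(events):
    """Mean of member-node embeddings per hyperedge after one HGNN step."""
    vertices, edges = build_hypergraph(events)
    feats = [[1.0 if kind_of(v) == t else 0.0 for t in ENTITY_TYPES] for v in vertices]
    dim = len(ENTITY_TYPES)
    theta = [[1.0 if i == j else 0.0 for j in range(dim)] for i in range(dim)]  # untrained placeholder
    h = hgnn_conv(vertices, edges, feats, theta)
    idx = {v: i for i, v in enumerate(vertices)}
    return {pid: [sum(h[idx[v]][k] for v in members) / len(members) for k in range(dim)]
            for pid, members in edges.items()}


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))


def hunt(audit_events, cti_events):
    """Rank audit hyperedges (processes) by best cosine match to any CTI hyperedge."""
    audit = hyperedge_embeddings(audit_events)
    cti = hyperedge_embeddings(cti_events)
    scores = {pid: max(cosine(h, c) for c in cti.values()) for pid, h in audit.items()}
    return sorted(scores.items(), key=lambda kv: -kv[1])


def precision_at_k(ranked, malicious, k):
    """Fraction of the top-k ranked processes that are in the malicious set."""
    return sum(pid in malicious for pid, _ in ranked[:k]) / k


if __name__ == "__main__":
    ranking = hunt(AUDIT_EVENTS, CTI_EVENTS)
    for pid, score in ranking:
        print(f"{pid:10s} similarity={score:.3f}")
    print("precision@1 =", precision_at_k(ranking, {"pid:3003"}, 1))
```

The planted process scores highest because its hyperedge has the same entity composition as the CTI pattern, while sshd (process, file, socket) and bash (process, process, two files) differ; with learned W and Θ and the Transformer stage, the real model would score on richer features than entity type alone.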

Keywords