ABSTRACT
An Advanced Persistent Threat (APT) attack is one of the most common and costly destructive attacks on a target system. Such attacks have become a challenge for the information security systems of companies, governments, and organizations. In recent years, methods for detecting and preventing APT attacks that use machine learning or deep learning algorithms to analyze indicators and anomalous behaviors in network traffic have become popular. However, because typical data from attack campaigns is scarce, APT attack detection approaches based on behavior analysis and evaluation encounter many issues. Network traffic analysis to detect a common APT attack is one solution to this situation. This paper develops efficient and flexible deep learning models. To analyze huge volumes of network traffic, a hybrid deep learning approach that builds two models is used, Stacked Autoencoder with Long Short-Term Memory (SAE-LSTM) and Convolutional Neural Network with Long Short-Term Memory (CNN-LSTM), to detect indications of APT attacks. A reliable dataset, 'DAPT2020', that covers all APT stages is used to evaluate the proposed approach. The experimental results demonstrate that the hybrid deep learning approach gives higher performance than the individual deep learning models in detecting malicious behavior in each APT stage.
Supplemental Material: Presentation slides (available for download)