<p>With the rapid development of information technology, advanced persistent threats (APTs) have led to numerous serious data breaches and information system disruptions, causing immense losses to governments, businesses, and individuals. APT attack activities are usually carried out stealthily and often require analyzing large amounts of audited data, making it difficult to handle APT attacks promptly. Existing work attempts to improve the handling and detection efficiency of APT attacks based on limited audit data. However, these methods only increase the number of attack samples by finding suspicious entities through rules, ignoring the attack features contained in potential relations between entities. In this paper, we propose a potential relation prediction-based method (APMP) for APT attack detection in few-shot scenarios, which exploits potential relations to find ignored attack features. Specifically, APMP extracts the information between entities and relations in the attack sequence to train the prediction model. The prediction model can predict potential relations between entities and map them into the provenance graph. In this way, APMP complements the potential relations between entities in the provenance graph and captures the attack-related information between entities, improving the results of attack detection. We evaluate APMP using ten real-world public APT attack datasets. The average evaluation precision of APMP attack detection is 100%, with a recall rate of 93.18% and an F1-score of 96.30%. The results show that our proposal can effectively detect APT attacks in few-shot scenarios.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Apmp: APT attack detection in few-shot scenarios based on entity potential relations

  • Jiacheng Li,
  • Tong Li,
  • Runzi Zhang,
  • Zilong Wan,
  • Zhen Yang

摘要

With the rapid development of information technology, advanced persistent threats (APTs) have led to numerous serious data breaches and information system disruptions, causing immense losses to governments, businesses, and individuals. APT attack activities are usually carried out stealthily and often require analyzing large amounts of audited data, making it difficult to handle APT attacks promptly. Existing work attempts to improve the handling and detection efficiency of APT attacks based on limited audit data. However, these methods only increase the number of attack samples by finding suspicious entities through rules, ignoring the attack features contained in potential relations between entities. In this paper, we propose a potential relation prediction-based method (APMP) for APT attack detection in few-shot scenarios, which exploits potential relations to find ignored attack features. Specifically, APMP extracts the information between entities and relations in the attack sequence to train the prediction model. The prediction model can predict potential relations between entities and map them into the provenance graph. In this way, APMP complements the potential relations between entities in the provenance graph and captures the attack-related information between entities, improving the results of attack detection. We evaluate APMP using ten real-world public APT attack datasets. The average evaluation precision of APMP attack detection is 100%, with a recall rate of 93.18% and an F1-score of 96.30%. The results show that our proposal can effectively detect APT attacks in few-shot scenarios.