
Semantic Analysis Enhanced Detection Against Advanced Persistent Threat

Posted on: 2022-02-24
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Q Zhang
Full Text: PDF
GTID: 1488306611475324
Subject: Control Science and Engineering

Abstract/Summary:
In recent years, with the development and evolution of cyber attacks, the security situation in cyberspace has come under increasingly serious threat. The Advanced Persistent Threat (APT) is currently one of the fastest-growing classes of network attack. It frequently targets important sectors such as the military industry and government, and thus poses a serious threat to cyberspace security and even national security. Detecting APT attacks is a great challenge, however, since APT is an emerging type of cyber attack characterised by advancement, concealment and persistence. This dissertation therefore aims to develop APT detection that does not rely on known APT attack templates. To achieve this, building on cybernetic intelligence methods, the dissertation proposes a machine learning detection method with causal-correlation-aided semantic analysis. The method aggregates the logs provided by security information systems and uses the statistical Average Causal Effect (ACE) method to mine the causal relationships between alert events autonomously. It then constructs alert-chains representing APT attack scenarios from this causality, and applies Latent Dirichlet Allocation (LDA) to model the semantic context of the alert-chains; the LDA model supports a semantic analysis that captures the latent attack intent. Finally, the alert-chain with its auxiliary semantic information is transformed into a graph model, and the attack intention of each alert-chain is extracted with a Gated Graph Neural Network (GGNN), a deep learning method, in order to identify APT attack scenarios. The main research contents are summarised as follows:

1. An APT alert-chain construction method based on causality analysis is proposed. First, multi-source network security logs are collected and preprocessed into a time-ordered alert sequence. Then, causal templates between pairs of events are mined automatically from the alert sequence by means of the Average Causal Effect method, and based on these templates, hyper-alerts composed of two causally related alerts are formed. Finally, following the causal transmission between hyper-alerts, alert-chains that represent whole APT attack scenarios are constructed. In addition, log sets containing APT attacks are emulated and the causal-association alert-chain construction method is tested on them. The experiment shows that the method can mine all the causal templates of the APT attacks without any known APT attack templates, thereby preliminarily forming the APT attack scenarios.

2. A semantic enhancement analysis method for APT detection is proposed. This solution builds a word-document model over the alert-chains formed by causal inference and adopts LDA semantic analysis to mine attack topics from them. It further removes alert-chains irrelevant to APT according to a unified semantic standard. Furthermore, the semantic analysis provides auxiliary semantic properties for the subsequent machine learning stage, which allows it to concentrate on the highly correlated alerts and improves accuracy. Different APT attack log sets are emulated for the experiments; from these, the performance of the method is analysed, and it is verified that LDA analysis can improve the precision of APT detection based on the alert-chains from causal association.

3. A deep learning method is applied to identify APT attack scenarios. It embeds the time attribute and the semantic attribute from LDA into the alert-chain, and then generates a graph model in which the alerts of each chain and the attack-tactic dependencies between alerts are represented. A deep learning method based on the graph neural network is then used to transform the attack semantics of each alert into an attack-intention label for the APT alert-chain. According to these labels, it outputs the optimal set of APT attack sequences, yielding more precise APT attack scenarios. The emulated experimental results show that this method identifies APT alert-chains more precisely on the basis of semantic enhancement. Finally, two existing methods are compared with the proposed method on the emulated set. The comparative experiment shows that the semantic-analysis-enhanced detection solution against APT not only finds APT attack chains but also locates attack steps more accurately, and has better overall performance.

In this dissertation, the APT attack log set is emulated from a log set provided by a cyber security company, and the proposed semantic-analysis-enhanced detection method against advanced persistent threats is verified on it. The method constructs alert-chains from self-mined causality and, aided by semantic analysis, identifies the APT attack intention of each alert-chain with a graph neural network. The experimental results show that the proposed method can effectively cope with the detection challenges posed by the volatile, covert and slow multi-stage attack patterns of APT.
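As an added illustration that is not part of the dissertation or its code, the following Python block walks through research content 1 above on a constructed alert sequence: it estimates a pairwise average causal effect for every ordered pair of alert types, keeps the pairs that reach a threshold as causal templates, pairs concrete alert instances into hyper-alerts, and links hyper-alerts that share an alert into alert-chains. The ACE estimator (a naive difference in outcome rates between alerts of the candidate cause type and all other alerts, with no confounder adjustment), the 45-second window, the 0.5 threshold and the alert type names are all assumptions chosen for this illustration, not the dissertation's settings.

```python
from collections import defaultdict

WINDOW = 45          # seconds: assumed maximum gap between a cause and its effect
ACE_THRESHOLD = 0.5  # assumed cut-off above which a pair becomes a causal template

# Constructed sample alert sequence, sorted by time: (timestamp_seconds, alert_type).
# Three hosts show the same four-step pattern; the last three entries are
# isolated alerts that should not end up in any chain.
SAMPLE_ALERTS = [
    (0, "recon_scan"), (30, "exploit_attempt"), (60, "malware_drop"), (90, "c2_beacon"),
    (1000, "recon_scan"), (1030, "exploit_attempt"), (1060, "malware_drop"), (1090, "c2_beacon"),
    (2000, "recon_scan"), (2030, "exploit_attempt"), (2060, "malware_drop"), (2090, "c2_beacon"),
    (3000, "benign_scan_noise"), (4000, "c2_beacon"), (5000, "recon_scan"),
]


def ace(alerts, cause, effect, window=WINDOW):
    """Naive average causal effect of alert type `cause` on alert type `effect`.

    Treatment X_i = 1 if alert i is of type `cause`; outcome Y_i = 1 if some alert
    of type `effect` fires within `window` seconds after alert i.
    ACE = mean(Y | X=1) - mean(Y | X=0).  This is an assumed, simplified estimator
    with no confounder adjustment, not the dissertation's formulation.
    """
    alerts = sorted(alerts)
    treated, control = [], []
    for i, (t, typ) in enumerate(alerts):
        y = int(any(typ2 == effect and t < t2 <= t + window
                    for t2, typ2 in alerts[i + 1:]))
        (treated if typ == cause else control).append(y)
    if not treated or not control:
        return 0.0
    return sum(treated) / len(treated) - sum(control) / len(control)


def mine_causal_templates(alerts, threshold=ACE_THRESHOLD):
    """Return {(cause, effect): ace_score} for every ordered pair of distinct
    alert types whose estimated ACE reaches the threshold."""
    types = sorted({typ for _, typ in alerts})
    templates = {}
    for cause in types:
        for effect in types:
            if cause != effect:
                score = ace(alerts, cause, effect)
                if score >= threshold:
                    templates[(cause, effect)] = score
    return templates


def form_hyper_alerts(alerts, templates, window=WINDOW):
    """Pair concrete alert instances (i, j), i before j, whose types match a
    causal template and whose gap is within the window: the hyper-alerts."""
    alerts = sorted(alerts)
    pairs = []
    for i, (ti, ci) in enumerate(alerts):
        for j in range(i + 1, len(alerts)):
            tj, cj = alerts[j]
            if tj > ti + window:
                break            # later alerts are even further away in time
            if (ci, cj) in templates:
                pairs.append((i, j))
    return pairs


def build_alert_chains(alerts, hyper_alerts):
    """Link hyper-alerts that share an alert instance ((a,b) and (b,c) -> a,b,c)
    into maximal chains; returns each chain as a list of alert types."""
    alerts = sorted(alerts)
    succ = defaultdict(list)
    has_pred = set()
    for i, j in hyper_alerts:
        succ[i].append(j)
        has_pred.add(j)
    chains = []

    def walk(node, path):
        nxt = succ.get(node, [])
        if not nxt:
            chains.append([alerts[k][1] for k in path])
            return
        for n in nxt:
            walk(n, path + [n])

    # Roots are alerts that start a hyper-alert but are nobody's effect.
    for root in list(succ):
        if root not in has_pred:
            walk(root, [root])
    return chains


def run_pipeline(alerts):
    """The three steps of causality-based alert-chain construction, end to end."""
    templates = mine_causal_templates(alerts)
    hyper_alerts = form_hyper_alerts(alerts, templates)
    return templates, build_alert_chains(alerts, hyper_alerts)


if __name__ == "__main__":
    templates, chains = run_pipeline(SAMPLE_ALERTS)
    for (cause, effect), score in templates.items():
        print(f"template {cause} -> {effect}  ACE={score:.2f}")
    for chain in chains:
        print("alert-chain:", " -> ".join(chain))
```

On the constructed input the only pairs that survive the threshold are recon_scan -> exploit_attempt, exploit_attempt -> malware_drop and malware_drop -> c2_beacon, and the three hosts' alerts fold into three identical four-step chains while the isolated recon, benign-noise and beacon alerts are left out; a pair such as recon_scan -> malware_drop scores negative because the drop follows the exploit, not the scan, which is the kind of indirect relationship a plain co-occurrence count would wrongly accept.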
Keywords/Search Tags: Advanced Persistent Threat, Alert-chain, Causality Analysis, Average Causal Effect, Latent Dirichlet Allocation, Gated Graph Neural Network