
Research On Advanced Persistent Threat Detection Based On Graph Computing

Posted on: 2024-01-28
Degree: Master
Type: Thesis
Country: China
Candidate: Z X Lin
Full Text: PDF
GTID: 2558307106453124
Subject: Cyberspace security

Abstract/Summary:
With the development of network technology, the number of assets and services exposed in cyberspace keeps growing, and so does the frequency of security incidents, making the global cybersecurity situation increasingly complex. Advanced Persistent Threats (APT), a newer class of network attack, use more sophisticated techniques to carry out sustained, precisely targeted attacks against national strategic objectives, critical infrastructure and other targets, and pose a major challenge to cyberspace security. Traditional signature-based detection is inadequate against constantly evolving attack techniques, so anomaly-based detection, which models normal behavior patterns and flags deviations from them, has become a popular approach to detecting complex network attacks. However, the log data that records these behaviors comes from diverse sources with different structures, and the behaviors themselves have complex spatiotemporal correlations.

A graph is a data structure that can effectively represent complex relationships between entities, and has been widely applied to link prediction, semantic network analysis and other fields. Building graphs that represent the behaviors in log data, and mining the latent correlations between security events from different sources and time periods, gives a more comprehensive view of the behavioral correlations among users, hosts and even processes. With graph computing techniques, anomalous substructures in the graph (anomalous nodes and anomalous edges) can be analyzed to detect behavior that deviates from the normal pattern, and thus to detect attacks. Therefore, this thesis constructs behavior correlation graphs and event object graphs using graph computing methods, and combines them with unsupervised deep learning methods to detect anomalous edges and nodes in the graph structure, thereby detecting attack behaviors. The main research contents and innovations are as follows:

(1) An APT detection model based on a behavior correlation graph is proposed. The model correlates a series of user operations into a behavior correlation graph whose nodes are process-level behaviors, and represents the behavior correlations as vectors. An Autoencoder is then used for anomaly detection: APT attacks are detected by detecting anomalous edges of the behavior correlation graph. Experiments on the public LANL dataset show that the model achieves good accuracy.

(2) An APT detection model based on an event object graph is proposed. The model first constructs an event object graph whose nodes are login events, and proposes Detec, a graph-structure anomaly detection model based on a Graph Convolutional Autoencoder. The encoder of Detec consists of a two-layer Graph Convolutional Network that learns a latent representation of the structure and attributes of the event object graph; a structure reconstruction decoder and an attribute reconstruction decoder then reconstruct the node attributes and structure of the event object graph. Finally, the anomaly score of each node is used to identify anomalous nodes. Experiments on the public LANL dataset verify the effectiveness of the model.
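The following is an added illustration of the event object graph and node anomaly score described in (2); it is not code from the thesis or the Detec model. It builds a graph whose nodes are login events from a handful of constructed records laid out like LANL auth.txt lines, links two events under an assumed rule (same source user or a shared computer within a time window), and then scores each node as a weighted sum of attribute and structure reconstruction errors. The two-layer GCN encoder is imitated by two symmetric-normalised propagations with identity weight matrices, the attribute decoder by one more propagation, and the structure decoder by sigmoid(Z Z^T); nothing is trained, so the numbers only show how the score separates a node whose attributes and neighbourhood disagree, not what the learned model would output. The attribute vector `[is_kerberos, is_ntlm, succeeded]`, the edge rule, the window size and `alpha` are all assumptions.

```python
"""Event object graph over login events plus a reconstruction-error anomaly
score in the style of a GCN autoencoder (untrained, identity weights)."""
import math
from itertools import combinations

# Constructed sample records (not real data) in the nine-field layout of the
# LANL auth log: time,src_user@domain,dst_user@domain,src_computer,
# dst_computer,auth_type,logon_type,auth_orientation,outcome.
# Record 5 is the planted outlier: U1 from an unseen host, NTLM, failed.
SAMPLE_AUTH = """\
1,U1@DOM1,U1@DOM1,C1,C2,Kerberos,Network,LogOn,Success
2,U1@DOM1,U1@DOM1,C1,C3,Kerberos,Network,LogOn,Success
3,U2@DOM1,U2@DOM1,C4,C2,Kerberos,Network,LogOn,Success
4,U1@DOM1,U1@DOM1,C1,C2,Kerberos,Network,LogOn,Success
5,U1@DOM1,U1@DOM1,C9,C5,NTLM,Network,LogOn,Fail
6,U2@DOM1,U2@DOM1,C4,C3,Kerberos,Network,LogOn,Success
"""


def parse_auth(text):
    """One dict per login event (one graph node per record)."""
    events = []
    for line in text.strip().splitlines():
        f = line.split(",")
        events.append({"time": int(f[0]), "src_user": f[1], "src_host": f[3],
                       "dst_host": f[4], "auth": f[5], "outcome": f[8]})
    return events


def node_attributes(ev):
    """Assumed attribute vector: [is_kerberos, is_ntlm, succeeded]."""
    return [float(ev["auth"] == "Kerberos"), float(ev["auth"] == "NTLM"),
            float(ev["outcome"] == "Success")]


def build_event_graph(events, window=100):
    """Assumed edge rule: two login events are linked when they fall within
    `window` seconds of each other and share the source user or a computer."""
    edges = set()
    for i, j in combinations(range(len(events)), 2):
        a, b = events[i], events[j]
        if abs(a["time"] - b["time"]) > window:
            continue
        same_user = a["src_user"] == b["src_user"]
        shared_host = {a["src_host"], a["dst_host"]} & {b["src_host"], b["dst_host"]}
        if same_user or shared_host:
            edges.add((i, j))
    return sorted(edges)


def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]


def transpose(m):
    return [list(col) for col in zip(*m)]


def gcn_propagation(n, edges):
    """Return the raw adjacency A and the GCN operator D^-1/2 (A + I) D^-1/2."""
    adj = [[0.0] * n for _ in range(n)]
    for i, j in edges:
        adj[i][j] = adj[j][i] = 1.0
    with_loops = [[adj[i][j] + (1.0 if i == j else 0.0) for j in range(n)] for i in range(n)]
    deg = [sum(row) for row in with_loops]
    a_hat = [[with_loops[i][j] / math.sqrt(deg[i] * deg[j]) for j in range(n)] for i in range(n)]
    return adj, a_hat


def sigmoid(v):
    return 1.0 / (1.0 + math.exp(-v))


def anomaly_scores(events, edges, alpha=0.5):
    """Node anomaly score = alpha * attribute reconstruction error
    + (1 - alpha) * structure reconstruction error (Euclidean norms)."""
    n = len(events)
    x = [node_attributes(e) for e in events]
    adj, a_hat = gcn_propagation(n, edges)
    # Two-layer GCN encoder with identity weight matrices (no training):
    # each layer replaces a node's vector by the normalised neighbourhood average.
    z = matmul(a_hat, matmul(a_hat, x))
    x_rec = matmul(a_hat, z)  # attribute decoder: one more propagation
    a_rec = [[sigmoid(v) for v in row] for row in matmul(z, transpose(z))]  # structure decoder
    scores = {}
    for i in range(n):
        attr_err = math.sqrt(sum((x[i][k] - x_rec[i][k]) ** 2 for k in range(len(x[i]))))
        struct_err = math.sqrt(sum((adj[i][j] - a_rec[i][j]) ** 2 for j in range(n)))
        scores[events[i]["time"]] = alpha * attr_err + (1 - alpha) * struct_err
    return scores


def rank_events(text=SAMPLE_AUTH):
    """Parse, build the graph, score every login event and rank by score."""
    events = parse_auth(text)
    edges = build_event_graph(events)
    scores = anomaly_scores(events, edges)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for time, score in rank_events():
        print(f"event {time}: anomaly score {score:.3f}")
```

Running `rank_events()` puts event 5 at the top: its neighbours (the other U1 logins) all carry Kerberos/success attributes, so propagation pulls its reconstructed vector toward theirs and the attribute error dominates. A learned encoder and decoders replace the identity weights and propagation used here, and the weighting `alpha` between the two error terms is a tuning choice, not a value from the thesis.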
Keywords/Search Tags:Advanced Persistent Threat, Graph computing, Anomaly detection, Graph anomaly detection