
Research On The Method Of APT Attack Traffic Anomaly Detection Based On Machine Learning

Posted on: 2024-01-31
Degree: Master
Type: Thesis
Country: China
Candidate: G X Lv
Full Text: PDF
GTID: 2568307049488394
Subject: Resources and environment
Abstract/Summary:
Against the backdrop of building a digital and smart China, the information industry has become a pillar of the country's economic development. However, it has also brought cybersecurity challenges. Criminals use network attack techniques to intrude and wreak havoc, causing serious losses and threats to individuals, enterprises, and the country. Among the many network attack techniques, APT attacks are particularly dangerous, covert, and long-lasting. China has long been a victim of APT attacks, which pose significant challenges to national and defense security. APT attacks are advanced, persistent, and threatening, and current APT attack detection consequently faces the following difficulties:

(1) A lack of real APT attack traffic data. APT attack data is difficult to obtain, so APT attack detection models cannot be effectively trained and optimized.

(2) Non-standardized datasets. APT attack detection still relies on outdated intrusion detection datasets that have not been updated promptly.

(3) Imperfect models. Models struggle to adapt to high-dimensional traffic data; most cannot effectively extract features from and model such data, resulting in high false negative and false positive rates.

To address these key issues, this paper takes APT attack detection as its research background and combines it with machine learning methods. The main research work is as follows:

(1) Dataset construction: Collect or capture traffic data from multiple sources, add traffic data containing real APT attacks, and combine them with traffic mixing technology to construct a dataset named APT-CC, improving dataset diversity and complexity.

(2) Dataset optimization: Conduct an in-depth analysis of the data, propose an optimization scheme for the construction of the APT-CC dataset, use a mixed oversampling + undersampling method to address imbalanced traffic data, and perform feature selection and correlation analysis on the dataset. Train multiple models on the dataset to test its quality, and update the dataset promptly.

(3) Model optimization: This paper proposes a new variational autoencoder-Gaussian mixture (VAE-GMM) APT attack detection model. It consists of two parts: a generative network whose main purpose is compression and dimensionality reduction, and an estimation network that uses the idea of the Gaussian mixture model for parameter updating. The two are trained and optimized jointly, the loss function is redesigned, and together these help the model escape local optima and improve its generalization ability. Comparative experiments show that the VAE-GMM algorithm outperforms other models in terms of miss and false alarm rates, and improves recall by 13% and accuracy by 3% compared to the DAGMM model.
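The estimation-network idea described above, where a Gaussian mixture is fitted to the compressed representation of benign traffic and a sample is scored by its negative log-likelihood ("energy"), is illustrated below in an added example. It is not the thesis's code and does not use the APT-CC dataset: the 2-D points stand in for compressed flow features and are constructed with a fixed seed, the diagonal-covariance EM fit is a plain-Python stand-in for the jointly trained estimation network, and the threshold is simply the 99th percentile of training energies.

```python
"""Energy-based anomaly scoring with a diagonal Gaussian mixture model (GMM).

Added illustration (not from the thesis) of the estimation-network idea behind
DAGMM/VAE-GMM style detectors: fit a GMM to the low-dimensional representation
of benign traffic, score new samples by their negative log-likelihood ("sample
energy"), and flag samples whose energy exceeds a threshold learned on the
training set. Pure Python; the 2-D inputs are constructed stand-ins for
compressed flow features, not data from APT-CC.
"""
import math
import random

EPS = 1e-6  # variance floor so a collapsed component cannot yield infinite energy


def _log_gauss_diag(x, mu, var):
    """log N(x | mu, diag(var)) for one mixture component."""
    return sum(-0.5 * (math.log(2 * math.pi * v) + (xi - m) ** 2 / v)
               for xi, m, v in zip(x, mu, var))


def _logsumexp(vals):
    """Numerically stable log(sum(exp(vals)))."""
    m = max(vals)
    return m + math.log(sum(math.exp(v - m) for v in vals))


def fit_gmm(data, k=2, iters=50):
    """Fit a k-component diagonal GMM by EM. Returns (weights, means, variances)."""
    n, d = len(data), len(data[0])
    # Deterministic init spread over the data; production code would use k-means++.
    means = [list(data[(j * n) // k]) for j in range(k)]
    variances = [[1.0] * d for _ in range(k)]
    weights = [1.0 / k] * k
    for _ in range(iters):
        # E-step: responsibilities resp[i][j] = p(component j | x_i)
        resp = []
        for x in data:
            logs = [math.log(weights[j]) + _log_gauss_diag(x, means[j], variances[j])
                    for j in range(k)]
            z = _logsumexp(logs)
            resp.append([math.exp(lv - z) for lv in logs])
        # M-step: re-estimate weights, means and per-dimension variances
        for j in range(k):
            nj = sum(r[j] for r in resp) + 1e-12
            weights[j] = nj / n
            means[j] = [sum(r[j] * x[t] for r, x in zip(resp, data)) / nj for t in range(d)]
            variances[j] = [sum(r[j] * (x[t] - means[j][t]) ** 2 for r, x in zip(resp, data)) / nj + EPS
                            for t in range(d)]
    return weights, means, variances


def energy(x, gmm):
    """Sample energy E(x) = -log sum_j w_j N(x | mu_j, var_j); higher means more anomalous."""
    weights, means, variances = gmm
    return -_logsumexp([math.log(w) + _log_gauss_diag(x, m, v)
                        for w, m, v in zip(weights, means, variances)])


def energy_threshold(train, gmm, percentile=0.99):
    """Threshold such that roughly (1 - percentile) of the benign training set is flagged."""
    es = sorted(energy(x, gmm) for x in train)
    return es[min(len(es) - 1, int(percentile * len(es)))]


def make_constructed_data(seed=7):
    """Constructed sample: two benign clusters plus a few far-off 'attack' points."""
    rng = random.Random(seed)
    benign = [(rng.gauss(0, 0.5), rng.gauss(0, 0.5)) for _ in range(200)]
    benign += [(rng.gauss(5, 0.5), rng.gauss(5, 0.5)) for _ in range(200)]
    attacks = [(rng.gauss(10, 0.5), rng.gauss(-10, 0.5)) for _ in range(5)]
    return benign, attacks


def detect(seed=7):
    """Fit on benign data only, then count flagged benign (false positives) and attack samples."""
    benign, attacks = make_constructed_data(seed)
    gmm = fit_gmm(benign, k=2)
    thr = energy_threshold(benign, gmm)
    flagged_benign = sum(energy(x, gmm) > thr for x in benign)
    flagged_attacks = sum(energy(x, gmm) > thr for x in attacks)
    return {"threshold": thr, "false_positives": flagged_benign,
            "true_positives": flagged_attacks,
            "n_benign": len(benign), "n_attacks": len(attacks)}


if __name__ == "__main__":
    print(detect())
```

The point a practitioner should take from this is the split the abstract describes: the density model is fitted to normal traffic only, so no attack samples are needed for training, and the operating point is set by a percentile of benign energies. In a VAE-GMM the inputs to `fit_gmm` would be the encoder's latent codes (plus reconstruction-error features) and the GMM parameters would be updated jointly with the encoder rather than by a separate EM pass.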
Keywords/Search Tags: APT attacks, Flow data processing, Anomaly detection, VAE-GMM model