A Method of APT Attack Detection Based on DBN-SVDD

Authors: Liu Feifan*, Li Yuan: School of Computer Science, Wuhan University, Wuhan, Hubei; Xia Fei: Information and Communication Branch, State Grid Jiangsu Electric Power Company, Nanjing, Jiangsu; Zhou Jing: Beijing Huitong Jincai Information Technology Co., Ltd., Beijing

Keywords: Advanced Persistent Threat; Deep Learning; Data Mining; Semi-Supervised Learning

Abstract:
Advanced Persistent Threats (APT) attract a high level of attention because they are commonly used to steal an enterprise's core data and cause severe damage. An APT campaign mounts a long-term, persistent network attack against a specific target and is highly covert and latent, so traditional detection techniques cannot identify it effectively. Current APT detection approaches fall into three categories: sandbox schemes, network anomaly detection schemes and full-traffic schemes. Existing methods, however, suffer from low detection accuracy and a need for large numbers of labelled samples. This paper proposes a deep-learning-based network intrusion detection model, DBN-SVDD, within the network anomaly detection approach. The method uses a DBN (deep belief network) to reduce the dimensionality of the input features and thereby improve detection efficiency, then applies SVDD (support vector data description) to the reduced data to detect intrusions. Experiments on the NSL-KDD dataset show a detection rate of 93.71%. The method requires no supervision and no large volume of labelled samples, handles high-dimensional data effectively, and can therefore be applied to APT attack detection.
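The abstract describes the pipeline only at the level of "DBN reduces dimensionality, SVDD detects". The following is an added example, not the paper's code (the paper's implementation is not on this page): a toy version of that pipeline in pure Python. One Bernoulli RBM trained with 1-step contrastive divergence plays the DBN's dimensionality-reduction role (a real DBN stacks several such layers and fine-tunes them), and a hard-margin RBF-kernel SVDD is then fit to the hidden codes. Everything else is an assumption made for the example: the 12-column feature layout and the "normal" and "attack" records are constructed stand-ins for NSL-KDD rows, the SVDD solver is a Frank-Wolfe (Bădoiu-Clarkson) iteration on the dual rather than the soft-margin QP with penalty C used in practice, and the hyperparameters (4 hidden units, gamma, epochs, learning rate) are arbitrary.

```python
import math
import random

RNG = random.Random(7)   # fixed seed: the example is reproducible
N_FEAT = 12              # constructed stand-in for NSL-KDD's 41 columns


def sigmoid(x):
    x = max(-30.0, min(30.0, x))   # clamp so math.exp cannot overflow
    return 1.0 / (1.0 + math.exp(-x))


class RBM:
    """One DBN layer: Bernoulli RBM trained with 1-step contrastive divergence (CD-1)."""

    def __init__(self, n_vis, n_hid, rng=RNG):
        self.n_vis, self.n_hid, self.rng = n_vis, n_hid, rng
        self.W = [[rng.gauss(0.0, 0.05) for _ in range(n_hid)] for _ in range(n_vis)]
        self.b_vis, self.b_hid = [0.0] * n_vis, [0.0] * n_hid

    def hidden(self, v):   # P(h_j = 1 | v)
        return [sigmoid(self.b_hid[j] + sum(v[i] * self.W[i][j] for i in range(self.n_vis)))
                for j in range(self.n_hid)]

    def visible(self, h):  # P(v_i = 1 | h)
        return [sigmoid(self.b_vis[i] + sum(h[j] * self.W[i][j] for j in range(self.n_hid)))
                for i in range(self.n_vis)]

    def fit(self, data, epochs=20, lr=0.1):
        for _ in range(epochs):
            for v0 in data:
                h0 = self.hidden(v0)
                h0s = [1.0 if self.rng.random() < p else 0.0 for p in h0]  # sample hidden
                v1 = self.visible(h0s)   # one Gibbs step back to the visible layer
                h1 = self.hidden(v1)
                for i in range(self.n_vis):   # positive phase minus negative phase
                    for j in range(self.n_hid):
                        self.W[i][j] += lr * (v0[i] * h0[j] - v1[i] * h1[j])
                    self.b_vis[i] += lr * (v0[i] - v1[i])
                for j in range(self.n_hid):
                    self.b_hid[j] += lr * (h0[j] - h1[j])
        return self

    def encode(self, v):
        return self.hidden(v)   # mean-field hidden code = the reduced feature vector


def rbf(x, y, gamma):
    return math.exp(-gamma * sum((a - b) ** 2 for a, b in zip(x, y)))


class SVDD:
    """Hard-margin kernel SVDD: the smallest ball enclosing all training points in RBF
    feature space, found by Frank-Wolfe iterations on the dual (alpha sums to 1)."""

    def __init__(self, gamma=1.0, iters=100):
        self.gamma, self.iters = gamma, iters

    def fit(self, X):
        n, self.X = len(X), X
        K = [[rbf(X[i], X[j], self.gamma) for j in range(n)] for i in range(n)]
        alpha = [1.0] + [0.0] * (n - 1)
        for t in range(1, self.iters + 1):
            s = [sum(alpha[j] * K[i][j] for j in range(n)) for i in range(n)]
            cn = sum(a * si for a, si in zip(alpha, s))        # ||centre||^2
            d2 = [K[i][i] - 2.0 * s[i] + cn for i in range(n)]  # squared distances to centre
            far = max(range(n), key=d2.__getitem__)             # farthest training point
            eta = 1.0 / (t + 1)                                  # pull the centre towards it
            alpha = [(1.0 - eta) * a for a in alpha]
            alpha[far] += eta
        self.alpha = alpha
        s = [sum(alpha[j] * K[i][j] for j in range(n)) for i in range(n)]
        self.cn = sum(a * si for a, si in zip(alpha, s))
        self.r2 = max(K[i][i] - 2.0 * s[i] + self.cn for i in range(n))  # radius^2
        return self

    def distance2(self, z):   # K(z, z) is 1 for the RBF kernel
        return 1.0 - 2.0 * sum(a * rbf(z, x, self.gamma) for a, x in zip(self.alpha, self.X)) + self.cn

    def is_anomaly(self, z):
        return self.distance2(z) > self.r2


def normal_record(rng):
    # Constructed "normal" flow: two latent factors drive correlated, [0,1]-scaled features.
    a, b = rng.uniform(0.0, 0.3), rng.uniform(0.0, 0.3)
    base = [a, 0.9 * a, 0.8 * a, 0.7 * a, b, 0.9 * b, 0.8 * b, 0.7 * b,
            0.5 * (a + b), 0.4 * (a + b), 0.3 * (a + b), 0.2 * (a + b)]
    return [min(1.0, max(0.0, x + rng.gauss(0.0, 0.02))) for x in base]


NORMAL = [normal_record(RNG) for _ in range(120)]
ATTACK = [1.0] * N_FEAT   # constructed probe-like record: every count/rate feature at its maximum


def run_pipeline(train, n_hid=4, gamma=2.0):
    rbm = RBM(N_FEAT, n_hid).fit(train)                              # stage 1: compress
    svdd = SVDD(gamma=gamma).fit([rbm.encode(v) for v in train])    # stage 2: describe normal
    return rbm, svdd


def detect(rbm, svdd, record):
    return svdd.is_anomaly(rbm.encode(record))
```

Two checks worth keeping in mind when reading the 93.71% figure: the SVDD ball is fit only to data assumed to be normal, so "unsupervised" still presumes an attack-free baseline (attack records in the training set enlarge the ball and hide later attacks), and NSL-KDD, a cleaned subset of KDD Cup 99 with DoS, Probe, R2L and U2R classes, contains no multi-stage APT campaigns, so a detection rate reported without a false-positive rate is a benchmark result rather than evidence on APT traffic.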

Citation: Liu, F., Li, Y., Xia, F. and Zhou, J. (2017) A Method of APT Attack Detection Based on DBN-SVDD. Computer Science and Application, 7, 1146-1155. doi: 10.12677/CSA.2017.711129
