A Real-time APT Attack Detection Scheme Based on Fusion Provenance Graph in Private Clouds

Bibliographic Details
Published in: 2024 International Conference on Networking and Network Applications (NaNA), pp. 490-495
Main Authors: Li, Han; Yang, Chuanwei; Zha, Baitong; Liu, Lifan; Zhang, Zhiwei; Zhong, Shuo
Format: Conference Proceeding
Language: English
Published: IEEE, 09.08.2024
Summary: In recent years, with the advancement of cyber space attack and defense technologies, advanced persistent threats have become one of the biggest threats to modern computing environments due to their unique high stealthiness and strong persistence. The characteristics of data redundancy in private clouds lead to the construction of provenance graphs from low-dimensional system logs being excessively large, making it difficult to model the system and focus on locating malicious behavior. Therefore, we propose a real-time APT attack detection method for private clouds, which aggregates low-dimensional information using high-dimensional semantic platform information. It extracts real-time provenance graphs through fast feature extraction methods for real-time detection. Then, by converting the causal relationships in the dynamic fusion provenance graph into fixed-length feature vectors using a hash-based feature extraction method, it utilizes a time-series recurrent neural network to extract temporal relationships. By introducing a local attention mechanism with a window parameter, we simultaneously focus on global temporal relationships and behavioral connections within the window, achieving effective detection of APT attacks. Experimental results show that compared to existing real-time APT attack detection solutions, our method improves the accuracy of APT attack detection by 5.94%.
DOI: 10.1109/NaNA63151.2024.00087