中圖分類號： TP319
文獻標識碼： A
DOI： 10.19358/j.issn.2097-1788.2022.04.008
引用格式： 羅漢新，王金雙，伍文昌. 基于溯源圖節點級別的APT檢測[J].網絡安全與數據治理，2022，41(4)：49-55.

Detecting advanced persistent threats through provenance graph in node level

Abstract： Traditional intrusion detection systems cannot cope with the increasing number and sophistication of cyberattacks such as advanced persistent threats(APT). Because they may not detect stealthy threat incidents for several months and have a high false-positive rate. Recent studies propose leveraging provenance data to detect threats in a host. Provenance graph is a directed acyclic graph constructed from provenance data. However, previous studies, which extracted features of the whole provenance graph, were not sensitive to the small number of threat-related entities(nodes), so it is still difficult to identify and locate the real attack entities. We propose a real-time detection method in node level. The benign nodes are clustered into clusters using K-Means and silhouette coefficient methods. An node is considered abnormal if it does not fit into any of the model′s clusters. Unicorn SC-2 and DARPA TC datasets are used to evaluate this method. The evaluation shows that this method achieves 95.83% accuracy and can accurately locate the positions of anomalous nodes.

Key words : advanced persistent threats(APT)；intrusion detection；machine learning；provenance graph