Computer Science (计算机科学) ›› 2020, Vol. 47 ›› Issue (1): 281-286. doi: 10.11896/jsjkx.181102103

• Information Security •

APT Attack Detection Based on GAN-LSTM

刘海波,武天博,沈晶,史长亭   

  1. (College of Computer Science and Technology, Harbin Engineering University, Harbin 150000)
  • Received: 2018-11-15 Published: 2020-01-19
  • Corresponding author: 沈晶 (SHEN Jing) (shenjing@hrbeu.edu.cn)
  • Supported by:
    Natural Science Foundation of Heilongjiang Province (F2018011); Fundamental Research Funds for the Central Universities (HEUCFP201808, HEUCFP201838)

Advanced Persistent Threat Detection Based on Generative Adversarial Networks and Long Short-term Memory

LIU Hai-bo,WU Tian-bo,SHEN Jing,SHI Chang-ting   

  1. (College of Computer Science and Technology, Harbin Engineering University, Harbin 150000, China)
  • Received: 2018-11-15 Published: 2020-01-19
  • About author: LIU Hai-bo, born in 1976, Ph.D, associate professor, is a member of China Computer Federation (CCF). His research interests include intelligence computing and information security; SHEN Jing, born in 1969, Ph.D, associate professor, is a member of China Computer Federation (CCF). Her research interests include machine learning.
  • Supported by:
    This work was supported by the Natural Science Foundation of Heilongjiang Province of China (F2018011) and the Fundamental Research Funds for the Central Universities of Ministry of Education of China (HEUCFP201808, HEUCFP201838).

Abstract (translated from the Chinese): The harm caused by advanced persistent threats (APT) is becoming increasingly serious. Traditional APT detection methods target a relatively single attack pattern and handle APT attacks over a relatively short time span, so they do not fully capture the time-series nature of APT attacks; as a result, their accuracy is very low when attack data samples are few and the attack lasts a long time. To solve this problem, this paper proposes an APT attack detection method based on generative adversarial networks (GAN) and long short-term memory networks (LSTM). On the one hand, a GAN is used to simulate and generate attack data, producing a large number of attack samples for the discriminative model and thus improving its accuracy; on the other hand, the memory cells and gate structure of the LSTM model preserve feature memory across sequence fragments of an APT attack sequence that are correlated but widely separated in time. The Keras open-source framework is used to build and train the models, and comparative experiments on attack data generation and APT attack sequence detection are analyzed using accuracy, false positive rate, ROC curves and other metrics. Generating simulated attack data with the generative model to optimize the discriminative model raises the accuracy of the original discriminative model by 2.84%, and compared with an APT attack sequence detection method based on recurrent neural networks (RNN), the proposed method improves detection accuracy by 0.99 percentage points. The experimental results fully show that the GAN-LSTM based APT attack detection algorithm can increase the sample size by introducing a generative model, thereby improving the accuracy of the discriminative model and reducing its false positive rate; at the same time, compared with other temporal structures, detecting APT attack sequences with the LSTM model achieves higher accuracy and a lower false positive rate, which verifies the feasibility and effectiveness of the proposed method.

Keywords: Network security, Game theory, Advanced persistent threat, Generative adversarial networks, Long short-term memory

Abstract: Advanced persistent threat (APT) brings more and more serious harm. Traditional APT detection methods have a lower accuracy when the attack data samples are fewer and the attack duration is longer. To solve this problem, an APT attack detection method based on generative adversarial networks (GAN) and long short-term memory (LSTM) was proposed. On the one hand, this method generates attack data based on GAN simulation, generates a large number of attack samples for the discriminant model, and improves the accuracy of the model. On the other hand, the memory unit and gate structure of the LSTM model guarantee the feature memory among the sequence fragments which have correlation and large time interval in an APT attack sequence. The Keras open source framework was used to construct and train the model, and Accuracy, FPR and ROC curve were used as metrics to compare, test and analyze the methods of attack data generation and APT attack sequence detection. By generating simulated attack data and optimizing the discriminant model, the accuracy of the original discriminant model is improved by 2.84%, and the accuracy of APT attack sequence detection is improved by 0.99% compared with the recurrent neural network (RNN) model. The experimental results fully show that the APT attack detection algorithm based on GAN-LSTM can improve the accuracy of the discriminant model and reduce the false alarm rate by introducing a generative model to increase the sample size, and that detection of APT attack sequences using the LSTM model has better accuracy and a lower false alarm rate than other temporal structures, which shows the feasibility and validity of the proposed method.

Key words: Network security, Game theory, Advanced persistent threat, Generative adversarial networks, Long short-term memory

CLC number:

  • TP393