APT, known as Advanced Persistent Threat, is a difficult challenge for cyber defence. These threats render many traditional defences ineffective, because the vulnerabilities they exploit are insiders who have access to, and already operate within, the network. This paper proposes DeepTaskAPT, a heterogeneous task-tree based deep learning method that constructs a baseline model from sequences of tasks using a Long Short-Term Memory (LSTM) neural network; the model can be applied across different users to identify anomalous behaviour. Rather than applying the model directly to sequential log entries, as most current approaches do, DeepTaskAPT uses a process-tree based task generation method to produce the sequential log entries consumed by the deep learning model. To assess the performance of DeepTaskAPT, we use a recently released synthetic dataset, the DARPA Operationally Transparent Computing (OpTC) dataset, and a real-world dataset, the Los Alamos National Laboratory (LANL) dataset. Both are composed of host-based data collected from sensors. Our results show that DeepTaskAPT outperforms similar approaches such as DeepLog, and the DeepTaskAPT baseline model demonstrates its capability to detect malicious traces in various attack scenarios with high accuracy and low false-positive rates. To the best of our knowledge, this is the first attempt to use the recently introduced OpTC dataset for cyber threat detection.
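The following is an added illustration (not the paper's code) of the core idea in the abstract: grouping host events into per-task sequences by walking the process tree rather than consuming the interleaved raw log. The event tuples are constructed and only loosely OpTC-shaped, and a simple bigram baseline stands in for the paper's LSTM; the task-root convention (parent pid equal to `ROOT`) is an assumption.

```python
from collections import defaultdict

# Constructed host events (not real OpTC/LANL records): each tuple is
# (timestamp, pid, ppid, action), attributed to process pid whose parent is
# ppid. A process whose parent is ROOT is assumed to start a new task.
ROOT = 1
BENIGN_EVENTS = [
    (1, 100, ROOT, "PROCESS_START"), (2, 101, 100, "PROCESS_START"),
    (3, 101, 100, "FILE_READ"), (4, 101, 100, "FLOW_OPEN"),
    (5, 200, ROOT, "PROCESS_START"), (6, 201, 200, "PROCESS_START"),
    (7, 201, 200, "FILE_READ"), (8, 201, 200, "FLOW_OPEN"),
]
TEST_EVENTS = [
    (9, 300, ROOT, "PROCESS_START"), (10, 301, 300, "PROCESS_START"),
    (11, 301, 300, "FILE_READ"), (12, 301, 300, "FLOW_OPEN"),
    (13, 400, ROOT, "PROCESS_START"), (14, 401, 400, "PROCESS_START"),
    (15, 401, 400, "FILE_WRITE"), (16, 401, 400, "PROCESS_START"),  # transitions never seen in baseline
]

def build_tasks(events, root=ROOT):
    """Group events into per-task action sequences using the process tree.

    A task is rooted at a process whose parent is `root`; every event of a
    descendant process is appended to its root ancestor's sequence, so the
    sequence order follows the tree instead of raw log order.
    """
    parent = {pid: ppid for _, pid, ppid, _ in events}
    def root_of(pid):
        while parent.get(pid, root) != root:
            pid = parent[pid]
        return pid
    tasks = defaultdict(list)
    for _, pid, _, action in sorted(events):
        tasks[root_of(pid)].append(action)
    return dict(tasks)

def fit_baseline(tasks):
    """Bigram stand-in for the LSTM: the set of (previous, current) action pairs seen in benign tasks."""
    seen = set()
    for seq in tasks.values():
        seen.update(zip(["<s>"] + seq, seq + ["</s>"]))
    return seen

def score_task(seq, baseline):
    """Count transitions in seq absent from the baseline; 0 means the task is fully expected."""
    return sum(pair not in baseline for pair in zip(["<s>"] + seq, seq + ["</s>"]))

def detect(events, baseline, threshold=1):
    """Return root pids of tasks whose unseen-transition count reaches the threshold."""
    return sorted(pid for pid, seq in build_tasks(events).items()
                  if score_task(seq, baseline) >= threshold)
```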