中图分类号： TP319
文献标识码： A
DOI： 10.19358/j.issn.2097-1788.2022.04.008
引用格式： 罗汉新，王金双，伍文昌. 基于溯源图节点级别的APT检测[J].网络安全与数据治理，2022，41(4)：49-55.

Detecting advanced persistent threats through provenance graph in node level

Abstract： Traditional intrusion detection systems cannot cope with the increasing number and sophistication of cyberattacks such as advanced persistent threats(APT). Because they may not detect stealthy threat incidents for several months and have a high false-positive rate. Recent studies propose leveraging provenance data to detect threats in a host. Provenance graph is a directed acyclic graph constructed from provenance data. However, previous studies, which extracted features of the whole provenance graph, were not sensitive to the small number of threat-related entities(nodes), so it is still difficult to identify and locate the real attack entities. We propose a real-time detection method in node level. The benign nodes are clustered into clusters using K-Means and silhouette coefficient methods. An node is considered abnormal if it does not fit into any of the model′s clusters. Unicorn SC-2 and DARPA TC datasets are used to evaluate this method. The evaluation shows that this method achieves 95.83% accuracy and can accurately locate the positions of anomalous nodes.

Key words : advanced persistent threats(APT)；intrusion detection；machine learning；provenance graph