Research on an APT attack detection model integrating provenance graphs and knowledge graphs
Cyber Security and Data Governance
An Yuan1, Bao Yongqing2
1. National Computer Network Emergency Response Technical Team/Coordination Center of China, Xizang Branch; 2. Office of the Cyberspace Administration and Informatization Committee of the Communist Party of China Xizang Autonomous Region Committee
CLC number: TP393.08    Document code: A    DOI: 10.19358/j.issn.2097-1788.2026.03.002
Chinese citation format: 安渊, 鲍永庆. 融合溯源图与知识图谱的APT攻击检测模型研究[J]. 网络安全与数据治理, 2026, 45(3): 10-16.
English citation format: An Yuan, Bao Yongqing. Research on an APT attack detection model integrating provenance graphs and knowledge graphs[J]. Cyber Security and Data Governance, 2026, 45(3): 10-16.
Abstract: Advanced Persistent Threat (APT) attacks, characterized by strong concealment, long duration, and multi-stage progressive patterns, were addressed by a novel detection model. The model was constructed through the fusion of dynamic system behavior provenance graphs with static threat intelligence knowledge graphs. Spatial dependencies and temporal evolution relationships within attack chains were jointly modeled using spatial-temporal graph attention networks. Suspicious associations between entities were captured through graph attention mechanisms, while stage-wise evolution of behavioral sequences was modeled using gated recurrent units, enabling end-to-end detection of complete APT attack chains. Experiments on the public WindowsAPTs Dataset 2025 demonstrated that the proposed model performed well in the APT multi-classification detection task, with an accuracy of 95.14% and an F1-score of 95.29%.
Keywords: APT attack detection; provenance graph; knowledge graph
Introduction
Advanced Persistent Threat (APT) attacks, with their stealth, persistence and organized character, have become a core challenge for enterprise network security. Unlike conventional network attacks, APT attacks are typically launched by groups with clear strategic intent, follow a multi-stage, progressive pattern, and combine social engineering, zero-day exploitation and complex command-and-control infrastructure in order to remain dormant for long periods and steal high-value information [1]. Traditional detection methods that rely on matching known signatures or on single-point anomaly thresholds [2] lack an understanding of the attack's global context and internal logical relations, and so are often ineffective, producing both false negatives and false positives.
To break through this bottleneck, the research paradigm of building data provenance graphs from system audit logs [3] has emerged. By reconstructing scattered system events into a directed graph whose edges carry causal and temporal attributes, this approach gives an intuitive depiction of the dependencies between entities in the attack chain and provides a strong structured representation for reconstructing complex multi-step attacks.
At the same time, knowledge graph technology offers an ideal framework for integrating and exploiting fragmented information in the cybersecurity domain. In particular, knowledge bases such as MITRE ATT&CK [4] systematically model the complex relationships among APT groups, attack techniques, tools used and defensive measures.
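The two preceding paragraphs describe the two inputs the model fuses: a provenance graph rebuilt from audit events, and a knowledge graph of attack techniques. The following Python is an added example, not the paper's model or code. It rebuilds a provenance graph from a handful of constructed audit lines (the log format, process and file names, and the IP are made up), runs a time-aware backward trace from a suspicious network connection to recover the multi-step chain while leaving unrelated activity out, and then tags each recovered edge from a tiny hand-written rule table standing in for a knowledge graph. The rule labels are illustrative wording, not quoted from MITRE ATT&CK.

```python
"""Provenance-graph construction and backward causal tracing over audit events.

Added example; this is not the paper's model. The audit log, entity names and
the mini "knowledge graph" of technique labels below are constructed for
illustration (the label text is illustrative, not quoted from MITRE ATT&CK).
"""
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "ts subject op obj")

# Constructed audit events: "<timestamp> <subject> <operation> <object>".
AUDIT_LOG = [
    "1 winword.exe FILE_READ invoice.docm",
    "2 winword.exe PROC_CREATE powershell.exe",
    "3 powershell.exe NET_CONNECT 203.0.113.7:443",
    "4 powershell.exe FILE_WRITE stage2.dll",
    "5 rundll32.exe FILE_READ stage2.dll",
    "6 rundll32.exe FILE_READ secrets.xlsx",
    "7 rundll32.exe NET_CONNECT 203.0.113.7:443",
    "8 explorer.exe FILE_READ readme.txt",  # unrelated benign activity
]

# Direction of information flow per operation: subject -> object, or object -> subject.
FLOW_TO_OBJECT = {"PROC_CREATE", "FILE_WRITE", "NET_CONNECT"}
FLOW_TO_SUBJECT = {"FILE_READ"}

# Constructed mini knowledge graph: (predicate on an edge, technique label).
KG_RULES = [
    (lambda s, op, d: s == "winword.exe" and op == "PROC_CREATE" and d == "powershell.exe",
     "Office document spawning a script interpreter"),
    (lambda s, op, d: op == "FILE_WRITE" and d.endswith(".dll"),
     "second-stage payload dropped"),
    (lambda s, op, d: op == "FILE_READ" and s.endswith(".dll") and d == "rundll32.exe",
     "payload loaded via rundll32"),
    (lambda s, op, d: op == "NET_CONNECT",
     "outbound channel (C2 or exfiltration)"),
]


def parse_events(lines):
    """Parse the whitespace-separated audit lines into Event tuples."""
    events = []
    for line in lines:
        ts, subject, op, obj = line.split()
        events.append(Event(int(ts), subject, op, obj))
    return events


def build_provenance_graph(events):
    """Return adjacency map src -> [(dst, op, ts)], edges oriented along information flow."""
    graph = defaultdict(list)
    for e in events:
        if e.op in FLOW_TO_OBJECT:
            graph[e.subject].append((e.obj, e.op, e.ts))
        elif e.op in FLOW_TO_SUBJECT:
            graph[e.obj].append((e.subject, e.op, e.ts))
        else:
            raise ValueError(f"unknown operation {e.op}")
    return graph


def backward_trace(graph, sink, sink_ts):
    """Entities that could have causally influenced `sink` by time `sink_ts`.

    An edge u -> v at time t contributes only if t <= the time by which v matters;
    u is then relevant up to time t (the latest such t if reached several ways).
    Returns {entity: latest relevant time}.
    """
    incoming = defaultdict(list)
    for src, edges in graph.items():
        for dst, op, ts in edges:
            incoming[dst].append((src, ts))
    reached = {sink: sink_ts}
    stack = [sink]
    while stack:
        v = stack.pop()
        for u, t in incoming[v]:
            if t <= reached[v] and t > reached.get(u, -1):
                reached[u] = t
                stack.append(u)
    return reached


def chain_edges(graph, reached):
    """Edges among reached entities, in time order, each tagged from the mini knowledge graph."""
    chain = []
    for src, edges in graph.items():
        for dst, op, ts in edges:
            if src in reached and dst in reached and ts <= reached[dst]:
                label = next((lbl for pred, lbl in KG_RULES if pred(src, op, dst)), "unlabelled")
                chain.append((ts, src, op, dst, label))
    return sorted(chain)


if __name__ == "__main__":
    g = build_provenance_graph(parse_events(AUDIT_LOG))
    reached = backward_trace(g, "203.0.113.7:443", sink_ts=7)
    for ts, src, op, dst, label in chain_edges(g, reached):
        print(f"t={ts} {src} -{op}-> {dst}  [{label}]")
```

The time check in `backward_trace` is what keeps the graph from collapsing into "everything touched everything": an edge into an entity only counts if it happened before that entity's later influence, so `explorer.exe` reading `readme.txt` at t=8 never joins the chain even though it shares the host. In the paper's setting the rule table would be replaced by embeddings drawn from a knowledge base such as MITRE ATT&CK, and the ordered chain is the kind of sequence a GRU would consume.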
The full text of this paper can be downloaded from:
http://www.chinaaet.com/resource/share/2000007021
Author information:
An Yuan1, Bao Yongqing2
(1. National Computer Network Emergency Response Technical Team/Coordination Center of China, Xizang Branch, Lhasa, Xizang 850000;
2. Office of the Cyberspace Administration and Informatization Committee of the Communist Party of China Xizang Autonomous Region Committee, Lhasa, Xizang 850000)
