APT Attack Detection Method Combining Dynamic Behavior and Static Characteristics (cited by: 4)


Authors: 梁鹤 (LIANG He), 李鑫 (LI Xin) [1], 尹南南 (YIN Nannan), 李超 (LI Chao) [2] (School of Information Network Security, People's Public Security University of China, Beijing 100038, China; First Research Institute of the Ministry of Public Security of PRC, Beijing 100048, China)

Affiliations: [1] School of Information Network Security, People's Public Security University of China, Beijing 100038; [2] First Research Institute of the Ministry of Public Security, Beijing 100048

Source: Computer Engineering and Applications (计算机工程与应用), 2023, No. 18, pp. 249-259 (11 pages)

Funding: National Key R&D Program of China (2021YFC330010002).

Abstract: Aiming at the problem that the network traffic of APT attacks is difficult to obtain and simulated data is difficult to match with reality, this paper proposes an APT attack detection method based on the combination of dynamic behavior and static characteristics. First, the Noriben sandbox is used to extract the process behavior, file behavior, registry behavior and network behavior of the software under test to build a dynamic behavior feature set; the accuracy of identifying APT malware with a Transformer-Encoder algorithm is 95.8%. Then the identified APT malware is classified by organization: the DLLs (dynamic link libraries) and APIs (application programming interfaces) called by the software are extracted and combined into features of the form DLL:API. Applying a 1D-CNN (one-dimensional convolutional neural network) to APT malware organization classification reaches an accuracy of 98.7%, which is 5 percentage points higher than the previous method. Finally, compared with the experimental results of popular deep learning and machine learning algorithms, the data show that the accuracy of this method is greatly improved over the other methods.

Keywords: advanced persistent threat (APT) attack; dynamic behavior; static characteristics; Transformer-Encoder; 1D-CNN

Classification code: TP309.2 [Automation and Computer Technology: Computer System Architecture]
