采用双塔Transformer模型的APT攻击序列检测方法  

作　　者：汪一帆 徐正国 陆路希 WANG Yifan;XU Zhengguo;LU Luxi(Information Engineering University,Zhengzhou 450001,China;National Key Laboratory of Science and Technology on Blind Signal Processing,Chengdu 610041,China)

机构地区：[1]信息工程大学,河南郑州450001 [2]信号盲处理全国重点实验室,四川成都610041

出　　处：《信息工程大学学报》2025年第2期231-237,共7页Journal of Information Engineering University

摘　　要：现有APT检测研究多针对APT攻击部分阶段数据,缺少对完整APT攻击阶段的上下文关联分析。为解决上述挑战,结合主机侧和网络侧数据,构建包含APT完整阶段的多变量时序数据集,提出一种基于特征选择和双塔Transformer模型的APT攻击序列检测方法。首先,利用特征优选模块,筛选出重要特征子集作为输入;其次,采用双塔结构,从时间维度上捕获APT攻击序列前后时刻状态间的关联信息,从特征维度上挖掘特征变量间的隐含关系;最后,引入门控结构,连接合并双塔的权重,自适应地融合APT攻击序列在时间维度和特征维度的隐含信息,以达到提升检测性能的目的。实验结果表明,与循环神经网络(RNN)、长短时记忆网络(LSTM)和Transformer模型相比,该方法表现更好,检测准确率达到95.42%。The majority of APT detection studies currently in existence concentrate on data from partial APT attack phases,and contextual correlation analysis of all APT attack phases is absent.To address the above issue,a multivariate time-series dataset including all APT phases is created by combining host-side and network-side data.An APT attack sequence detection method based on feature selection and the two-tower Transformer model is proposed.Firstly,a feature optimization module is employed to select critical feature subsets as the input.Secondly,a two-tower structure is utilized to capture associated information between states at two adjacent time points of APT attack sequences from the time dimension,and to explore implicit relationships between feature variables from the feature dimension.Finally,the gate structure is introduced to connect and merge the weights of the two-tower,and the implicit information of APT attack sequence in time and feature dimensions is adaptively fused to achieve the purpose of improving the detection performance.Experimental results demonstrate that compared with recurrent neural networks(RNN),long short-term memory(LSTM)and Transformer models,superior performance is achieved by using the proposed method,with a detection accuracy of 95.42%.

关 键 词：APT检测 特征选择 Transformer模型 多变量时序分析 

分 类 号：TP393.08[自动化与计算机技术—计算机应用技术]