An Advanced Persistent Threat (APT) is a multistage, highly sophisticated, and covert form of cyber threat that gains unauthorized access to a network in order to steal valuable data or disrupt the targeted network. Such threats often remain undetected for extended periods, which makes early detection in the network critical for mitigating the potential consequences of an APT. In this work, we propose a feature selection method for building a lightweight intrusion detection system that can identify APTs at the initial compromise stage. Our approach combines the XGBoost algorithm with Explainable Artificial Intelligence (XAI), specifically the SHAP (SHapley Additive exPlanations) method, to identify the features most relevant to the initial compromise stage. With the proposed method, the number of selected features of the SCVIC-APT-2021 dataset is reduced from 77 to just four while the evaluation metrics of the proposed system remain consistent. The resulting metric values are 97% precision, 100% recall, and a 98% F1 score. The proposed method not only helps prevent an APT from reaching its later stages but also improves understanding of APT behavior at the early stages.
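The pipeline the abstract describes, as an added illustration that is not the paper's code or data: a model is trained on all features, exact Shapley values rank the features by mean |SHAP|, and the model is retrained on the top k. Assumptions: logistic regression stands in for XGBoost, explicit coalition enumeration stands in for the SHAP library, and six constructed flow features (only two of which drive the label) stand in for the 77 features of SCVIC-APT-2021.

```python
import itertools, math, random
def make_flows(n=160, d=6, seed=1):  # constructed records, not SCVIC-APT-2021
    rng = random.Random(seed); X = [[rng.random() for _ in range(d)] for _ in range(n)]
    return X, [1 if x[0] + x[3] > 1.0 else 0 for x in X]  # only features 0 and 3 drive the label

def predict(model, x):  # P(initial compromise) from a (weights, bias) logistic model
    w, b = model
    return 1 / (1 + math.exp(-(sum(wj * xj for wj, xj in zip(w, x)) + b)))

def train(X, y, epochs=400, lr=1.0):  # logistic regression by GD, standing in for XGBoost
    w, b = [0.0] * len(X[0]), 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * len(w), 0.0
        for xi, yi in zip(X, y):
            e = predict((w, b), xi) - yi
            gw = [g + e * v for g, v in zip(gw, xi)]; gb += e
        w = [wj - lr * g / len(X) for wj, g in zip(w, gw)]; b -= lr * gb / len(X)
    return w, b

def shap_values(model, x, background):
    """Exact Shapley values of P(compromise) for one record: every feature coalition
    is enumerated, and an absent feature takes each background row's value."""
    d = len(x); phi = [0.0] * d
    def v(S):  # expected output when only the features in S are taken from x
        return sum(predict(model, [x[j] if j in S else bg[j] for j in range(d)])
                   for bg in background) / len(background)
    for j in range(d):
        for r in range(d):  # r = size of a coalition S that excludes feature j
            weight = math.factorial(r) * math.factorial(d - r - 1) / math.factorial(d)
            for S in itertools.combinations([k for k in range(d) if k != j], r):
                phi[j] += weight * (v(set(S) | {j}) - v(set(S)))
    return phi

def select_features(model, X, k, n_explain=24, n_background=12):
    """Rank features by mean |SHAP| over the explained records and keep the top k."""
    importance = [0.0] * len(X[0])
    for x in X[:n_explain]:
        for j, p in enumerate(shap_values(model, x, X[-n_background:])):
            importance[j] += abs(p) / n_explain
    return sorted(sorted(range(len(X[0])), key=lambda j: -importance[j])[:k])

def f1_score(model, X, y):  # F1 of the compromise class at a 0.5 threshold
    pred = [int(predict(model, x) >= 0.5) for x in X]
    tp = sum(p * t for p, t in zip(pred, y)); fp = sum(pred) - tp; fn = sum(y) - tp
    return 2 * tp / (2 * tp + fp + fn) if tp else 0.0

def run(k=2):  # full model -> SHAP ranking -> model retrained on the k kept features
    X, y = make_flows(); full = train(X, y); kept = select_features(full, X, k)
    Xr = [[x[j] for j in kept] for x in X]
    return kept, f1_score(full, X, y), f1_score(train(Xr, y), Xr, y)
```

`run()` returns the kept feature indices together with the F1 of the full and the reduced model, so the check the abstract makes (fewer features, consistent metrics) can be read off directly.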