Advanced Persistent Threats (APTs) are sophisticated, targeted cyberattacks designed to gain unauthorized access to systems and remain undetected for extended periods. To evade detection, APT campaigns deceive defensive layers through breaches and exploits, which makes them hard to expose with traditional anomaly-detection-based security methods. Detecting APTs with machine learning is made harder still by the rarity of relevant datasets and by the severe class imbalance in the data that does exist, which makes the detection task highly burdensome. We present AE-APT, a deep-learning-based tool for APT detection built on a family of AutoEncoder methods ranging from a basic one to a Transformer-based one. We evaluated the tool on a suite of provenance trace databases produced by the DARPA Transparent Computing program, in which APT-like attacks constitute as little as 0.004% of the data. The datasets span multiple operating systems, including Android, Linux, BSD, and Windows, and cover two attack scenarios. The results show that AE-APT achieves significantly higher detection rates than its competitors, indicating superior performance in detecting and ranking anomalies.
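As an added illustration, not code from the AE-APT paper or its authors, the following numpy sketch shows the basic autoencoder pipeline the abstract describes: train on benign provenance events only, score every event by its reconstruction error, and rank events so that a rare, never-seen pattern rises to the top of an analyst's triage list. The event vocabulary, the benign patterns and the single suspicious event are all constructed for the example (the DARPA Transparent Computing schema is far richer).

```python
import numpy as np

# Constructed provenance vocabulary (hypothetical; the real DARPA TC schema has many more fields).
PROCS = ["sshd", "bash", "nginx", "cron"]
OPS = ["read", "write", "exec", "connect"]
OBJS = ["file", "socket", "process"]
N_FEATURES = len(PROCS) + len(OPS) + len(OBJS)

def encode_event(proc, op, obj):
    """One-hot encode a (process, operation, object type) provenance event."""
    vec = np.zeros(N_FEATURES)
    vec[PROCS.index(proc)] = 1.0
    vec[len(PROCS) + OPS.index(op)] = 1.0
    vec[len(PROCS) + len(OPS) + OBJS.index(obj)] = 1.0
    return vec

class AutoEncoder:
    """Basic one-hidden-layer sigmoid autoencoder trained by full-batch gradient descent."""
    def __init__(self, n_in, n_hidden, seed=0):
        rng = np.random.default_rng(seed)
        self.W1, self.b1 = rng.normal(0, 0.3, (n_in, n_hidden)), np.zeros(n_hidden)
        self.W2, self.b2 = rng.normal(0, 0.3, (n_hidden, n_in)), np.zeros(n_in)

    def forward(self, X):
        H = 1 / (1 + np.exp(-(X @ self.W1 + self.b1)))   # compressed code
        Y = 1 / (1 + np.exp(-(H @ self.W2 + self.b2)))   # reconstruction
        return H, Y

    def fit(self, X, epochs=3000, lr=1.0):
        """Minimise mean squared reconstruction error on benign events only."""
        for _ in range(epochs):
            H, Y = self.forward(X)
            dY = (Y - X) * Y * (1 - Y) / len(X)    # loss gradient at the output pre-activation
            dH = (dY @ self.W2.T) * H * (1 - H)     # backpropagated to the hidden layer
            self.W2 -= lr * (H.T @ dY)
            self.b2 -= lr * dY.sum(axis=0)
            self.W1 -= lr * (X.T @ dH)
            self.b1 -= lr * dH.sum(axis=0)
        return self

    def score(self, X):
        """Anomaly score per event: squared reconstruction error (higher = more anomalous)."""
        return ((self.forward(X)[1] - X) ** 2).sum(axis=1)

# Constructed benign patterns; the stream below repeats them so the attack is a tiny fraction.
BENIGN = [("sshd", "read", "file"), ("bash", "exec", "process"), ("nginx", "connect", "socket"),
          ("cron", "exec", "process"), ("nginx", "read", "file")]
SUSPICIOUS = ("nginx", "exec", "process")   # web server spawning a process: absent from training

def rank_anomalies(events, model):
    """Return event indices ordered from most to least anomalous, i.e. an analyst triage list."""
    scores = model.score(np.array([encode_event(*e) for e in events]))
    return [int(i) for i in np.argsort(-scores)]

def demo():
    model = AutoEncoder(N_FEATURES, n_hidden=6).fit(np.array([encode_event(*e) for e in BENIGN]))
    stream = BENIGN * 40 + [SUSPICIOUS]          # 201 events; only the last one is the attack
    return rank_anomalies(stream, model)
```

The ranking rather than a fixed threshold is what matters under the paper's 0.004% imbalance: an analyst reviews the top of the list, so the metric of interest is how high the rare attack event lands.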