
Method, system and storage medium for APT organization identification based on stacking integration

An organization identification and algorithm technology, applied in the field of network security, that addresses the problems of existing approaches (inability to handle a large number of samples, difficult feature extraction, and heavy dependence on expert experience) and achieves the effect of improving the efficiency of automatic identification, the accuracy of identification, and the overall effectiveness.

Active Publication Date: 2021-06-08
GUANGZHOU UNIVERSITY

AI Technical Summary

Problems solved by technology

[0005] The analysis techniques used in industry are mainly based on manual analysis by security experts and are therefore heavily influenced by the experience of those experts. In addition, they cannot keep up with the large number of samples and are inefficient and time-consuming.
The static API function features that the automatic identification techniques in academia rely on make feature extraction difficult when malware is obfuscated or packed. Furthermore, current methods mainly rely on known malicious code samples; identifying variants only on the basis of existing samples may lead to inefficient or even ineffective recognition.



Examples


Embodiment

[0058] As shown in figure 1, the APT organization identification method based on stacking integration in this embodiment includes the following steps:

[0059] S1: Use the TF-IDF algorithm combined with n-grams to extract behavioral features from malware samples and vectorize them. The n-gram range can be selected according to the actual data; here it is recommended to choose n-gram=(1,5). The result forms the malicious behavior vector feature set.

[0060] For the behavior text features of the malicious samples, the term frequency (TF) of each term is counted separately, and a weight parameter (IDF) is then attached to it.

[0061]

[0062] Here $TF_{i,j}$ is the frequency of term $i$ in sample $j$; $n_{i,j}$ is the number of times term $i$ appears in sample $j$; and $\sum_k n_{k,j}$ is the total number of terms appearing in sample $j$.

[0063] Then calculate the weight:

[0064]

[0065] Here $|D|$ is the total number of samples and $|\{j : i \in d_j\}|$ is the number of samples that contain term $i$...


Abstract

The invention discloses an APT organization identification method, system and storage medium based on stacking integration. The method includes: using the TF-IDF algorithm combined with n-grams to extract behavioral features from malware samples and vectorize them, forming a malicious behavior vector feature set; based on that feature set, calculating the correlation between features and the chi-square value between features and categories, and screening the behavior vector feature set twice to obtain a better, low-dimensional feature subset; constructing a Stacking ensemble with multi-model fusion to learn the APT organization identification model; and using the APT organization identification model to identify new APT attacks. In the present invention, feature selection on the high-dimensional behavior vector features reduces the complexity of the data set; sample imbalance in the data set is also taken into account, and multi-model ensemble training is adopted to improve recognition accuracy. In addition, the APT organization identification model for malicious samples is obtained through machine learning training, which improves the efficiency of automatically identifying new samples.
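As an added example (not the patent's own code), the following plain Python implements step S1 from the embodiment (n-gram TF-IDF vectorization with the recommended (1,5) range) and the feature-versus-category chi-square screening named in the abstract, over constructed behaviour-token sequences. The IDF form log(|D| / |{j : i ∈ d_j}|) and the presence/absence contingency used for chi-square are assumptions, since the page does not show those formulas.

```python
import math
from collections import Counter

# Constructed data (not from the patent): ordered behaviour tokens per malware
# sample, each with a hypothetical APT group label.
SAMPLES = [
    (["CreateFile", "WriteFile", "RegSetValue", "CreateProcess"], "groupA"),
    (["CreateFile", "WriteFile", "RegSetValue", "Sleep"], "groupA"),
    (["InternetOpen", "HttpSendRequest", "CreateProcess", "Sleep"], "groupB"),
    (["InternetOpen", "HttpSendRequest", "WriteFile", "Sleep"], "groupB"),
]

def ngrams(tokens, n_min=1, n_max=5):
    """All contiguous n-grams with n_min <= n <= n_max (default (1,5) as S1 recommends)."""
    return [" ".join(tokens[i:i + n])
            for n in range(n_min, n_max + 1)
            for i in range(len(tokens) - n + 1)]

def term_frequencies(tokens, n_min=1, n_max=5):
    """TF_{i,j} = n_{i,j} / sum_k n_{k,j}: share of n-gram term i within sample j."""
    counts = Counter(ngrams(tokens, n_min, n_max))
    total = sum(counts.values())
    return {term: n / total for term, n in counts.items()}

def inverse_document_frequencies(docs_tf):
    """IDF_i = log(|D| / |{j : i in d_j}|); the standard form, assumed here."""
    doc_freq = Counter(term for tf in docs_tf for term in tf)
    return {term: math.log(len(docs_tf) / df) for term, df in doc_freq.items()}

def tfidf_vectors(samples, n_min=1, n_max=5):
    """Vectorise every sample over the shared n-gram vocabulary (TF * IDF)."""
    docs_tf = [term_frequencies(tokens, n_min, n_max) for tokens, _ in samples]
    idf = inverse_document_frequencies(docs_tf)
    vocab = sorted(idf)
    return vocab, [[tf.get(t, 0.0) * idf[t] for t in vocab] for tf in docs_tf]

def chi_square_scores(vocab, vectors, labels):
    """Chi-square of (term present/absent) vs. group label per term (assumed screening form)."""
    scores = {}
    for col, term in enumerate(vocab):
        present = [v[col] > 0 for v in vectors]
        chi = 0.0
        for g in sorted(set(labels)):
            for is_present in (True, False):
                observed = sum(1 for p, l in zip(present, labels) if p == is_present and l == g)
                expected = labels.count(g) * present.count(is_present) / len(labels)
                if expected:
                    chi += (observed - expected) ** 2 / expected
        scores[term] = chi
    return scores
```

Terms with the highest chi-square score are the ones whose presence best separates the groups; a screening step keeps the top-ranked subset to lower the dimension of the feature set.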

Description

Technical field

[0001] The invention belongs to the technical field of network security, and in particular relates to an APT organization identification method, system and storage medium based on stacking integration.

Background technique

[0002] An APT (advanced persistent threat) is a form of attack that uses advanced techniques to carry out long-term, persistent network attacks against specific targets. Unlike traditional network attacks, APT attacks are characterized by concealment, targeting, persistence and organization. Their methods are varied, their effect is significant, and they are difficult to prevent. The cyber attacks carried out by APT organizations usually have political or economic purposes, have a huge impact on countries and enterprises, and pose increasingly serious threats to high-level information security systems. Attributing the malware samples used in APT attacks to their organizations is conducive to tracing the real ...


Application Information

Patent Type & Authority: Patents (China)
IPC (8): G06F21/56; G06K9/62
CPC: G06F21/563; G06F2221/033; G06F18/241; G06F18/214
Inventors: 李树栋, 张倩青, 吴晓波, 韩伟红, 方滨兴, 田志宏, 殷丽华, 顾钊铨
Owner GUANGZHOU UNIVERSITY