Advanced persistent threat (APT) attack behavior detection method, device and equipment
By parsing data packets collected by operator network equipment, creating an interaction spatiotemporal graph from them, and combining this graph with a neural network model to detect APT attack behavior, the problem that existing technologies cannot comprehensively detect APT attack behavior is solved, enabling the discovery and location of all types of APT attack behavior.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patent (China)
- Current Assignee / Owner
- CHINA TELECOM NETWORK SECURITY TECH CO LTD
- Filing Date
- 2022-10-09
- Publication Date
- 2026-06-30
AI Technical Summary
Existing technologies cannot achieve comprehensive detection of all categories of Advanced Persistent Threat (APT) attacks, lack lateral scaling capabilities, and are unable to discover and locate new APT attacks.
Data packets collected by operator network equipment are acquired, the IP addresses, domain names and geographic locations in them are resolved, and an interaction spatiotemporal graph is created. A screening model performs a preliminary screening on the aggregated traffic features, and a trained neural network detection model (a deep learning model) performs the final detection on the graph, thus achieving detection of all types of APT attack behavior.
It can detect and locate new APT attack behaviors, and achieve detection of all types of APT attack behaviors, improving the comprehensiveness and accuracy of detection.
Description
Technical Field
[0001] This invention relates to the field of network security technology, and in particular to methods, apparatus and equipment for detecting advanced persistent threat (APT) attack behavior.
Background Technology
[0002] Advanced Persistent Threats (APTs) are a form of cyberattack that uses sophisticated attack methods to launch long-term, persistent attacks against specific targets. They are highly covert and targeted, typically employing various infected media, supply chains, and social engineering techniques to carry out advanced, persistent, and effective threats and attacks.
[0003] APT attacks are often the result of long-term planning and preparation, and are highly covert. The attack methods of APT groups lie in concealing themselves and targeting specific individuals to steal data in a long-term, planned and organized manner. This behavior is considered cyber espionage. Because APT groups themselves use various technical means to hide their activities, detecting APT groups and APT attacks is extremely difficult.
[0004] Current technical solutions for APT attack detection mainly focus on sample analysis and mining within a specific attack domain (e.g., abnormal emails). After extracting relevant attack behavior features, they perform attack detection and source comparison based on these features. These methods are relatively concrete: once attack behavior features are extracted from a specific type of APT sample, they are applicable to the detection of APT attacks within that specific category. Their drawback is that they are relatively limited and cannot be horizontally expanded. In other words, they are mainly used for source detection and lack the ability to discover and locate new APT attack behaviors. They cannot detect new types of APT attacks, and there is no comprehensive and unified method for APT attack detection, so all types of APT attacks cannot be detected.
Summary of the Invention
[0005] This invention provides a method, apparatus, device, and medium for detecting advanced persistent threat (APT) attacks, thereby addressing the problem that existing technologies cannot detect all types of APT attacks.
[0006] This invention provides a method for detecting advanced persistent threat (APT) attack behavior, the method comprising:
[0007] Obtain any sample interaction spatiotemporal graph and the corresponding first label information from the pre-saved sample set, adjust the parameter values of each parameter of the original neural network model, and obtain the trained detection model;
[0008] Acquire each data packet within a preset time range collected by the operator's network equipment, parse each IP address from all data packets, and determine the domain name corresponding to each IP address and the location of each IP address;
[0009] In the target interaction spatiotemporal graph of the operator's network equipment, entities corresponding to domain names, IP addresses and home locations are created respectively. If a connection is established or data packets are exchanged between any two entities, the two entities are connected and the connection characteristics corresponding to the two connected entities are determined.
[0010] Based on the pre-trained detection model, the target detection result, which indicates whether APT attack behavior was detected, is obtained after the target interaction spatiotemporal graph is input into the detection model.
[0011] Furthermore, after acquiring each data packet within a preset time range collected by the operator's network equipment, and before parsing each IP address from all data packets and determining the domain name corresponding to each IP address and the location of each IP address, the method further includes:
[0012] Information about network features is obtained for each data packet within each preset time granularity within the preset time range. Each target data packet with the same traffic aggregation feature information in the network features is aggregated into a data packet set according to the preset time granularity. Each target feature vector of the network features in each data packet set is generated. The network features include traffic aggregation features, metadata features, and the number of data packets and bytes within the preset time granularity. The traffic aggregation features include source IP address, destination IP address, transport layer protocol, application layer protocol, and port number. The metadata features include at least one of the following: specific tag meaning carried by the HTTP address, keywords of the DNS domain name, and links of emails transmitted in the form of data packets.
[0013] Based on the pre-trained screening model, obtain the preliminary detection result of whether suspected APT attack behavior is detected after each target feature vector is input into the screening model;
[0014] If there is a target feature vector in each target feature vector of each data packet set within the preset time range that initially indicates a suspected APT attack, then for each target data packet set corresponding to the target feature vector that initially indicates a suspected APT attack, the steps of parsing each IP address from all first target data packets in each target data packet set and determining the domain name corresponding to each IP address and the location of each IP address are executed.
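The screening stage of [0012] to [0014] groups the packets of each preset time granularity by their traffic aggregation features and turns each resulting data packet set into one feature vector. The following Python is an added example, not code from the patent or its assignee: the `Packet` record, the field names, the sample traffic (documentation-range addresses) and the boolean metadata flags are constructed here as assumptions about how the text's features would be represented. The screening model itself is not implemented; the function returns the vectors that would be fed into it.

```python
from collections import defaultdict
from dataclasses import dataclass


# Constructed packet record standing in for a parsed capture from the operator
# network equipment; the field names are assumptions, not the patent's own.
@dataclass(frozen=True)
class Packet:
    ts: float              # capture time in seconds
    src_ip: str
    dst_ip: str
    l4_proto: str          # transport layer protocol
    l7_proto: str          # application layer protocol
    port: int              # destination port
    size: int              # bytes in the packet
    http_tag: str = ""     # metadata: marker carried in the HTTP address, if any
    dns_keyword: str = ""  # metadata: keyword taken from the DNS query name, if any
    mail_link: str = ""    # metadata: link carried in an e-mail sent as packets, if any


# Constructed sample traffic; two time buckets of 60 s when granularity is 60.0.
SAMPLE_PACKETS = [
    Packet(1200.0, "10.0.0.5", "203.0.113.10", "tcp", "http", 80, 500, http_tag="x-session"),
    Packet(1210.0, "10.0.0.5", "203.0.113.10", "tcp", "http", 80, 700),
    Packet(1230.0, "10.0.0.5", "198.51.100.2", "udp", "dns", 53, 90, dns_keyword="update"),
    Packet(1270.0, "10.0.0.5", "203.0.113.10", "tcp", "http", 80, 300),
    Packet(1275.0, "10.0.0.7", "203.0.113.10", "tcp", "http", 80, 400),
]


def aggregation_key(pkt, granularity):
    """Time bucket plus the traffic aggregation features named in the text:
    source IP, destination IP, transport protocol, application protocol, port."""
    bucket = int(pkt.ts // granularity) * granularity
    return (bucket, pkt.src_ip, pkt.dst_ip, pkt.l4_proto, pkt.l7_proto, pkt.port)


def aggregate_packets(packets, granularity):
    """Group packets sharing a time bucket and aggregation features into data packet sets."""
    sets = defaultdict(list)
    for pkt in packets:
        sets[aggregation_key(pkt, granularity)].append(pkt)
    return dict(sets)


def feature_vector(key, pkts):
    """Network features of one data packet set: aggregation features,
    metadata presence flags, and packet and byte counts for the bucket."""
    bucket, src_ip, dst_ip, l4, l7, port = key
    return {
        "bucket": bucket, "src_ip": src_ip, "dst_ip": dst_ip,
        "l4_proto": l4, "l7_proto": l7, "port": port,
        "packet_count": len(pkts),
        "byte_count": sum(p.size for p in pkts),
        "has_http_tag": any(p.http_tag for p in pkts),
        "has_dns_keyword": any(p.dns_keyword for p in pkts),
        "has_mail_link": any(p.mail_link for p in pkts),
    }


def build_feature_vectors(packets, granularity):
    """One feature vector per data packet set, ordered by time bucket then key."""
    sets = aggregate_packets(packets, granularity)
    return [feature_vector(k, sets[k]) for k in sorted(sets)]


if __name__ == "__main__":
    for fv in build_feature_vectors(SAMPLE_PACKETS, 60.0):
        print(fv)
```

With a 60-second granularity the five constructed packets fall into four data packet sets: two in the first bucket and two in the second, the repeated HTTP flow from 10.0.0.5 being counted as two packets and 1200 bytes in its first bucket. Only those sets whose vector the screening model flags as suspected APT behavior would go on to the graph-building step of [0014].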
[0015] Furthermore, the step of creating entities corresponding to domain names, IP addresses and home locations in the target interaction spatiotemporal graph of the operator's network equipment and, if a connection is established or data packets are exchanged between any two entities, connecting the two entities and determining the connection characteristics corresponding to the two connected entities, includes:
[0016] For each preset time granularity within the preset time range, based on the target domain name corresponding to each target IP address and the target home location of each target IP address within the preset time granularity, entities corresponding to the target domain name, target IP address and target home location are created respectively in the sub-interaction spatiotemporal graph corresponding to the preset time granularity of the operator network device. If a connection is established or data packets are exchanged between any two entities, the two entities are connected and the connection characteristics corresponding to the two connected entities are determined.
[0017] Based on the sub-interaction spatiotemporal graphs corresponding to each preset time granularity, the time sequence graph formed by combining the sub-interaction spatiotemporal graphs in chronological order is determined as the target interaction spatiotemporal graph of the operator's network equipment.
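The graph construction of [0009], [0016] and [0017] has three entity kinds (domain name, IP address, home location), an edge wherever two entities connect or exchange packets, connection features on each edge, one sub-graph per time granularity, and a chronological sequence of sub-graphs as the target graph. The Python below is an added example and not the patent's or assignee's code: the `Entity`/`SubGraph` types, the constructed packet tuples, and the dictionary look-ups standing in for DNS resolution and IP geolocation are all assumptions made here.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Entity:
    kind: str    # "domain", "ip" or "location"
    value: str


@dataclass
class SubGraph:
    """Sub-interaction spatiotemporal graph for one time granularity bucket."""
    bucket: float
    entities: set = field(default_factory=set)
    edges: dict = field(default_factory=dict)   # (Entity, Entity) -> connection features


# Constructed stand-ins for the domain-name and home-location resolution of [0008].
IP_TO_DOMAIN = {"203.0.113.10": "cdn.example-a.test", "198.51.100.2": "resolver.example-b.test"}
IP_TO_LOCATION = {"10.0.0.5": "site-A", "10.0.0.7": "site-A",
                  "203.0.113.10": "region-X", "198.51.100.2": "region-Y"}

# Constructed packets: (timestamp, src_ip, dst_ip, transport protocol, bytes)
SAMPLE_PACKETS = [
    (1200.0, "10.0.0.5", "203.0.113.10", "tcp", 500),
    (1210.0, "10.0.0.5", "203.0.113.10", "tcp", 700),
    (1230.0, "10.0.0.5", "198.51.100.2", "udp", 90),
    (1270.0, "10.0.0.5", "203.0.113.10", "tcp", 300),
    (1275.0, "10.0.0.7", "203.0.113.10", "tcp", 400),
]


def attach_context(graph, ip_entity):
    """Create the domain and home-location entities of an IP and link them to it."""
    domain = IP_TO_DOMAIN.get(ip_entity.value)
    if domain:
        dom_e = Entity("domain", domain)
        graph.entities.add(dom_e)
        graph.edges.setdefault((ip_entity, dom_e), {"relation": "resolves_to"})
    location = IP_TO_LOCATION.get(ip_entity.value)
    if location:
        loc_e = Entity("location", location)
        graph.entities.add(loc_e)
        graph.edges.setdefault((ip_entity, loc_e), {"relation": "located_in"})


def build_subgraph(bucket, packets):
    """One sub-graph: IP entities joined by the packets they exchanged, with
    connection features accumulated per (source, destination) edge."""
    g = SubGraph(bucket)
    for ts, src, dst, proto, size in packets:
        src_e, dst_e = Entity("ip", src), Entity("ip", dst)
        g.entities.update((src_e, dst_e))
        feat = g.edges.setdefault((src_e, dst_e), {
            "relation": "exchanged_packets", "protocols": set(),
            "packets": 0, "bytes": 0, "first_seen": ts, "last_seen": ts})
        feat["protocols"].add(proto)
        feat["packets"] += 1
        feat["bytes"] += size
        feat["first_seen"] = min(feat["first_seen"], ts)
        feat["last_seen"] = max(feat["last_seen"], ts)
        attach_context(g, src_e)
        attach_context(g, dst_e)
    return g


def build_spatiotemporal_graph(packets, granularity):
    """Target graph: sub-graphs ordered chronologically, one per time bucket."""
    by_bucket = defaultdict(list)
    for pkt in packets:
        by_bucket[int(pkt[0] // granularity) * granularity].append(pkt)
    return [build_subgraph(b, by_bucket[b]) for b in sorted(by_bucket)]


if __name__ == "__main__":
    for sub in build_spatiotemporal_graph(SAMPLE_PACKETS, 60.0):
        print(sub.bucket, len(sub.entities), "entities", len(sub.edges), "edges")
```

Edges are directed from source to destination so that the first-seen and last-seen times describe who initiated the exchange; an undirected variant would sort the entity pair before using it as the key. The sequence returned by `build_spatiotemporal_graph` is the chronological combination of [0017] and is what a graph-based detection model would consume.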
[0018] Furthermore, the method also includes:
[0019] If the target detection result indicates that an APT attack has been detected, then the target interaction spatiotemporal graph and the target detection result of the target interaction spatiotemporal graph are added to the sample set as the first label information;
[0020] Determine whether the time elapsed since the end of the last training session has reached a preset period. If so, retrain the detection model based on the updated sample set.
[0021] Further, the step of adding the target interaction spatiotemporal graph and the target detection results of the target interaction spatiotemporal graph as first label information to the sample set includes:
[0022] Based on each first source IP address and each first destination IP address of all first target data packets corresponding to the target interaction spatiotemporal graph, obtain each global data packet sent by the device with each first source IP address and the corresponding first destination IP address within all connection durations, and display each global data packet according to the connection timing relationship;
[0023] A user's selection operation is received, each target global data packet corresponding to the target connection is determined based on the selection operation, and application-layer parsing is performed on each target global data packet using any tool from a pre-saved toolset to obtain the target APT attack program. The target APT attack program and the target detection result are then added to the sample set as first label information.
[0024] Furthermore, adding the target APT attack program and the first label information identifying detected APT attack behavior to the sample set includes:
[0025] Receive the target determination result of the target APT attack program. If the target determination result is that the target APT attack program is a homologous program of the sample APT attack programs in the sample set, then add the target APT attack program and the first label information identifying the detected APT attack behavior to the subset of homologous sample APT attack programs in the sample set;
[0026] If the target determination result is that the target APT attack program is a non-homologous program of the sample APT attack programs in the sample set, then create a new subset in the sample set, and add the target APT attack program and the first label information identifying the detected APT attack behavior to the new subset of the sample set.
[0027] Furthermore, the training process of the detection model includes:
[0028] Obtain any sample interaction spatiotemporal graph and corresponding first label information from a pre-saved sample set, wherein the first label information is used to identify whether the sample interaction spatiotemporal graph corresponds to APT attack behavior;
[0029] The sample interaction spatiotemporal graph is input into the original neural network model to obtain the second label information of the output sample interaction spatiotemporal graph;
[0030] Based on the first label information and the second label information, the parameter values of each parameter of the original neural network model are adjusted to obtain the trained detection model.
[0031] Furthermore, obtaining any sample interaction spatiotemporal graph and the corresponding first label information from the pre-saved sample set includes:
[0032] Obtain a set of sample data packets for any normal access process or a sample APT attack program from a pre-saved sample set;
[0033] Based on each first sample data packet of the network communication process simulated using reverse engineering or sandboxing techniques on the sample APT attack program, a first sample interaction spatiotemporal graph of the sample APT attack program is generated, and the first label information corresponding to the first sample interaction spatiotemporal graph is set as the label information of APT attack behavior detected; or
[0034] Based on each second sample data packet in the sample data packet set, a second sample interaction spatiotemporal graph of the sample data packet set is generated, and the first label information corresponding to the second sample interaction spatiotemporal graph is set as the label information of no APT attack behavior detected.
[0035] Furthermore, the training process of the screening model includes:
[0036] Obtain any sample feature vector and the corresponding first label information from the pre-saved sample set;
[0037] The sample feature vector is input into the original screening model to obtain the third label information of the output sample feature vector;
[0038] Based on the first label information and the third label information, the parameter values of each parameter of the original screening model are adjusted to obtain the trained screening model.
[0039] Furthermore, obtaining any sample feature vector and the corresponding first label information from the pre-saved sample set includes:
[0040] Obtain a set of sample data packets for any normal access process or a sample APT attack program from a pre-saved sample set;
[0041] Based on each first sample data packet of the network communication process simulated using reverse engineering or sandboxing techniques on the sample APT attack program, network feature information of each first sample data packet within each preset time granularity is obtained. First sample data packets with the same traffic aggregation feature information are aggregated into first sample data packet sets according to the preset time granularity, generating a first sample feature vector of the network features of each first sample data packet set. The first label information corresponding to each first sample data packet set is set as the label information of suspected APT attack behavior detected; or
[0042] Based on each second sample data packet in the sample data packet set, obtain the network feature information of each second sample data packet within each preset time granularity, aggregate each second sample data packet with the same traffic aggregation feature information into each second sample data packet set according to the preset time granularity, generate each second sample feature vector of the network feature of each second sample data packet set, and set the first label information corresponding to each second sample data packet set as the label information of no suspected APT attack behavior detected.
[0043] Accordingly, the present invention provides an advanced persistent threat (APT) attack behavior detection device, the device comprising:
[0044] The training module is used to obtain any sample interaction spatiotemporal graph and the corresponding first label information from the pre-saved sample set, and to adjust the parameter values of each parameter of the original neural network model to obtain the trained detection model.
[0045] The acquisition module is used to acquire each data packet within a preset time range collected by the operator's network equipment, parse each IP address from all data packets, and determine the domain name corresponding to each IP address and the location of each IP address.
[0046] The processing module is used to create entities corresponding to domain names, IP addresses and home locations respectively in the target interaction spatiotemporal graph of the operator network equipment. If a connection is established or data packets are exchanged between any two entities, the two entities are connected and the connection characteristics corresponding to the two connected entities are determined.
[0047] The detection module is used to obtain the target detection result, which indicates whether APT attack behavior has been detected, after the target interaction spatiotemporal graph is input into the detection model, based on a pre-trained detection model.
[0048] Furthermore, the acquisition module is also used, after acquiring each data packet within the preset time range collected by the operator's network equipment and before parsing each IP address from all data packets and determining the domain name and location of each IP address, to obtain the network feature information of each data packet within each preset time granularity within the preset time range; to aggregate each target data packet with the same traffic aggregation feature information in the network features into a data packet set according to the preset time granularity; and to generate each target feature vector of the network features of each data packet set. The network features include traffic aggregation features, metadata features, and the number of data packets and bytes within the preset time granularity. The traffic aggregation features include source IP address, destination IP address, transport layer protocol, and application layer protocol. The metadata features include at least one of the following: a specific tag meaning carried by the HTTP address, keywords of the DNS domain name, and links of emails transmitted in the form of data packets. Based on the pre-trained screening model, the preliminary detection result of whether suspected APT attack behavior is detected is obtained after each target feature vector is input into the screening model. If there is a target feature vector among the target feature vectors of the data packet sets within the preset time range whose preliminary detection result is suspected APT attack behavior, then for each target data packet set corresponding to such a target feature vector, the steps of parsing each IP address from all first target data packets in each target data packet set and determining the domain name corresponding to each IP address and the location of each IP address are executed.
[0049] Further, the processing module is specifically used to, for each preset time granularity within the preset time range, create entities corresponding to the target domain name, target IP address, and target location in the sub-interaction spatiotemporal graph corresponding to the preset time granularity of the operator network device, based on the target domain name corresponding to each target IP address and the target location of each target IP address within the preset time granularity. If a connection is established or data packets are exchanged between any two entities, the two entities are connected and the connection characteristics corresponding to the two connected entities are determined. Based on each sub-interaction spatiotemporal graph corresponding to each preset time granularity, the time sequence graph combining the sub-interaction spatiotemporal graphs in chronological order is determined as the target interaction spatiotemporal graph of the operator network device.
[0050] Furthermore, the device also includes:
[0051] The update module is used to add the target interaction spatiotemporal graph and the target detection result of the target interaction spatiotemporal graph as the first label information to the sample set if the target detection result is that APT attack behavior is detected; determine whether the time from the current time to the end of the last training has reached a preset period, and if so, retrain the detection model according to the updated sample set.
[0052] Further, the update module is specifically configured to: based on each first source IP address and each first destination IP address of all first target data packets corresponding to the target interaction spatiotemporal graph, obtain each global data packet sent by the device corresponding to each first source IP address and each first destination IP address within all connection durations, and display each global data packet according to the connection timing relationship; receive the user's selection operation, determine each target global data packet corresponding to the target connection based on the selection operation, perform application layer parsing on each target global data packet using any tool in the pre-saved toolset to obtain the target APT attack program, and add the target APT attack program and the target detection result as first label information to the sample set.
[0053] Furthermore, the update module is specifically used to receive the target determination result of the target APT attack program. If the target determination result indicates that the target APT attack program is a homologous program of the sample APT attack programs in the sample set, then the target APT attack program and the first label information identifying detected APT attack behavior are added to the subset of homologous sample APT attack programs in the sample set. If the target determination result indicates that the target APT attack program is a non-homologous program of the sample APT attack programs in the sample set, then a new subset is created in the sample set, and the target APT attack program and the first label information identifying detected APT attack behavior are added to the newly created subset of the sample set.
[0054] Furthermore, the training module is used to acquire any sample interaction spatiotemporal graph and corresponding first label information from a pre-saved sample set, wherein the first label information is used to identify whether the sample interaction spatiotemporal graph corresponds to an APT attack behavior; input the sample interaction spatiotemporal graph into the original neural network model, and acquire the second label information of the output sample interaction spatiotemporal graph; adjust the parameter values of each parameter of the original neural network model according to the first label information and the second label information to obtain the trained detection model.
[0055] Further, the training module is specifically used to acquire a set of sample data packets for any normal access process or a sample APT attack program from a pre-saved sample set; generate a first sample interaction spatiotemporal graph of the sample APT attack program based on each first sample data packet of the network communication process simulated by reverse engineering or sandboxing technology for the sample APT attack program, and set the first label information corresponding to the first sample interaction spatiotemporal graph as the label information of APT attack behavior detected; or generate a second sample interaction spatiotemporal graph of the sample data packet set based on each second sample data packet in the sample data packet set, and set the first label information corresponding to the second sample interaction spatiotemporal graph as the label information of no APT attack behavior detected.
[0056] Furthermore, the training module is used to obtain the feature vector and first label information of any sample in the pre-saved sample set; input the sample feature vector into the original screening model to obtain the third label information of the output sample feature vector; and adjust the parameter values of each parameter of the original screening model according to the first label information and the third label information to obtain the trained screening model.
[0057] Further, the training module is specifically used to obtain a set of sample data packets for any normal access process or a sample APT attack program from a pre-saved sample set; based on each first sample data packet of a network communication process simulated by reverse engineering or sandboxing technology on the sample APT attack program, obtain the network feature information of each first sample data packet within each preset time granularity; aggregate each first sample data packet with the same traffic aggregation feature information into first sample data packet sets according to the preset time granularity, generate a first sample feature vector of the network features of each first sample data packet set, and set the first label information corresponding to each first sample data packet set as the label information of suspected APT attack behavior detected; or based on each second sample data packet in the sample data packet set, obtain the network feature information of each second sample data packet within each preset time granularity; aggregate each second sample data packet with the same traffic aggregation feature information into second sample data packet sets according to the preset time granularity, generate a second sample feature vector of the network features of each second sample data packet set, and set the first label information corresponding to each second sample data packet set as the label information of no suspected APT attack behavior detected.
[0058] Accordingly, the present invention provides an electronic device, including: a processor, a communication interface, a memory, and a communication bus, wherein the processor, the communication interface, and the memory communicate with each other through the communication bus;
[0059] The memory stores a computer program that, when executed by the processor, causes the processor to implement the steps of any of the methods described in the Advanced Persistent Threat (APT) attack behavior detection methods.
[0060] Accordingly, the present invention provides a computer-readable storage medium storing a computer program that, when executed by a processor, implements the steps of any of the methods described in the above-described methods for detecting Advanced Persistent Threat (APT) attack behaviors.
[0061] This invention provides a method, apparatus, device, and medium for detecting Advanced Persistent Threat (APT) attacks. The method acquires any sample interaction spatiotemporal graph and its corresponding first label information from a pre-saved sample set, then adjusts the parameter values of each parameter of the original neural network model to obtain a trained detection model. From each data packet collected within a preset time range by the operator's network equipment, it parses out each IP address and determines the domain name and location of each IP address. Entities corresponding to the domain names, IP addresses, and locations are created in the interaction spatiotemporal graph; if a connection is established or data packets are exchanged between any two entities, the two entities are connected and the connection characteristics corresponding to the two connected entities are determined. Because this invention acquires and detects the interaction spatiotemporal graph in an end-to-end, fused manner, it more fundamentally reflects the temporal characteristics of APT attack behavior, thereby enabling the discovery and localization of new APT attack behaviors and achieving detection of all types of APT attack behaviors.
Description of the Drawings
[0062] To more clearly illustrate the technical solutions in the embodiments of the present invention, the accompanying drawings used in the description of the embodiments will be briefly introduced below. Obviously, the accompanying drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0063] Figure 1 is a schematic diagram of the process of detecting Advanced Persistent Threat (APT) attack behavior provided in an embodiment of the present invention;
[0064] Figure 2 is a schematic diagram of an interaction spatiotemporal graph provided in an embodiment of the present invention;
[0065] Figure 3 is a schematic diagram of the network features of a screening model provided in an embodiment of the present invention;
[0066] Figure 4 is a schematic diagram of the detection process of a detection model provided in an embodiment of the present invention;
[0067] Figure 5 is a schematic diagram of another APT attack behavior detection method provided in an embodiment of the present invention;
[0068] Figure 6 is a schematic diagram of the structure of an advanced persistent threat (APT) attack behavior detection device provided in an embodiment of the present invention;
[0069] Figure 7 is a schematic diagram of another advanced persistent threat (APT) attack behavior detection device provided in an embodiment of the present invention;
[0070] Figure 8 is a schematic diagram of the structure of an electronic device provided in an embodiment of the present invention.
Detailed Description
[0071] To make the objectives, technical solutions, and advantages of this invention clearer, the invention will be further described in detail below with reference to the accompanying drawings. Obviously, the described embodiments are only a part of the embodiments of this invention, and not all of them. Based on the embodiments of this invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this invention.
[0072] Existing technologies can also employ big data solutions, which involve collecting large amounts of user behavior data, performing feature extraction and statistical analysis at the user level, and using anomaly analysis to determine threats. These methods are relatively simple and direct, but due to the lack of support from APT attack behavior characteristics of sample APT attack programs, the accuracy of identification is generally not high, and their practicality is poor.
[0073] Thus, edge-side analysis, through reverse engineering, sandboxing and other techniques, can provide in-depth analysis of attack principles, but it cannot enrich the sample set or discover more samples. On the other hand, network-side analysis using big data solutions has a global perspective and can more comprehensively discover and capture APT attack behaviors, but without accurate attack feature input, the likelihood of identifying and discovering APT attack behaviors is extremely low.
[0074] To enable the detection of all types of APT attacks, embodiments of the present invention provide a method, apparatus, device, and medium for detecting Advanced Persistent Threat (APT) attacks.
[0075] Example 1:
[0076] Figure 1 is a schematic diagram of the method for detecting Advanced Persistent Threat (APT) attack behavior provided by this invention, which includes the following steps:
[0077] S101: Obtain any sample interaction spatiotemporal graph and the corresponding first label information from the pre-saved sample set, adjust the parameter values of each parameter of the original neural network model, and obtain the trained detection model.
[0078] To detect all types of APT attacks, this invention provides a method for detecting Advanced Persistent Threat (APT) attacks, which is applied to an electronic device such as a host, tablet, laptop or smartphone, or to a server, which may be a local server or a cloud server. This invention imposes no restriction on this.
[0079] In order to detect all types of APT attacks, the electronic device pre-stores a sample set for training the detection model. The sample interaction spatiotemporal graphs in the sample set include interaction spatiotemporal graphs of the entities in data packets generated during APT attack processes and interaction spatiotemporal graphs of the entities in data packets generated during normal access processes. The first label information of each sample interaction spatiotemporal graph in the sample set is annotated manually in advance and identifies whether APT attack behavior is detected.
[0080] After the electronic device acquires any sample interaction spatiotemporal graph and the corresponding first label information from the sample set, the sample interaction spatiotemporal graph may be an interaction spatiotemporal graph composed of entities in the data packets generated during the APT attack process, or it may be an interaction spatiotemporal graph composed of entities in the data packets generated during the normal access process. The electronic device inputs any sample interaction spatiotemporal graph and the corresponding first label information into the original neural network model, adjusts the parameter values of each parameter of the original neural network model, and obtains the trained detection model.
[0081] S102: Obtain each data packet within a preset time range collected by the operator's network equipment, parse each IP address from all data packets, and determine the domain name corresponding to each IP address and the location of each IP address.
[0082] Since the transmission of data packets between each device on the Internet side needs to go through the operator's network equipment, which includes routers, gateways, communication base stations, etc., obtaining the entire network traffic in the Internet through the operator's network equipment can determine whether there is an APT attack.
[0083] The electronic device acquires each data packet within a preset time range collected by the operator's network equipment on the network side. The preset time range is set by the user. If it is desired to improve the detection efficiency, the preset time range can be set to a larger value, such as 1 hour or 3 hours. If it is desired to improve the detection accuracy, the preset time range can be set to a smaller value, such as 5 minutes, 10 minutes, or 15 minutes. The data packets include Domain Name System (DNS) packets, Hypertext Transfer Protocol (HTTP) / Hypertext Transfer Protocol over Secure Socket Layer (HTTPS) packets, and Transmission Control Protocol (TCP) / Internet Protocol (IP) five-tuple packets.
[0084] Each data packet is parsed according to its protocol to resolve each IP address. Based on each IP address, the corresponding domain name is determined. Each IP address is then queried to determine its location. The location specifically refers to the region code, latitude and longitude information, etc., of the IP address. The IP addresses are historically unique addresses, and the domain name is a string segmented into sections.
[0085] S103: Create entities corresponding to domain names, IP addresses, and home locations in the target interaction spatiotemporal graph of the operator's network equipment. If any two entities have an association relationship, connect the two entities and determine the connection characteristics corresponding to the two connected entities.
[0086] Based on each identified domain name, IP address, and location, create an entity corresponding to each domain name, IP address, and location in the target interaction time-space graph.
[0087] If a connection is established or data packets are exchanged between any two entities, the two entities are connected. For example, the entity corresponding to an IP address and the entity corresponding to the location of that IP address are associated, so the two entities are connected, and the connection feature between them is determined to be a location relation feature. The entity corresponding to a domain name and the entity corresponding to the IP address that the domain name resolves to are associated, so the two entities are connected, and the connection feature between them is determined to be a resolution relation feature. For each source IP address, the entity corresponding to the source IP address and the entity corresponding to its destination IP address are associated, so the two entities are connected, and the connection feature between them is determined to be a flow relation feature. The feature vector of the flow relation feature is determined based on the number of packets, the number of bytes, and the protocol type of the data packets sent from the source IP address to the destination IP address.
[0088] Figure 2 is a schematic diagram of an interaction spatiotemporal graph provided in an embodiment of the present invention. As shown in Figure 2, it contains entities corresponding to domain name 1, domain name 2, IP 1, IP 2, IP 3, location 1, and location 2 respectively. The entity corresponding to domain name 1 is connected to the entity corresponding to IP 1 and the corresponding resolution relationship features are: the entity corresponding to domain name 2 is connected to the entity corresponding to IP 2 and the corresponding resolution relationship features are: the entity corresponding to IP 1 is connected to the entity corresponding to location 1 and the corresponding location relationship features are: the entity corresponding to IP 2 is connected to the entity corresponding to location 2 and the corresponding location relationship features are: the entity corresponding to IP 3 is connected to the entity corresponding to location 2 and the corresponding location relationship features are: the entity corresponding to IP 1 is connected to the entity corresponding to IP 2 and the corresponding flow relationship features are: the entity corresponding to IP 1 is connected to the entity corresponding to IP 3 and the corresponding flow relationship features are: the entity corresponding to IP 1 is connected to the entity corresponding to IP 2 and the corresponding flow relationship features are: the entity corresponding to IP 1 is connected to the entity corresponding to IP 3 and the corresponding flow relationship features are: the entity corresponding to domain name 1 is connected to the entity corresponding to IP 2 ...
[0089] S104: Based on the pre-trained detection model, obtain the target detection result (whether APT attack behavior was detected) after the target interaction spatiotemporal graph is input into the detection model.
[0090] To determine whether an APT attack has been detected, the electronic device stores a pre-trained detection model. This detection model is a neural network model that uses a deep learning algorithm that can preserve spatiotemporal information.
[0091] After determining the target interaction spatiotemporal graph, the electronic device inputs the target interaction spatiotemporal graph into the detection model and obtains the target detection result output by the detection model. The target detection result may indicate that APT attack behavior has been detected or that no APT attack behavior has been detected.
[0092] Specifically, the Graph Convolutional Network (GCN) module of the detection model extracts feature vectors of spatial features from the spatiotemporal graph of the target interaction. Based on the feature vectors of spatial features, the Gated Recurrent Unit (GRU) module of the detection model extracts feature vectors of temporal features and inputs them into the fully connected layer of the detection module. The fully connected layer is used as the output layer to output the target detection result.
[0093] In this embodiment of the invention, the above steps are mainly focused on the network side. Each data packet of the network traffic collected by the operator's network equipment is obtained from the network side, and the above steps are used to identify and detect the network traffic, thereby outputting each target data packet of suspicious APT traffic.
[0094] In this embodiment of the invention, the method parses each domain name from each data packet collected by the operator's network equipment within a preset time range, and determines the IP address corresponding to each domain name and the location of each IP address. Entities corresponding to the domain name, IP address, and location are created in the spatiotemporal interaction graph. If any two entities are related, the two entities are connected, and the connection characteristics corresponding to the two connected entities are determined. The spatiotemporal interaction graph more fundamentally displays the temporal characteristics of APT attack behavior, thereby enabling the discovery and location of new APT attack behaviors and achieving the detection of all types of APT attack behaviors.
[0095] Example 2:
[0096] To improve detection efficiency, based on the above embodiments, in this embodiment of the invention, after acquiring each data packet within a preset time range collected by the operator's network equipment, and before parsing each IP address from all data packets and determining the domain name corresponding to each IP address and the location of each IP address, the method further includes:
[0097] Information about network features is obtained for each data packet within each preset time granularity within the preset time range. Each target data packet with the same traffic aggregation feature information in the network features is aggregated into a data packet set according to the preset time granularity. Each target feature vector of the network features in each data packet set is generated. The network features include traffic aggregation features, metadata features, and the number of data packets and bytes within the preset time granularity. The traffic aggregation features include source IP address, destination IP address, transport layer protocol, application layer protocol, and port number. The metadata features include at least one of the following: specific tag meaning carried by the HTTP address, keywords of the DNS domain name, and links of emails transmitted in the form of data packets.
[0098] Based on the pre-trained screening model, obtain the preliminary detection result of whether suspected APT attack behavior is detected after each target feature vector is input into the screening model;
[0099] If there is a target feature vector in each target feature vector of each data packet set within the preset time range that initially indicates a suspected APT attack, then for each target data packet set corresponding to the target feature vector that initially indicates a suspected APT attack, the steps of parsing each domain name from all first target data packets in each target data packet set and determining the IP address corresponding to each domain name and the location of each IP address are executed.
[0100] To improve the efficiency of APT attack detection, in this embodiment of the invention, after the electronic device acquires each data packet within a preset time range collected by the operator's network equipment, it acquires each data packet within each preset time granularity according to each preset time granularity within the preset time range. The preset time granularity can be 1 minute, 10 minutes, or 60 minutes.
[0101] For each data packet within a preset time granularity, network feature information is obtained by parsing each data packet within that preset time granularity. The network features include traffic aggregation features, metadata features, and the number of data packets and bytes within the preset time granularity. Based on the information of the traffic aggregation features in the network features, each target data packet with the same traffic aggregation feature information is identified. The traffic aggregation features include source IP address, destination IP address, transport layer protocol, application layer protocol, and port number. Each target data packet is aggregated into a data packet set according to the preset time granularity, and each target feature vector of the network features of each data packet set is generated.
[0102] Figure 3 is a schematic diagram of the network features of a screening model provided in an embodiment of the present invention. As shown in Figure 3, the network features include network traffic features and source IP / destination IP information. Network traffic features include protocol type, port information, number of packets and bytes in the last minute, number of packets and bytes in the last 10 minutes, and number of packets and bytes in the last 60 minutes. Protocol type includes transport layer protocols and application layer protocols. Source IP / destination IP information includes the IP address, the geographical location information of the IP address, the industry information of the IP address, and the domain name information associated with the IP address.
[0103] In order to quickly filter out abnormal data packets, the electronic device has a pre-stored filtering model. The filtering model is pre-trained to quickly filter out most normal data packets from massive traffic data packets, and retain only a small number of abnormal data packets.
[0104] For each target feature vector of each data packet set within a preset time range, the target feature vector is input into the filtering model to obtain the preliminary detection result of whether the suspected APT attack behavior is detected in the corresponding output of the filtering model.
[0105] If each target feature vector contains a target feature vector whose preliminary detection result indicates a suspected APT attack, then for each target data packet set corresponding to the target feature vector whose preliminary detection result indicates a suspected APT attack, each domain name is parsed from all the first target data packets in each target data packet set, and the IP address corresponding to each domain name and the location of each IP address are determined.
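The aggregation step of the screening stage (paragraphs [0097] to [0105]), as an added Python example that is not part of the patent: packets are grouped into data packet sets by the five traffic aggregation features per time granularity, and each set gets a target feature vector of protocol type, port, packet and byte counts over the last 1, 10 and 60 minutes, and the number of distinct metadata values. The packets, field names and window encoding are constructed here; the decision-tree screening model that consumes the vectors is not included.

```python
from collections import defaultdict
from dataclasses import dataclass

TRANSPORTS = ["tcp", "udp"]
APPS = ["dns", "http", "https", "other"]
WINDOWS_S = (60, 600, 3600)  # last 1, 10 and 60 minutes, as listed for the screening model


@dataclass(frozen=True)
class Packet:
    ts: int          # seconds since the start of the preset time range
    src: str         # source IP address
    dst: str         # destination IP address
    transport: str   # transport layer protocol
    app: str         # application layer protocol
    port: int        # port number
    size: int        # bytes
    meta: str = ""   # DNS domain name, HTTP address or mail link (metadata feature)


def aggregation_key(p):
    """Traffic aggregation features: the five values that define a data packet set."""
    return (p.src, p.dst, p.transport, p.app, p.port)


def aggregate(packets, granularity_s):
    """Group packets into data packet sets, one per (time bucket, aggregation key)."""
    sets = defaultdict(list)
    for p in packets:
        sets[(p.ts // granularity_s, aggregation_key(p))].append(p)
    return dict(sets)


def window_counts(history, end_ts):
    """Packets and bytes in each trailing window ending at end_ts (exclusive)."""
    feats = []
    for w in WINDOWS_S:
        in_win = [p for p in history if end_ts - w <= p.ts < end_ts]
        feats += [len(in_win), sum(p.size for p in in_win)]
    return feats


def feature_vectors(packets, granularity_s):
    """Target feature vector of every data packet set within the time range:
    [transport, app, port, pkts_1m, bytes_1m, pkts_10m, bytes_10m,
     pkts_60m, bytes_60m, distinct metadata values]."""
    by_key = defaultdict(list)
    for p in packets:
        by_key[aggregation_key(p)].append(p)  # full history per key feeds the windows
    vectors = {}
    for (bucket, key), pset in aggregate(packets, granularity_s).items():
        src, dst, transport, app, port = key
        end_ts = (bucket + 1) * granularity_s
        meta = {p.meta for p in pset if p.meta}
        vectors[(bucket, key)] = [
            TRANSPORTS.index(transport),
            APPS.index(app) if app in APPS else APPS.index("other"),
            port, *window_counts(by_key[key], end_ts), len(meta)]
    return vectors


# Constructed packets (not captured traffic): a web session and a DNS exchange
CONSTRUCTED_PACKETS = [
    Packet(5, "10.0.0.5", "203.0.113.9", "tcp", "https", 443, 1200),
    Packet(20, "10.0.0.5", "203.0.113.9", "tcp", "https", 443, 800),
    Packet(700, "10.0.0.5", "203.0.113.9", "tcp", "https", 443, 500),
    Packet(30, "10.0.0.5", "198.51.100.2", "udp", "dns", 53, 90, "site-a.example"),
    Packet(40, "10.0.0.5", "198.51.100.2", "udp", "dns", 53, 95, "site-a.example"),
]


def screening_features(granularity_s=60):
    """Target feature vectors of the constructed packets at one time granularity."""
    return feature_vectors(CONSTRUCTED_PACKETS, granularity_s)
```

The same packets produce different sets at a 60-second and a 600-second granularity, while the 10- and 60-minute counts reach back across bucket boundaries because they are computed over the full per-key history.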
[0106] Figure 4 is a schematic diagram of the detection process of a detection model provided in an embodiment of the present invention. As shown in Figure 4, the interaction graph corresponding to each time step of each target data packet set is input into the GCN module of the detection model to extract each feature vector of the spatial domain features of each interaction spatiotemporal graph. Each feature vector of the spatial domain features is input into the GRU module of the detection model to extract each feature vector of the temporal domain features. Each feature vector of the temporal domain features is input into the output layer to obtain the target detection result output by the detection model.
[0107] If no target feature vector has a preliminary detection result indicating that suspected APT attack behavior has been detected, then each data packet collected by the operator's network equipment within the next preset time range is acquired, and APT attack behavior is detected in each data packet within the next preset time range.
[0108] As one possible implementation, in this embodiment of the invention, both the screening model and the detection model are located in a two-layer model, and a multi-level hierarchical model is adopted, so as to balance the model detection efficiency and accuracy, and realize the detection of each target data packet of suspicious APT traffic from each data packet of massive network traffic.
[0109] In this embodiment of the invention, due to the large amount of network traffic data and the small amount of APT attack traffic data, a two-stage model is used to identify abnormal traffic from APT attacks. The first stage uses a simple decision tree-based filtering model to quickly filter out most normal traffic data from the massive amount of traffic, retaining only a small amount of suspected abnormal traffic data for the second stage model. The second stage constructs an interaction spatiotemporal graph based on sample data packets from the traffic, comprehensively depicting the recent network interaction behavior of the organization corresponding to this traffic. A classification model based on a Graph Convolutional Network (GCN) and a Gated Recurrent Unit (GRU) is then used to determine whether an APT attack has been detected.
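The second-stage detection model described in paragraphs [0092], [0106] and [0109], as an added pure-Python forward pass that is not the patent's implementation: one GCN layer with symmetric normalisation extracts spatial features from each time step's sub-graph, mean pooling turns them into a graph vector, a GRU accumulates the sequence of graph vectors, and a fully connected output layer yields the detection probability. Weights are seeded random values (untrained), node features are a constructed one-hot of the entity type, the snapshots are constructed, and the class and function names are this example's own; an empty snapshot (an idle time granularity) is handled explicitly.

```python
import math
import random


def matmul(a, b):
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*b)] for row in a]


def normalized_adjacency(adj):
    """D^-1/2 (A + I) D^-1/2, the propagation matrix of a GCN layer (A may be weighted)."""
    n = len(adj)
    a_hat = [[adj[i][j] + (1.0 if i == j else 0.0) for j in range(n)] for i in range(n)]
    d = [sum(row) ** -0.5 for row in a_hat]
    return [[d[i] * a_hat[i][j] * d[j] for j in range(n)] for i in range(n)]


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


class DetectionModel:
    """GCN (spatial features) -> mean pooling -> GRU (temporal features) -> FC output."""

    def __init__(self, in_dim, gcn_dim, gru_dim, seed=0):
        rng = random.Random(seed)  # constructed, untrained weights
        w = lambda r, c: [[rng.uniform(-0.5, 0.5) for _ in range(c)] for _ in range(r)]
        self.w_gcn = w(in_dim, gcn_dim)
        # GRU gates: z (update), r (reset), h (candidate); biases omitted for brevity
        self.wz, self.uz = w(gcn_dim, gru_dim), w(gru_dim, gru_dim)
        self.wr, self.ur = w(gcn_dim, gru_dim), w(gru_dim, gru_dim)
        self.wh, self.uh = w(gcn_dim, gru_dim), w(gru_dim, gru_dim)
        self.w_out = w(gru_dim, 1)
        self.gcn_dim, self.gru_dim = gcn_dim, gru_dim

    def spatial(self, adj, feats):
        """One GCN layer over a sub-graph, then mean pooling over its entities."""
        if not feats:                       # idle time granularity: no entities
            return [0.0] * self.gcn_dim
        h = matmul(matmul(normalized_adjacency(adj), feats), self.w_gcn)
        h = [[max(0.0, v) for v in row] for row in h]  # ReLU
        return [sum(row[j] for row in h) / len(h) for j in range(self.gcn_dim)]

    def gru_step(self, x, h):
        vec = lambda v, m: [sum(vi * mi for vi, mi in zip(v, col)) for col in zip(*m)]
        z = [sigmoid(a + b) for a, b in zip(vec(x, self.wz), vec(h, self.uz))]
        r = [sigmoid(a + b) for a, b in zip(vec(x, self.wr), vec(h, self.ur))]
        rh = [ri * hi for ri, hi in zip(r, h)]
        cand = [math.tanh(a + b) for a, b in zip(vec(x, self.wh), vec(rh, self.uh))]
        return [(1 - zi) * hi + zi * ci for zi, hi, ci in zip(z, h, cand)]

    def forward(self, snapshots):
        """snapshots: chronological list of (adjacency, node features), one per granularity."""
        h = [0.0] * self.gru_dim
        for adj, feats in snapshots:
            h = self.gru_step(self.spatial(adj, feats), h)
        logit = sum(hi * wi[0] for hi, wi in zip(h, self.w_out))
        return sigmoid(logit)  # probability that APT attack behaviour is present


ENTITY_TYPES = {"domain": [1.0, 0.0, 0.0], "ip": [0.0, 1.0, 0.0], "location": [0.0, 0.0, 1.0]}

# Constructed target interaction spatiotemporal graph: three time granularities,
# the middle one idle. Edges: domain-IP (resolution), IP-IP (flow), IP-location.
CONSTRUCTED_SNAPSHOTS = [
    ([[0, 1, 0, 0], [1, 0, 1, 1], [0, 1, 0, 1], [0, 1, 1, 0]],
     [ENTITY_TYPES[t] for t in ("domain", "ip", "ip", "location")]),
    ([], []),
    ([[0, 1, 1], [1, 0, 1], [1, 1, 0]],
     [ENTITY_TYPES[t] for t in ("ip", "ip", "location")]),
]


def detect(snapshots=CONSTRUCTED_SNAPSHOTS, seed=0):
    return DetectionModel(in_dim=3, gcn_dim=4, gru_dim=5, seed=seed).forward(snapshots)
```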
[0110] Example 3:
[0111] To establish a target interaction spatiotemporal graph, based on the above embodiments, in this embodiment of the invention, creating entities corresponding to domain names, IP addresses, and home locations respectively in the target interaction spatiotemporal graph of the operator network equipment and, if a connection is established or data packets are exchanged between any two entities, connecting the two entities and determining the connection features corresponding to the two connected entities includes:
[0112] For each preset time granularity within the preset time range, based on the target domain name corresponding to each target IP address and the target home location of each target IP address within the preset time granularity, entities corresponding to the target domain name, target IP address and target home location are created respectively in the sub-interaction spatiotemporal graph corresponding to the preset time granularity of the operator network device. If a connection is established or data packets are exchanged between any two entities, the two entities are connected and the connection characteristics corresponding to the two connected entities are determined.
[0113] Based on each sub-interaction spatiotemporal graph corresponding to each preset time granularity, the time sequence graph formed by combining the sub-interaction spatiotemporal graphs in chronological order is determined as the target interaction spatiotemporal graph of the operator's network equipment.
[0114] In order to establish a target interaction spatiotemporal graph, after the electronic device acquires each data packet within a preset time range, it determines each target IP address, the target domain name corresponding to each target IP address, and the target location of each target IP address in each data packet within each preset time granularity, based on each data packet corresponding to each preset time granularity within the preset time range.
[0115] In the sub-interaction spatiotemporal graph corresponding to each preset time granularity of the operator's network equipment, entities corresponding to each target IP address, each target domain name, and each target location are created respectively. If a connection is established or data packets are exchanged between any two entities, the two entities are connected, and the connection features corresponding to the two entities are determined.
[0116] Based on each sub-interaction spatiotemporal graph corresponding to each preset time granularity, the sub-interaction spatiotemporal graphs are combined in chronological order to obtain a time sequence graph, which is then determined as the target interaction spatiotemporal graph of the operator's network equipment.
[0117] For example, if the preset time range is 1 hour, then the traffic within the 1 hour before the current time is extracted, each data packet in that traffic is determined, and then, with 10 minutes as the preset time granularity, the target domain name corresponding to each target IP address and the target home location of each target IP address are determined for the data packets resolved within each 10-minute window, and a sub-interaction spatiotemporal graph is constructed for each 10 minutes. The sub-interaction spatiotemporal graphs for each 10 minutes are arranged in sequence to form a time sequence graph of length 6 as the target interaction spatiotemporal graph.
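Construction of the target interaction spatiotemporal graph, covering both the entity and connection-feature rules of paragraphs [0085] to [0088] and the per-granularity sub-graphs and time sequence of paragraphs [0112] to [0117], as an added Python example that is not the patent's code. Entities are domain names, IP addresses and locations; resolution, flow and location relations become edges, the flow feature carries packet count, byte count and protocol types; the DNS answers, flow records and the IP-to-location lookup are constructed stand-ins, and the type and function names are this example's own. The example generalises the text slightly by emitting an empty sub-graph for an idle time granularity so the sequence length is always the range divided by the granularity.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class InteractionGraph:
    """Entities are ("domain", name), ("ip", addr) or ("location", code);
    edges are keyed by (entity_a, entity_b, relation) and carry a connection feature."""
    entities: set = field(default_factory=set)
    edges: dict = field(default_factory=dict)

    def connect(self, a, b, relation, feature=None):
        self.entities.update((a, b))
        self.edges[(a, b, relation)] = feature


def build_subgraph(dns_records, flow_records, geo_lookup):
    """Sub-interaction spatiotemporal graph for one preset time granularity.

    dns_records: (ts, domain, resolved_ip); flow_records: (ts, src_ip, dst_ip,
    protocol, packets, bytes); geo_lookup: ip -> location code (constructed
    stand-in for the IP location query)."""
    g = InteractionGraph()
    ips = set()
    for _, domain, ip in dns_records:
        g.connect(("domain", domain), ("ip", ip), "resolution")  # resolution relation
        ips.add(ip)
    # Flow relation feature: packets, bytes and protocol types from src to dst,
    # accumulated over every record exchanged within this time granularity.
    totals = defaultdict(lambda: [0, 0, set()])
    for _, src, dst, proto, pkts, nbytes in flow_records:
        t = totals[(src, dst)]
        t[0] += pkts
        t[1] += nbytes
        t[2].add(proto)
        ips.update((src, dst))
    for (src, dst), (pkts, nbytes, protos) in totals.items():
        g.connect(("ip", src), ("ip", dst), "flow", [pkts, nbytes, sorted(protos)])
    # Location relation: every IP entity is linked to its location when one is known.
    for ip in ips:
        loc = geo_lookup.get(ip)
        if loc is not None:
            g.connect(("ip", ip), ("location", loc), "location")
    return g


def build_spatiotemporal_graph(dns_records, flow_records, geo_lookup, range_s, granularity_s):
    """Target interaction spatiotemporal graph: sub-graphs in chronological order,
    one per time granularity; records outside the preset time range are ignored."""
    steps = range_s // granularity_s
    dns_by_step, flows_by_step = defaultdict(list), defaultdict(list)
    for rec in dns_records:
        if 0 <= rec[0] < range_s:
            dns_by_step[rec[0] // granularity_s].append(rec)
    for rec in flow_records:
        if 0 <= rec[0] < range_s:
            flows_by_step[rec[0] // granularity_s].append(rec)
    return [build_subgraph(dns_by_step[i], flows_by_step[i], geo_lookup) for i in range(steps)]


# Constructed inputs (not captured traffic): timestamps are seconds into a 1-hour range
CONSTRUCTED_DNS = [(30, "site-a.example", "203.0.113.10"),
                   (1300, "site-b.example", "203.0.113.20")]
CONSTRUCTED_FLOWS = [(35, "10.0.0.5", "203.0.113.10", "tcp", 12, 9000),
                     (50, "10.0.0.5", "203.0.113.10", "tcp", 3, 400),
                     (1310, "10.0.0.5", "203.0.113.20", "udp", 2, 200)]
CONSTRUCTED_GEO = {"10.0.0.5": "L1", "203.0.113.10": "L2", "203.0.113.20": "L2"}


def example_sequence(range_s=3600, granularity_s=600):
    """Six 10-minute sub-graphs for the 1-hour range of the patent's example."""
    return build_spatiotemporal_graph(CONSTRUCTED_DNS, CONSTRUCTED_FLOWS,
                                      CONSTRUCTED_GEO, range_s, granularity_s)
```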
[0118] Example 4:
[0119] To achieve sample enrichment and detection of all types of APT attacks, based on the above embodiments, the method in this embodiment further includes:
[0120] If the target detection result indicates that an APT attack has been detected, then the target interaction spatiotemporal graph and the target detection result of the target interaction spatiotemporal graph are added to the sample set as the first label information;
[0121] Determine whether the time elapsed since the end of the last training session has reached a preset period. If so, retrain the detection model based on the updated sample set.
[0122] If the target detection result indicates that an APT attack has been detected, the target detection result of the target interaction spatiotemporal graph input to the detection model is used as the first label information. The target interaction spatiotemporal graph and the first label information are added to the sample set to obtain the updated sample set.
[0123] To determine whether to retrain the detection model, the electronic device pre-stores a preset period to determine the time elapsed since the last training session of the detection model. If the time elapsed since the last training session has reached the preset period, the detection model is retrained based on the updated sample set. If the time elapsed since the last training session has not reached the preset period, the device continues to acquire each data packet within the next preset time range collected by the operator's network equipment and performs APT attack detection on each data packet within the next preset time range.
[0124] Example 4:
[0125] To update the sample set, based on the above embodiments, in this embodiment of the invention, adding the target interaction spatiotemporal graph and the target detection results of the target interaction spatiotemporal graph as first label information to the sample set includes:
[0126] Based on each first source IP address and each first destination IP address of all first target data packets corresponding to the target interaction spatiotemporal graph, obtain each global data packet sent by the device with each first source IP address and the corresponding first destination IP address within all connection durations, and display each global data packet according to the connection timing relationship;
[0127] The system receives a user's selection operation, determines each target global data packet corresponding to the target connection based on the selection operation, and performs application-layer parsing on each target global data packet using any tool from a pre-saved toolset to obtain the target APT attack program. The target APT attack program and the target detection result are then added to the sample set as first tag information.
[0128] In order to update the sample set, in this embodiment of the invention, all first target data packets are parsed according to all first target data packets corresponding to the target interaction spatiotemporal graph, that is, all first target data packets in each target data packet set, to determine each first source IP address and each first destination IP address.
[0129] For each first source IP address and its corresponding first destination IP address, the system retrieves and stores every global data packet generated by the device with that first source IP address and its corresponding first destination IP address within all connection durations. Each global data packet is then displayed according to the connection sequence, specifically on the electronic device's screen. The duration range of all connections includes a preset duration range and multiple preset duration ranges preceding it.
[0130] After displaying each global data packet for each first source IP address and its corresponding first destination IP address according to the connection sequence, the electronic device receives a user selection operation. Specifically, this could be a press or click operation by the user on each displayed connection. Based on the selection operation, the target connection selected by the user is determined. Application-layer parsing is then performed on each target global data packet corresponding to the target connection. Specifically, any tool from a pre-saved toolset is used to parse each target global data packet; for example, this tool could be a botnet or worm system. This allows the target APT attack program to be obtained. The target APT attack program and the target detection result are then added to the sample set as the first tag information, resulting in an updated sample set. The target APT attack program could be a Trojan, a virus, or a malicious script.
[0131] To update the sample set, in this embodiment of the invention, adding the target APT attack program and the first tag information identifying detected APT attack behavior to the sample set includes:
[0132] Receive the target determination result of the target APT attack program. If the target determination result is that the target APT attack program is a homologous program of the sample APT attack programs in the sample set, then add the target APT attack program and the first label information that identifies the detected APT attack behavior to the subset of homologous sample APT attack programs in the sample set.
[0133] If the target determination result is that the target APT attack program is not homologous with any sample APT attack program in the sample set, then a new subset is created in the sample set, and the target APT attack program and the first label information that identifies the detected APT attack behavior are added to the new subset of the sample set.
[0134] After identifying the target APT attack program, the electronic device also needs to analyze the attack behavior of the target APT attack program. Specifically, it uses reverse engineering or sandboxing techniques to simulate and display the specific connection communication and attack process, and receives the target determination result of the target APT attack program. If the target determination result is that the target APT attack program is a homologous program of the sample APT attack programs in the sample set, then the first tag information of the detected APT attack behavior is marked on the target APT attack program, and the target APT attack program and the first tag information are added to the subset of homologous sample APT attack programs in the sample set.
[0135] If the target determination result is that the target APT attack program is not homologous with any sample APT attack program in the sample set, then a new subset is created in the sample set, the target APT attack program is marked with first label information indicating APT attack behavior, and the target APT attack program and the first label information are added to the new subset of the sample set.
[0136] In this embodiment of the invention, the above steps are mainly focused on the edge side. By identifying each target data packet of suspicious APT traffic, specific tools are used to further obtain APT attack programs. The APT attack programs that have been manually evaluated are added to the sample set. By repeating the above steps within a preset period, the APT attack programs in the sample set can be enriched. The continuously enriched sample set can further improve the precision and recall of the detection model. Furthermore, by continuously enriching the sample set and further abstracting the behavioral patterns, it is helpful to discover more APT attack programs.
[0137] Example 5:
[0138] To train the detection model, based on the above embodiments, the training process of the detection model in this embodiment includes:
[0139] Obtain any sample interaction spatiotemporal graph and corresponding first label information from a pre-saved sample set, wherein the first label information is used to identify whether the sample interaction spatiotemporal graph corresponds to APT attack behavior;
[0140] The sample interaction spatiotemporal graph is input into the original neural network model to obtain the second label information of the output sample interaction spatiotemporal graph;
[0141] Based on the first label information and the second label information, the parameter values of each parameter of the original neural network model are adjusted to obtain the trained detection model.
[0142] In order to train the detection model, this embodiment of the invention stores a sample set for training. The sample interaction spatiotemporal graph in the sample set includes the interaction spatiotemporal graph composed of entities in the data packets generated during the APT attack process and the interaction spatiotemporal graph composed of entities in the data packets generated during the normal access process. The first label information of the sample interaction spatiotemporal graph in the sample set is pre-annotated by humans, and the first label information is used to identify whether APT attack behavior is detected.
[0143] In this embodiment of the invention, after obtaining any sample interaction spatiotemporal graph and its first label information from the sample set, the sample interaction spatiotemporal graph is input into an original neural network model, which outputs the second label information of the sample interaction spatiotemporal graph. The second label information indicates whether the original neural network model has detected APT attack behavior based on the sample interaction spatiotemporal graph.
[0144] After determining the second label information of the sample interaction spatiotemporal graph based on the original neural network model, the original neural network model is trained based on the second label information and the first label information of the sample interaction spatiotemporal graph to adjust the parameter values of various parameters of the original neural network model.
[0145] The above operation is performed on every sample interaction spatiotemporal graph in the sample set used to train the original neural network model. When a preset condition is met, a trained detection model is obtained. This preset condition may be that the number of sample interaction spatiotemporal graphs in the sample set whose first and second label information matches after training with the original neural network model is greater than a set number; or that the number of iterations for training the original neural network model reaches a set maximum number of iterations, etc. Specifically, this application does not impose any restrictions on this.
[0146] As one possible implementation, when training the original neural network model, the spatiotemporal graph of sample interaction in the sample set can be divided into a training sample interaction spatiotemporal graph and a test sample interaction spatiotemporal graph. The original neural network model is first trained based on the training sample interaction spatiotemporal graph, and then the reliability of the trained detection model is tested based on the test sample interaction spatiotemporal graph.
[0147] In order to obtain the spatiotemporal graph of any sample interaction and the corresponding first label information in the sample set, in this embodiment of the invention, obtaining the pre-saved spatiotemporal graph of any sample interaction and the corresponding first label information includes:
[0148] Obtain a set of sample data packets for any normal access process or a sample APT attack program from a pre-saved sample set;
[0149] Based on each first sample data packet of the network communication process simulated using reverse engineering or sandboxing techniques on the sample APT attack program, a first sample interaction spatiotemporal graph of the sample APT attack program is generated, and the first tag information corresponding to the first sample interaction spatiotemporal graph is set as the tag information for detecting APT attack behavior; or
[0150] Based on each second sample data packet in the sample data packet set, a second sample interaction spatiotemporal graph of the sample data packet set is generated, and the first label information corresponding to the second sample interaction spatiotemporal graph is set as the label information of no APT attack behavior detected.
[0151] In order to train the detection model, the sample set contains a set of sample data packets of multiple normal access processes and a set of sample APT attack programs. The electronic device can obtain any set of sample data packets or sample APT attack programs from the sample set.
[0152] If a sample APT attack program is obtained, it is reproduced using reverse engineering or sandboxing techniques to simulate each first sample data packet in the network communication process. Based on each first sample data packet and the domain name, IP address, and location resolved from each first sample data packet, a first sample interaction spatiotemporal graph of the sample APT attack program is generated. The first label information corresponding to the first sample interaction spatiotemporal graph is set as the label information for detecting APT attack behavior.
[0153] If a set of sample data packets from a normal access process is obtained, each second sample data packet in the sample data packet set is parsed. Based on the domain name, IP address, and location parsed from each second sample data packet, a second sample interaction spatiotemporal graph of the sample data packet set is generated. The first label information corresponding to the second sample interaction spatiotemporal graph is set as the label information indicating that no APT attack behavior was detected.
[0154] Example 6:
[0155] To train the screening model, based on the above embodiments, the training process of the screening model in this embodiment of the invention includes:
[0156] Obtain the feature vector and first label information of any sample in the pre-saved sample set;
[0157] The sample feature vector is input into the original screening model to obtain the third label information of the output sample feature vector;
[0158] Based on the first label information and the third label information, the parameter values of each parameter of the original screening model are adjusted to obtain the trained screening model.
[0159] To train the screening model, this embodiment of the invention stores a sample set for training. The sample feature vectors in this set include feature vectors of network features from data packets generated during an APT attack and feature vectors of network features from data packets generated during normal access. The first label information is used to identify whether suspected APT attack behavior has been detected.
[0160] In this embodiment of the invention, after any sample feature vector and its first label information are obtained from the sample set, the sample feature vector is input into the original screening model, which outputs the third label information of the sample feature vector. The third label information indicates whether the original screening model has detected suspected APT attack behavior.
[0161] After the third label information of the sample feature vector has been determined by the original screening model, the original screening model is trained on the basis of the third label information and the first label information of the sample feature vector, adjusting the parameter values of the parameters of the original screening model.
[0162] The above operation is performed for each sample feature vector in the sample set used to train the original screening model. When a preset condition is met, the trained screening model is obtained. The preset condition may be that the number of sample feature vectors in the sample set whose first label information matches their third label information after training is greater than a set number, or that the number of training iterations of the original screening model has reached a set maximum, etc. This embodiment of the invention does not restrict the choice of condition.
[0163] As one possible implementation, when training the original screening model, the sample feature vectors in the sample set can be divided into training sample feature vectors and test sample feature vectors. The original screening model is first trained based on the training sample feature vectors, and then the reliability of the trained screening model is tested based on the test sample feature vectors.
[0164] In order to obtain any sample feature vector and first label information, in this embodiment of the invention, obtaining any sample feature vector and first label information from a pre-saved sample set includes:
[0165] Obtain a set of sample data packets for any normal access process or a sample APT attack program from a pre-saved sample set;
[0166] Based on each first sample data packet of the network communication process simulated by applying reverse engineering or sandboxing techniques to the sample APT attack program, obtain the network feature information of each first sample data packet; aggregate the first sample data packets with identical traffic aggregation feature information into first sample data packet sets according to the preset time granularity; generate a first sample feature vector of the network features for each first sample data packet set; and set the first label information corresponding to each first sample data packet set to the label information indicating that suspected APT attack behavior was detected; or
[0167] Based on each second sample data packet in the sample data packet set, obtain the network feature information of each second sample data packet; aggregate the second sample data packets with identical traffic aggregation feature information into second sample data packet sets according to the preset time granularity; generate a second sample feature vector of the network features for each second sample data packet set; and set the first label information corresponding to each second sample data packet set to the label information indicating that no suspected APT attack behavior was detected.
[0168] In order to train the screening model, the electronic device pre-stores a sample set containing multiple sets of sample data packets of normal access processes and multiple sample APT attack programs. The electronic device can obtain any set of sample data packets or sample APT attack programs from the sample set.
[0169] If a sample APT attack program is obtained, it is reproduced using reverse engineering or sandboxing techniques to simulate each first sample data packet in the network communication process. Each first sample data packet within each preset time granularity is then parsed to obtain information on the network characteristics of each first sample data packet within each preset time granularity.
[0170] For each preset time granularity, based on the network feature information of each first sample data packet within the preset time granularity, each first sample data packet with the same traffic aggregation feature information is determined and aggregated into each first sample data packet set according to the preset time granularity. Based on the network feature information in each first sample data packet set, each first sample feature vector of the network feature of each first sample data packet set is generated, and the first label information corresponding to each first sample data packet set is set as the label information for detecting suspected APT attack behavior.
[0171] If a set of sample data packets from a normal access process is obtained, network feature information for each second sample data packet within a preset time granularity is obtained based on each second sample data packet in the sample data packet set. For each preset time granularity, based on the network feature information of each second sample data packet within that preset time granularity, each second sample data packet with the same traffic aggregation feature information is determined and aggregated into a set of second sample data packets according to the preset time granularity. Based on the network feature information in each set of second sample data packets, a second sample feature vector for each network feature of each set of second sample data packets is generated, and the first label information corresponding to each set of second sample data packets is set as the label information indicating that no suspected APT attack behavior has been detected.
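As an added example (not code from the patent), the Python below carries out the aggregation just described: packets are grouped per preset time granularity by their traffic aggregation features, each group becomes one feature vector of packet count, byte count and metadata features, sample-group vectors are labelled as suspected APT behavior and control-group vectors as normal, and a depth-one decision tree is fitted on them as a minimal screening model. The packets, the 60-second granularity, the keyword list used as a metadata feature and the choice of a decision stump are assumptions for illustration.

```python
"""Screening-model feature vectors and a minimal screening model.

Added example, not the patent's code.  Packets are aggregated per preset
time granularity by their traffic aggregation features (source IP,
destination IP, transport protocol, application protocol); each aggregate
yields one feature vector.  Sample-group vectors get label 1 (suspected
APT), control-group vectors label 0.  The screening model is a depth-one
decision tree.  Packets, keywords and granularity are constructed/assumed.
"""
from collections import defaultdict
from dataclasses import dataclass

GRANULARITY = 60                                            # preset time granularity, seconds (assumed)
SUSPICIOUS_KEYWORDS = ("beacon", "update", "cdn-static")    # DNS/HTTP keyword list (assumed)


@dataclass(frozen=True)
class Packet:
    ts: int         # capture time, epoch seconds
    src: str
    dst: str
    proto: str      # transport-layer protocol
    app: str        # application-layer protocol
    port: int       # destination port
    size: int       # bytes on the wire
    meta: str = ""  # DNS name, HTTP path or mail link carried by the packet


def aggregation_key(p):
    """Traffic aggregation features plus the time window the packet falls in."""
    return (p.ts // GRANULARITY, p.src, p.dst, p.proto, p.app)


def feature_vectors(packets):
    """Aggregate packets into per-window sets; one vector per set.

    Vector layout: [packet count, byte count, port, suspicious-keyword flag].
    Keyed by aggregation key so a vector can be traced back to its packet set.
    """
    groups = defaultdict(list)
    for p in packets:
        groups[aggregation_key(p)].append(p)
    vectors = {}
    for key, pkts in groups.items():
        hit = any(k in p.meta.lower() for p in pkts for k in SUSPICIOUS_KEYWORDS)
        vectors[key] = [len(pkts), sum(p.size for p in pkts), pkts[0].port, int(hit)]
    return vectors


def labelled_samples(sample_group, control_group):
    """First label information: 1 for sample-group sets, 0 for control-group sets."""
    rows = [(v, 1) for v in feature_vectors(sample_group).values()]
    rows += [(v, 0) for v in feature_vectors(control_group).values()]
    return rows


def _gini(part):
    if not part:
        return 0.0
    p = sum(lbl for _, lbl in part) / len(part)
    return 1.0 - p * p - (1 - p) * (1 - p)


def _majority(part):
    return int(2 * sum(lbl for _, lbl in part) > len(part)) if part else 0


def train_stump(rows):
    """Depth-one decision tree: the (feature, threshold) split with lowest Gini.

    Returns (feature index, threshold, label if <= threshold, label if > threshold).
    """
    best = None
    for f in range(len(rows[0][0])):
        for thr in sorted({v[f] for v, _ in rows}):
            left = [r for r in rows if r[0][f] <= thr]
            right = [r for r in rows if r[0][f] > thr]
            score = (len(left) * _gini(left) + len(right) * _gini(right)) / len(rows)
            if best is None or score < best[0]:
                best = (score, f, thr, _majority(left), _majority(right))
    return best[1:]


def screen(stump, vector):
    """Preliminary detection result: 1 = suspected APT attack, 0 = normal traffic."""
    f, thr, left_label, right_label = stump
    return left_label if vector[f] <= thr else right_label


# Constructed sample group: a sandboxed script beaconing to a C2, then an FTP pull.
SAMPLE_GROUP = [
    Packet(t, "10.0.0.5", "198.51.100.7", "tcp", "http", 8080, 120, "/beacon?id=7")
    for t in range(0, 60, 10)
] + [
    Packet(65 + i, "10.0.0.5", "203.0.113.9", "tcp", "ftp", 21, 1460) for i in range(40)
]
# Constructed control group: an employee's mail and web traffic.
CONTROL_GROUP = [
    Packet(3, "10.0.0.8", "192.0.2.25", "tcp", "smtp", 465, 900, "smtp.b.com"),
    Packet(7, "10.0.0.8", "192.0.2.25", "tcp", "smtp", 465, 1200, "smtp.b.com"),
    Packet(9, "10.0.0.8", "192.0.2.80", "tcp", "https", 443, 600, "/index.html"),
    Packet(70, "10.0.0.8", "192.0.2.80", "tcp", "https", 443, 800, "/news"),
]

if __name__ == "__main__":
    stump = train_stump(labelled_samples(SAMPLE_GROUP, CONTROL_GROUP))
    print("stump (feature, threshold, label<=, label>):", stump)
    for key, vec in feature_vectors(SAMPLE_GROUP + CONTROL_GROUP).items():
        print(key, vec, "-> suspected" if screen(stump, vec) else "-> normal")
```

The aggregation key deliberately leaves out the port, so that a beaconing host that rotates ports still lands in one packet set per window; a real screening model would be trained on far more windows and features, but the labelling and the set-to-vector mapping are the same.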
[0172] In this embodiment of the invention, the above steps are carried out mainly on the end side. By analyzing the samples in the sample set on the end side, the sample feature vectors of the network features and the sample interaction spatiotemporal graphs are determined, and the training of the screening model and the detection model is completed.
[0173] In summary, this invention provides a global and universal method for detecting APT attack behavior. By comprehensively utilizing the advantages of in-depth sample analysis and accurate feature extraction from the endpoint sample set, and the comprehensive big data perspective and high modeling accuracy from the network side, a closed loop of "end-network-end" identification and analysis is formed, continuously and effectively identifying and establishing a rich sample library of APT attack programs in the sample set.
[0174] Example 7:
[0175] Figure 5 is a schematic diagram of another APT attack behavior detection method provided in an embodiment of the present invention. As shown in Figure 5, the process includes the following steps:
[0176] S501: Obtain a sample APT attack program from the sample group of the sample set.
[0177] S502: Reproduce the attack scenario using reverse engineering / sandboxing techniques to obtain each first sample data packet of the simulated network communication process.
[0178] S503: Based on each first sample data packet set, determine the first sample interaction spatiotemporal graph and the first sample feature vector of the network features of each first sample data packet set; obtain the sample data packet sets of normal access processes from the control group of the sample set, and determine the second sample feature vector of the network features of each second sample data packet set and the second sample interaction spatiotemporal graph; train the model, which consists of a screening model and a detection model.
[0179] S504: Obtain each data packet within a preset time range from the network-wide dataset collected by the operator's network equipment, and determine each set of data packets that meets the preset aggregation conditions at each preset time granularity, and generate each target feature vector for each set of data packets.
[0180] S505: Input each target feature vector into the screening model to determine the set of target data packets corresponding to the target feature vectors that are initially detected as suspected APT attack behaviors, and parse each target data packet in each target data packet set to obtain the target interaction spatiotemporal graph; input the target interaction spatiotemporal graph into the detection model to determine the target detection result.
[0181] S506: If the target detection result indicates that APT attack behavior was detected, then, based on each first source IP address and each first destination IP address of the first target data packets in each target data packet set, obtain every global data packet exchanged between the device at each first source IP address and the device at its corresponding first destination IP address across all connection time ranges, and display these global data packets in connection time order.
[0182] S507: Receive the user's selection operation, determine the target global data packets belonging to the selected connection, and use any tool in the pre-saved toolset to perform application-layer parsing on these target global data packets to obtain the target APT attack program. Add the target APT attack program, with the target detection result as its first label information, to the sample set, and re-execute from S501 once the time elapsed since the end of the last training reaches the preset period.
[0183] Because this invention combines end-side and network-side analysis, drawing on the fine granularity and accurate feature capture of end-side analysis and the comprehensive perspective of the network side, and relying on the high accuracy and recall of big data and refined models, it proposes for the first time a complete set of network-end linkage methods for discovering and tracing APT attacks at a higher level, from the perspective of a basic network operator. Rather than a discovery and tracing method for a single APT attack pattern, it offers a unified technical solution with good generality, applicable to almost all APT attacks that rely on network communication. In addition, it has an end-network analysis feedback loop, so the whole system can continuously evolve: as APT attack programs accumulate, the deep learning model can be continuously retrained and updated, so that core indicators such as accuracy and recall keep improving. This overcomes the weakness of earlier solutions based on simple thresholds and linear weighting, and has strong practicality.
[0184] Example 7:
[0185] The following is a specific embodiment of the APT attack detection method of the present invention. A malicious script captured in advance using honeypot technology is used as a sample APT attack program and added to the sample set. The detection model is trained using the interaction spatiotemporal graph obtained from the attack process of the malicious script. This allows sibling samples and variants of the malicious script to be detected, and allows it to be determined whether these sibling samples come from the same APT organization.
[0186] 1. The malicious script was reproduced using reverse engineering / sandboxing techniques to simulate its network communication process. Specifically, sandboxing was used to observe, in a test environment, the malicious script's reconnaissance, privilege escalation, infection, control and command flow, and the mechanisms behind them. The simulated network communication process of the malicious script is as follows:
[0187] Taking the process of organization A attacking company B as an example:
[0188] (1) Organization A set up a malicious mirror website (web service), reachable by DNS name (xxx.a.com);
[0189] (2) The attacking device logged into Company B's external website (b.com) and obtained information posted by employees;
[0190] (3) Employee Xiao Zhang's device received a fake web link from another employee Xiao Li's device via email (smtp.b.com), which pointed to a malicious website;
[0191] (4) Xiao Zhang's device receives the click on the link and, after resolving the IP through DNS, connects to the malicious website; the page loads a program containing shellcode that overflows the browser and triggers a File Transfer Protocol (FTP) download from ftp.c.com, implanting the malicious script on Xiao Zhang's device;
[0192] (5) The malicious script executes and takes control of Xiao Zhang's device, which then contacts the C2 server (IP: 202.101.xx) and continuously captures information such as the account password that Xiao Zhang's device uses to access the email server.
[0193] (6) The attacking device uses the information obtained to log in to the email server and obtain a large amount of sensitive email content.
[0194] 2. For data packets in the network communication process of malicious scripts, extract network features and organize the following features according to connection sequence relationships:
[0195] (1) IP1 connects to smtp.b.com:465 to send and receive emails.
[0196] (2) IP1 accesses DNS and resolves IP2 of xxx.a.com.
[0197] (3) IP1 connects to IP2 via HTTP / HTTPS.
[0198] (4) IP1 accesses DNS and resolves IP3 of ftp.c.com.
[0199] (5) IP1 connects to IP3 via FTP and a large amount of data is exchanged.
[0200] (6) IP1 is connected to IP4 of C2 to send heartbeat signals periodically.
[0201] (7) IP5 is observed initiating a large number of abnormal access and download operations against mail.b.com.
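The connection sequence above, as an added example that is not part of the patent: the Python below turns it into the interaction spatiotemporal graph the method describes, with one entity per domain name, IP address and location, an edge carrying the connection characteristics wherever two entities exchange data, one sub-graph per preset time granularity, and the sub-graphs combined in time order. It then reads two temporal features off the graph: the ordered list of contacts made by IP1, and the spacing of the IP1 to IP4 heartbeats. The timestamps, byte counts, ports, the 300-second granularity, the resolver data and the location table are constructed for illustration; IP1 to IP5 are the placeholders used in the text.

```python
"""Interaction spatiotemporal graph built from a connection sequence.

Added example, not the patent's code.  Entities are domain names, IP
addresses and geographic locations; two entities are joined whenever a
connection or data exchange links them (stored with its connection
characteristics) or when an IP resolves to a domain or sits at a location.
One sub-graph is built per preset time granularity and the sub-graphs are
combined in chronological order.  All event data below is constructed.
"""
from dataclasses import dataclass, field

GRANULARITY = 300   # seconds per sub-graph window (assumed)


@dataclass(frozen=True)
class Event:
    ts: int
    src_ip: str
    dst_ip: str
    proto: str
    port: int
    nbytes: int
    domain: str = ""   # domain name the destination IP was resolved from, if any


@dataclass
class SubGraph:
    window: int
    entities: set = field(default_factory=set)
    connections: list = field(default_factory=list)   # (a, b, characteristics), time-ordered
    relations: set = field(default_factory=set)       # (a, b, kind): "resolves" / "located"

    def connect(self, a, b, characteristics):
        self.entities.update((a, b))
        self.connections.append((a, b, characteristics))

    def relate(self, a, b, kind):
        self.entities.update((a, b))
        self.relations.add((a, b, kind))


def build_graph(events, location_of):
    """Return the target interaction spatiotemporal graph as time-ordered sub-graphs."""
    windows = {}
    for e in sorted(events, key=lambda e: e.ts):
        sg = windows.setdefault(e.ts // GRANULARITY, SubGraph(e.ts // GRANULARITY))
        src, dst = ("ip", e.src_ip), ("ip", e.dst_ip)
        sg.connect(src, dst, {"t": e.ts, "proto": e.proto, "port": e.port,
                              "bytes": e.nbytes, "domain": e.domain})
        if e.domain:                                   # IP entity <-> domain entity
            sg.relate(dst, ("domain", e.domain), "resolves")
        for node in (src, dst):                        # IP entity <-> location entity
            if node[1] in location_of:
                sg.relate(node, ("location", location_of[node[1]]), "located")
    return [windows[w] for w in sorted(windows)]


def contact_sequence(graph, src_ip):
    """Temporal feature: whom src_ip contacted, in order, across all sub-graphs."""
    return [c["domain"] or b[1]
            for sg in graph for a, b, c in sg.connections if a == ("ip", src_ip)]


def contact_intervals(graph, src_ip, dst_ip):
    """Gaps between successive connections of one pair; a flat list suggests beaconing."""
    times = [c["t"] for sg in graph for a, b, c in sg.connections
             if a == ("ip", src_ip) and b == ("ip", dst_ip)]
    return [t1 - t0 for t0, t1 in zip(times, times[1:])]


# Constructed timeline of the seven steps listed above.
EVENTS = [
    Event(0,    "IP1", "IP_SMTP", "tcp", 465,  4_000,      "smtp.b.com"),
    Event(30,   "IP1", "IP_DNS",  "udp", 53,   120),                       # resolves xxx.a.com -> IP2
    Event(35,   "IP1", "IP2",     "tcp", 443,  8_000,      "xxx.a.com"),
    Event(40,   "IP1", "IP_DNS",  "udp", 53,   120),                       # resolves ftp.c.com -> IP3
    Event(45,   "IP1", "IP3",     "tcp", 21,   5_000_000,  "ftp.c.com"),   # large FTP exchange
    Event(600,  "IP1", "IP4",     "tcp", 8443, 64),                        # C2 heartbeat
    Event(900,  "IP1", "IP4",     "tcp", 8443, 64),
    Event(1200, "IP1", "IP4",     "tcp", 8443, 64),
    Event(1500, "IP5", "IP_MAIL", "tcp", 993,  20_000_000, "mail.b.com"),  # abnormal mail download
]
LOCATION_OF = {"IP1": "city-B", "IP5": "city-B", "IP_SMTP": "city-B", "IP_MAIL": "city-B",
               "IP_DNS": "city-B", "IP2": "region-A", "IP4": "region-A", "IP3": "region-C"}

if __name__ == "__main__":
    graph = build_graph(EVENTS, LOCATION_OF)
    for sg in graph:
        print(f"window {sg.window}: {len(sg.entities)} entities, {len(sg.connections)} connections")
    print("IP1 contact sequence:", contact_sequence(graph, "IP1"))
    print("IP1 -> IP4 intervals:", contact_intervals(graph, "IP1", "IP4"))
```

The per-window split is what lets a sequence model see the order of events (mail, DNS, web, FTP, then heartbeats) rather than one flat set of edges, and the location entities are what let the detection model notice that the FTP and C2 endpoints sit outside the victim's region.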
[0202] 3. Train the model offline:
[0203] By extracting normal access behaviors related to the above process (such as accessing email servers) from historical data across the entire network of telecom operators, these behaviors serve as a control group for training the model. The trained model is obtained through the sample group and the control group, and is then used for subsequent network-side identification. This model consists of two layers: a screening model and a detection model.
[0204] (1) A high-performance screening model is used to quickly identify and filter out normal traffic, which accounts for more than 95% of data packets. For example, the screening model can be a decision tree model.
[0205] (2) A detection model with stronger descriptive power and higher recall is used for refined classification and recognition. As described above, a preset time range and the interaction spatiotemporal graph serve as the modeling basis; the detection model extracts spatial and temporal features respectively and outputs the final classification result. The detection model is a deep learning model.
[0206] 4. Use the data packets of traffic captured from the entire network to perform feature extraction and model detection.
[0207] The trained model is used to single out attack behaviors that closely resemble those of the known malicious script; the APT attack programs behind these behaviors are suspected to share a common origin with the known APT attack program.
[0208] For example, it was discovered that employee Xiao Wang's host IP was also subjected to a similar attack. At the same time, by utilizing the generalization ability of the model, another company was also located to have received a similar attack, suspected to be the work of the same APT group.
[0209] 5. For abnormal traffic that the model outputs as suspected APT attack behavior, sample extraction and analysis are performed using end-side techniques.
[0210] By combining existing sample replay and capture systems, the target APT attack program can be further recovered and confirmed:
[0211] (1) For Xiao Wang's device, observe the detailed traffic of Xiao Wang's access to the malicious website and recover the downloaded file samples from it.
[0212] (2) Perform end-side behavior analysis on the target APT attack program.
[0213] (3) On the basis of the end-side behavior analysis, it was determined that the target APT attack program on Xiao Wang's device is a variant of the malicious script from the same APT organization, completing the homology detection.
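As an added example (not the patent's code) of the sample recovery in step 5 above and of steps S506 and S507 earlier: given a flagged source/destination pair, the Python below pulls every packet between the two devices across the whole capture, lists them per connection in time order for the operator to pick from, and reassembles the server side of the chosen connection to recover the transferred file and hash it for the sample set. The capture (an FTP data connection delivered out of order with one retransmission, alongside control-channel and unrelated packets), the 1024-byte file standing in for the script, and the addresses are constructed; reassembly by TCP sequence number is a stand-in for the tool-based application-layer parsing the patent leaves open.

```python
"""Global packet retrieval and recovery of the transferred program.

Added example, not the patent's code.  After a target packet set is flagged,
every packet between the flagged source/destination devices over the whole
capture is pulled and listed per connection in time order; the selected
connection's server-side payload is reassembled to recover the downloaded
program and hash it for the sample set.  Capture, file and addresses are
constructed; sequence-number reassembly stands in for tool-based parsing.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def global_packets(capture, flagged_pairs):
    """All packets between the flagged (src, dst) device pairs, both directions, by time."""
    pairs = {frozenset(pair) for pair in flagged_pairs}
    return sorted((p for p in capture if frozenset((p.src, p.dst)) in pairs), key=lambda p: p.ts)


def connections(packets):
    """Group time-ordered packets by connection (both endpoints, direction-agnostic)."""
    conns = {}
    for p in packets:
        key = frozenset(((p.src, p.sport), (p.dst, p.dport)))
        conns.setdefault(key, []).append(p)
    return conns


def connection_timeline(packets):
    """What the operator is shown: one row per connection, in order of first packet."""
    return [(pkts[0].ts, pkts[0].src, pkts[0].dst, pkts[0].dport, len(pkts))
            for pkts in connections(packets).values()]


def reassemble(packets, server, sport):
    """Concatenate server->client payloads by sequence number.

    Retransmissions (same seq) are dropped; a hole in the byte stream raises,
    since a truncated program must not enter the sample set.
    """
    chunks = {}
    for p in packets:
        if p.src == server and p.sport == sport and p.payload:
            chunks.setdefault(p.seq, p.payload)
    if not chunks:
        raise ValueError("no server payload in this connection")
    base, data = min(chunks), bytearray()
    for seq in sorted(chunks):
        if seq - base != len(data):
            raise ValueError(f"gap before seq {seq}: only {len(data)} bytes recovered")
        data += chunks[seq]
    return bytes(data)


def recover_sample(capture, flagged_pairs, server, sport):
    """Target APT attack program recovered from the selected (server, port) connection."""
    for key, pkts in connections(global_packets(capture, flagged_pairs)).items():
        if (server, sport) in key:
            data = reassemble(pkts, server, sport)
            return {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data), "data": data}
    raise LookupError("selected connection not present among the global packets")


# Constructed capture: an FTP pull of a 1024-byte file, delivered out of order
# with one retransmission, plus control-channel and unrelated-host packets.
CLIENT, SERVER, OTHER = "10.0.0.5", "203.0.113.9", "10.0.0.8"
FILE = bytes(range(256)) * 4                                    # stand-in for the script
CHUNKS = [FILE[i:i + 300] for i in range(0, len(FILE), 300)]    # 300, 300, 300, 124 bytes
SEQ0 = 1_000_000


def _data(ts, idx):
    return Packet(ts, SERVER, CLIENT, 20, 40001, SEQ0 + 300 * idx, CHUNKS[idx])


CAPTURE = [
    Packet(10.0, CLIENT, SERVER, 40000, 21, 500, b"RETR sample.bin\r\n"),   # control channel
    Packet(10.1, OTHER, "192.0.2.80", 50000, 443, 7, b"\x16\x03\x01"),      # unrelated host
    _data(10.3, 0),
    _data(10.5, 2),                                                         # arrives early
    _data(10.6, 1),
    _data(10.7, 1),                                                         # retransmission
    Packet(10.8, CLIENT, SERVER, 40001, 20, 1, b""),                        # bare ACK
    _data(10.9, 3),
    Packet(11.0, CLIENT, SERVER, 40000, 21, 517, b"QUIT\r\n"),
]

if __name__ == "__main__":
    flagged = [(CLIENT, SERVER)]
    for row in connection_timeline(global_packets(CAPTURE, flagged)):
        print("connection:", row)
    sample = recover_sample(CAPTURE, flagged, SERVER, 20)
    print("recovered", sample["size"], "bytes, sha256", sample["sha256"])
```

The lookup is keyed on the device pair rather than on the flagged time range, which is the point of S506: the initial infection and the later beacons may sit in different windows, and the file has to be recovered from whichever connection carried it. A hole in the byte stream raises rather than returning a partial sample, because a truncated program added to the sample set would train the models on the wrong artefact.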
[0214] 6. Add the newly discovered target APT attack programs and attack patterns to the attack sample library for further processing.
[0215] (1) Add the confirmed target APT attack program to the sample set and classify it to determine the APT organization to which the target APT attack program belongs and the subset corresponding to the attack type.
[0216] (2) Repeat the above process, using in-depth analysis of end-side samples and a global perspective of the network side to continuously locate and discover new APT attack patterns; at the same time, as samples accumulate, the detection capability of the model is continuously improved.
[0217] Example 8:
[0218] Figure 6 is a schematic diagram of the structure of an Advanced Persistent Threat (APT) attack behavior detection device provided in an embodiment of the present invention. As shown in Figure 6, the device includes:
[0219] The training module 601 is used to obtain the spatiotemporal graph of any sample interaction in the pre-saved sample set and the corresponding first label information, and to adjust the parameter values of each parameter of the original neural network model to obtain the trained detection model.
[0220] The acquisition module 602 is used to acquire each data packet within a preset time range collected by the operator's network equipment, parse each IP address from all data packets, and determine the domain name corresponding to each IP address and the location of each IP address.
[0221] The processing module 603 is used to create entities corresponding to domain names, IP addresses and home locations respectively in the target interaction spatiotemporal graph of the operator network equipment. If a connection is established or data packets are exchanged between any two entities, the two entities are connected and the connection characteristics corresponding to the two connected entities are determined.
[0222] The detection module 604 is used to obtain the target detection result of whether APT attack behavior is detected after the target interaction spatiotemporal graph is input into the detection model based on the pre-trained detection model.
[0223] Furthermore, the acquisition module 602 is also used, after acquiring each data packet collected by the operator's network equipment and before parsing each IP address from all data packets and determining the domain name and location of each IP address, to obtain the network feature information of each data packet within each preset time granularity of the preset time range; to aggregate the target data packets whose traffic aggregation feature information in the network features is identical into a data packet set according to the preset time granularity; and to generate each target feature vector of the network features for each data packet set. The network features include traffic aggregation features, metadata features, and the number of data packets and bytes within the preset time granularity. The traffic aggregation features include the source IP address, destination IP address, transport layer protocol and application layer protocol. The metadata features include at least one of the following: port number, the specific tag meaning carried by the HTTP address, keywords of the DNS domain name, and links of emails transmitted in the form of data packets. Based on the pre-trained screening model, the preliminary detection result of whether suspected APT attack behavior is detected is obtained after each target feature vector is input into the screening model. If, among the target feature vectors of the data packet sets within the preset time range, there is a target feature vector whose preliminary detection result is suspected APT attack behavior, then for each target data packet set corresponding to such a target feature vector, the steps of parsing each IP address from all first target data packets in the target data packet set and determining the domain name corresponding to each IP address and the location of each IP address are executed.
[0224] Further, the processing module 603 is specifically used to create, based on the target domain name corresponding to each target IP address and the target location of each target IP address within each preset time granularity, entities corresponding to the target domain name, target IP address and target location in the sub-interaction spatiotemporal graph corresponding to that preset time granularity within the preset time range; if a connection is established or data packets are exchanged between any two entities, to connect the two entities and determine the connection characteristics corresponding to them; and, based on the sub-interaction spatiotemporal graphs corresponding to the preset time granularities, to determine the time sequence formed by combining the sub-interaction spatiotemporal graphs in chronological order as the target interaction spatiotemporal graph of the operator network equipment.
[0225] Furthermore, the device also includes:
[0226] The update module 605 is used to add the target interaction spatiotemporal graph and the target detection result of the target interaction spatiotemporal graph as the first label information to the sample set if the target detection result is that APT attack behavior is detected; determine whether the time from the current time to the end of the last training has reached a preset period, and if so, retrain the detection model according to the updated sample set.
[0227] Further, the update module 605 is specifically used to obtain, based on each first source IP address and each first destination IP address of all first target data packets corresponding to the target interaction spatiotemporal graph, each global data packet sent by the device corresponding to each first source IP address and each first destination IP address within all connection durations, and display each global data packet according to the connection timing relationship; receive the user's selection operation, determine each target global data packet corresponding to the target connection according to the selection operation, and use any tool in the pre-saved toolset to perform application layer parsing on each target global data packet to obtain the target APT attack program, and add the target APT attack program and the target detection result as first tag information to the sample set.
[0228] Further, the update module 605 is specifically used to receive the target determination result of the target APT attack program. If the target determination result indicates that the target APT attack program is a homologous program of the sample APT attack programs in the sample set, then the target APT attack program and the first tag information identifying detected APT attack behavior are added to the subset of homologous sample APT attack programs in the sample set. If the target determination result indicates that the target APT attack program is a non-homologous program of the sample APT attack programs in the sample set, then a new subset is created in the sample set, and the target APT attack program and the first tag information identifying detected APT attack behavior are added to the newly created subset of the sample set.
[0229] Further, the training module 601 is used to acquire any sample interaction spatiotemporal graph and corresponding first label information from a pre-saved sample set, wherein the first label information is used to identify whether the sample interaction spatiotemporal graph corresponds to APT attack behavior; input the sample interaction spatiotemporal graph into the original neural network model, and acquire the second label information of the output sample interaction spatiotemporal graph; adjust the parameter values of each parameter of the original neural network model according to the first label information and the second label information to obtain the trained detection model.
[0230] Further, the training module 601 is specifically used to acquire a set of sample data packets or sample APT attack programs for any normal access process in a pre-saved sample set; generate a first sample interaction spatiotemporal graph of the sample APT attack program based on each first sample data packet of the network communication process simulated by reverse engineering or sandboxing technology for the sample APT attack program, and set the first label information corresponding to the first sample interaction spatiotemporal graph as label information for detecting APT attack behavior; or generate a second sample interaction spatiotemporal graph of the sample data packet set based on each second sample data packet in the sample data packet set, and set the first label information corresponding to the second sample interaction spatiotemporal graph as label information for not detecting APT attack behavior.
[0231] Furthermore, the training module 601 is used to obtain the feature vector of any sample in the pre-saved sample set and the first label information; input the sample feature vector into the original screening model to obtain the third label information of the output sample feature vector; and adjust the parameter values of each parameter of the original screening model according to the first label information and the third label information to obtain the trained screening model.
[0232] Further, the training module 601 is specifically used to obtain a set of sample data packets or sample APT attack programs for any normal access process in a pre-saved sample set; based on each first sample data packet of a network communication process simulated by reverse engineering or sandboxing technology on the sample APT attack program, obtain the network feature information of each first sample data packet within each preset time granularity; aggregate each first sample data packet with the same traffic aggregation feature information into each first sample data packet set according to the preset time granularity, generate each first sample feature vector of the network feature of each first sample data packet set, and set the first label information corresponding to each first sample data packet set as the label information for detecting APT attack behavior; or based on each second sample data packet in the sample data packet set, obtain the network feature information of each second sample data packet within each preset time granularity; aggregate each second sample data packet with the same traffic aggregation feature information into each second sample data packet set according to the preset time granularity, generate each second sample feature vector of the network feature of each second sample data packet set, and set the first label information corresponding to each second sample data packet set as the label information for not detecting APT attack behavior.
[0233] Figure 7 is a schematic diagram of another advanced persistent threat (APT) attack behavior detection device provided in an embodiment of the present invention. As shown in Figure 7, the device includes: an active / passive behavior detection module 701, a feature extraction / modeling module 702, a traffic capture module 703, and an end-side sample capture module 704.
[0234] The active / passive behavior detection module 701 is used to obtain captured sample APT attack programs from the sample set, reproduce them using reverse engineering / sandboxing and other detection methods, simulate each first sample data packet of the network communication process, and extract attack behavior features; the feature extraction / modeling module 702 is used to train the screening model and detection model in the two-layer model based on the attack behavior features obtained from the active / passive behavior detection module 701. The active / passive behavior detection module 701 and the feature extraction / modeling module 702 are equivalent to the training module 601 in this embodiment of the invention.
[0235] The traffic capture module 703 is used to acquire each data packet of network traffic collected by the operator's network equipment across the entire network, and determine the target detection result based on the two-layer model, thereby identifying all first target data packets of suspicious APT traffic of APT attack behavior, which is equivalent to the acquisition module 602, processing module 603 and detection module 604 in the embodiment of the present invention.
[0236] The end-side sample capture module 704 is used to recover the complete target APT attack program from the traffic data (such as pcap data) of all first target data packets of suspicious APT traffic obtained by the traffic capture module 703, using end-side capture methods such as those applied to mobile malware and botnet samples. It is equivalent to the update module 605 in this embodiment of the invention.
[0237] Example 8:
[0238] Figure 8 is a schematic diagram of the structure of an electronic device provided by an embodiment of the present invention. Based on the above embodiments, this invention also provides an electronic device. As shown in Figure 8, it includes: processor 801, communication interface 802, memory 803 and communication bus 804, wherein processor 801, communication interface 802 and memory 803 communicate with each other through communication bus 804.
[0239] The memory 803 stores a computer program, which, when executed by the processor 801, causes the processor 801 to perform the steps of the Advanced Persistent Threat (APT) attack behavior detection method in the above embodiments.
[0240] The communication bus mentioned in the above electronic devices can be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc. This communication bus can be divided into address bus, data bus, control bus, etc. For ease of illustration, only one thick line is used to represent it in the diagram, but this does not mean that there is only one bus or one type of bus.
[0241] Communication interface 802 is used for communication between the above-mentioned electronic device and other devices.
[0242] The memory may include random access memory (RAM) or non-volatile memory (NVM), such as at least one disk storage device. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
[0243] The processors mentioned above can be general-purpose processors, including central processing units, network processors (NPs), etc.; they can also be digital signal processors (DSPs), application-specific integrated circuits, field-programmable gate arrays or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.
[0244] Example 9:
[0245] Based on the above embodiments, this application also provides a computer-readable storage medium storing a computer program executable by a processor. When the program is run on the processor, it causes the processor to execute the steps of the Advanced Persistent Threat (APT) attack behavior detection method in the above embodiments.
[0246] Those skilled in the art will understand that embodiments of this application can be provided as methods, systems, or computer program products. Therefore, this application can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this application can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0247] This application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to this application. It should be understood that each process and/or block of the flowchart illustrations and/or block diagrams, and combinations of processes and/or blocks in them, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing apparatus to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing apparatus produce means for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
[0248] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means that implement the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
[0249] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, such that the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more processes of the flowchart and/or one or more blocks of the block diagram.
[0250] Obviously, those skilled in the art can make various modifications and variations to this application without departing from the spirit and scope of this application. Therefore, if such modifications and variations fall within the scope of the claims of this application and their equivalents, this application also intends to include such modifications and variations.
Claims
1. An advanced persistent threat (APT) attack behavior detection method, characterized in that the method includes: obtaining any sample interaction spatiotemporal graph and the corresponding first label information from a pre-saved sample set, and adjusting the parameter values of each parameter of an original neural network model to obtain a trained detection model, wherein the sample interaction spatiotemporal graph is created based on the entities corresponding to the domain names, IP addresses and home locations in the data packets and on the connection relationships between the entities; acquiring each data packet within a preset time range collected by the operator's network equipment, parsing each IP address from all data packets, and determining the domain name corresponding to each IP address and the home location of each IP address; creating, in the target interaction spatiotemporal graph of the operator's network equipment, entities corresponding to the domain names, the IP addresses and the home locations respectively, wherein if a connection is established or data packets are exchanged between any two IP address entities, the two IP address entities are connected and the connection features corresponding to the two connected IP address entities are determined, and for each IP address entity, if the IP address entity has a corresponding domain name entity, the IP address entity and the corresponding domain name entity are connected and the connection features between them are determined, and if the IP address entity has a corresponding home location entity, the IP address entity and the corresponding home location entity are connected and the connection features between them are determined; and inputting the target interaction spatiotemporal graph into the pre-trained detection model to obtain a target detection result indicating whether APT attack behavior was detected.
2. The method of claim 1, wherein, after acquiring each data packet within the preset time range collected by the operator's network equipment and before parsing each IP address from all data packets and determining the domain name corresponding to each IP address and the home location of each IP address, the method further includes: obtaining network feature information for each data packet within each preset time granularity of the preset time range, aggregating the target data packets with the same traffic aggregation feature information into data packet sets according to the preset time granularity, and generating a target feature vector of the network features for each data packet set, wherein the network features include traffic aggregation features, metadata features, and the numbers of data packets and bytes within the preset time granularity; the traffic aggregation features include source IP address, destination IP address, transport-layer protocol, application-layer protocol and port number; and the metadata features include at least one of the specific tag meaning carried by the HTTP address, keywords of the DNS domain name, and links of emails transmitted in the form of data packets; inputting each target feature vector into a pre-trained screening model to obtain a preliminary detection result indicating whether suspected APT attack behavior was detected; and if, among the target feature vectors of the data packet sets within the preset time range, there is a target feature vector whose preliminary detection result indicates suspected APT attack behavior, executing, for each target data packet set corresponding to such a target feature vector, the steps of parsing each IP address from all first target data packets in the target data packet set and determining the domain name corresponding to each IP address and the home location of each IP address.
3. The method of claim 2, wherein the step of creating entities corresponding to the domain names, IP addresses and home locations in the target interaction spatiotemporal graph of the operator's network equipment and, if a connection is established or data packets are exchanged between any two entities, determining the connection features corresponding to the two connected entities includes: for each preset time granularity within the preset time range, based on the target domain name corresponding to each target IP address and the target home location of each target IP address within that preset time granularity, creating entities corresponding to the target domain names, target IP addresses and target home locations respectively in the sub-interaction spatiotemporal graph of the operator's network equipment corresponding to that preset time granularity, and if a connection is established or data packets are exchanged between any two entities, connecting the two entities and determining the connection features corresponding to the two connected entities; and determining, based on the sub-interaction spatiotemporal graphs corresponding to the preset time granularities, the time sequence graph formed by combining the sub-interaction spatiotemporal graphs in chronological order as the target interaction spatiotemporal graph of the operator's network equipment.
4. The method of claim 3, wherein the method further includes: if the target detection result indicates that APT attack behavior was detected, adding the target interaction spatiotemporal graph to the sample set with its target detection result as first label information; and determining whether the time elapsed since the end of the last training has reached a preset period and, if so, retraining the detection model based on the updated sample set.
5. The method of claim 4, wherein the step of adding the target interaction spatiotemporal graph to the sample set with its target detection result as first label information includes: based on each first source IP address and each first destination IP address of all first target data packets corresponding to the target interaction spatiotemporal graph, obtaining each global data packet sent between the device with each first source IP address and the corresponding first destination IP address within all connection durations, and displaying the global data packets according to the connection timing relationship; receiving a user's selection operation, determining each target global data packet corresponding to the target connection based on the selection operation, and performing application-layer parsing on each target global data packet using any tool from a pre-saved toolset to obtain the target APT attack program; and adding the target APT attack program to the sample set with the target detection result as first label information.
6. The method of claim 5, wherein the step of adding the target APT attack program and the first label information identifying detected APT attack behavior to the sample set includes: receiving the target determination result of the target APT attack program; if the target determination result is that the target APT attack program is a homologous program of sample APT attack programs in the sample set, adding the target APT attack program and the first label information identifying detected APT attack behavior to the subset of those homologous sample APT attack programs in the sample set; and if the target determination result is that the target APT attack program is not homologous to any sample APT attack program in the sample set, creating a new subset in the sample set and adding the target APT attack program and the first label information identifying detected APT attack behavior to the new subset.
7. The method of claim 1, wherein the training process of the detection model includes: obtaining any sample interaction spatiotemporal graph and the corresponding first label information from the pre-saved sample set, wherein the first label information identifies whether the sample interaction spatiotemporal graph corresponds to APT attack behavior; inputting the sample interaction spatiotemporal graph into the original neural network model to obtain the output second label information of the sample interaction spatiotemporal graph; and adjusting the parameter values of each parameter of the original neural network model based on the first label information and the second label information to obtain the trained detection model.
8. The method of claim 7, wherein the step of obtaining any sample interaction spatiotemporal graph and the corresponding first label information from the pre-saved sample set includes: obtaining, from the pre-saved sample set, a sample data packet set of any normal access process or a sample APT attack program; and either generating a first sample interaction spatiotemporal graph of the sample APT attack program based on each first sample data packet of the network communication process simulated by reverse engineering or sandboxing of the sample APT attack program, and setting the first label information corresponding to the first sample interaction spatiotemporal graph as label information indicating that APT attack behavior was detected; or generating a second sample interaction spatiotemporal graph of the sample data packet set based on each second sample data packet in the sample data packet set, and setting the first label information corresponding to the second sample interaction spatiotemporal graph as label information indicating that no APT attack behavior was detected.
9. The method of claim 2, wherein the training process of the screening model includes: obtaining any sample feature vector and the corresponding first label information from the pre-saved sample set; inputting the sample feature vector into an original screening model to obtain the output third label information of the sample feature vector; and adjusting the parameter values of each parameter of the original screening model based on the first label information and the third label information to obtain the trained screening model.
10. The method of claim 9, characterized in that the step of obtaining any sample feature vector and the corresponding first label information from the pre-saved sample set includes: obtaining, from the pre-saved sample set, a sample data packet set of any normal access process or a sample APT attack program; and either obtaining, based on each first sample data packet of the network communication process simulated by reverse engineering or sandboxing of the sample APT attack program, the network feature information of each first sample data packet within each preset time granularity, aggregating the first sample data packets with the same traffic aggregation feature information into first sample data packet sets according to the preset time granularity, generating a first sample feature vector of the network features for each first sample data packet set, and setting the first label information corresponding to each first sample data packet set as label information indicating that suspected APT attack behavior was detected; or obtaining, based on each second sample data packet in the sample data packet set, the network feature information of each second sample data packet within each preset time granularity, aggregating the second sample data packets with the same traffic aggregation feature information into second sample data packet sets according to the preset time granularity, generating a second sample feature vector of the network features for each second sample data packet set, and setting the first label information corresponding to each second sample data packet set as label information indicating that no suspected APT attack behavior was detected.
11. A device for detecting advanced persistent threat (APT) attack behavior, characterized in that the device includes: a training module, configured to obtain any sample interaction spatiotemporal graph and the corresponding first label information from a pre-saved sample set and to adjust the parameter values of each parameter of an original neural network model to obtain a trained detection model, wherein the sample interaction spatiotemporal graph is created based on the entities corresponding to the domain names, IP addresses and home locations in the data packets and on the connection relationships between the entities; an acquisition module, configured to acquire each data packet within a preset time range collected by the operator's network equipment, parse each IP address from all data packets, and determine the domain name corresponding to each IP address and the home location of each IP address; a processing module, configured to create, in the target interaction spatiotemporal graph of the operator's network equipment, entities corresponding to the domain names, the IP addresses and the home locations respectively, wherein if a connection is established or data packets are exchanged between any two IP address entities, the module connects the two IP address entities and determines the connection features corresponding to the two connected IP address entities, and for each IP address entity, if the IP address entity has a corresponding domain name entity, the module connects the IP address entity with the corresponding domain name entity and determines the connection features between them, and if the IP address entity has a corresponding home location entity, the module connects the IP address entity with the corresponding home location entity and determines the connection features between them; and a detection module, configured to input the target interaction spatiotemporal graph into the pre-trained detection model and obtain a target detection result indicating whether APT attack behavior was detected.
12. The device according to claim 11, characterized in that the acquisition module is further configured to, after acquiring each data packet within the preset time range collected by the operator's network equipment and before parsing each IP address from all data packets and determining the domain name corresponding to each IP address and the home location of each IP address, obtain network feature information for each data packet within each preset time granularity of the preset time range, aggregate the target data packets with the same traffic aggregation feature information into data packet sets according to the preset time granularity, and generate a target feature vector of the network features for each data packet set, wherein the network features include traffic aggregation features, metadata features, and the numbers of data packets and bytes within the preset time granularity; the traffic aggregation features include source IP address, destination IP address, transport-layer protocol, application-layer protocol and port number; and the metadata features include at least one of the specific tag meaning carried by the HTTP address, keywords of the DNS domain name, and links of emails transmitted in the form of data packets; input each target feature vector into a pre-trained screening model to obtain a preliminary detection result indicating whether suspected APT attack behavior was detected; and if, among the target feature vectors of the data packet sets within the preset time range, there is a target feature vector whose preliminary detection result indicates suspected APT attack behavior, execute, for each target data packet set corresponding to such a target feature vector, the steps of parsing each IP address from all first target data packets in the target data packet set and determining the domain name corresponding to each IP address and the home location of each IP address.
13. The device according to claim 12, characterized in that the processing module is specifically configured to: for each preset time granularity within the preset time range, based on the target domain name corresponding to each target IP address and the target home location of each target IP address within that preset time granularity, create entities corresponding to the target domain names, target IP addresses and target home locations respectively in the sub-interaction spatiotemporal graph corresponding to that preset time granularity, and if a connection is established or data packets are exchanged between any two entities, connect the two entities and determine the connection features corresponding to the two connected entities; and determine, based on the sub-interaction spatiotemporal graphs corresponding to the preset time granularities, the time sequence graph formed by combining the sub-interaction spatiotemporal graphs in chronological order as the target interaction spatiotemporal graph of the operator's network equipment.
14. The device according to claim 13, characterized in that the device further includes an update module, configured to add the target interaction spatiotemporal graph to the sample set with its target detection result as first label information if the target detection result indicates that APT attack behavior was detected, and to determine whether the time elapsed from the end of the last training to the current time has reached a preset period and, if so, retrain the detection model according to the updated sample set.
15. The device according to claim 14, characterized in that the update module is specifically configured to: based on each first source IP address and each first destination IP address of all first target data packets corresponding to the target interaction spatiotemporal graph, obtain each global data packet sent between the device with each first source IP address and the corresponding first destination IP address within all connection durations, and display the global data packets according to the connection timing relationship; receive a user's selection operation, determine each target global data packet corresponding to the target connection based on the selection operation, and perform application-layer parsing on each target global data packet using any tool in a pre-saved toolset to obtain the target APT attack program; and add the target APT attack program to the sample set with the target detection result as first label information.
16. The device according to claim 15, characterized in that the update module is specifically configured to receive the target determination result of the target APT attack program; if the target determination result is that the target APT attack program is a homologous program of sample APT attack programs in the sample set, add the target APT attack program and the first label information identifying detected APT attack behavior to the subset of those homologous sample APT attack programs in the sample set; and if the target determination result is that the target APT attack program is not homologous to any sample APT attack program in the sample set, create a new subset in the sample set and add the target APT attack program and the first label information identifying detected APT attack behavior to the new subset.
17. The device according to claim 11, characterized in that the training module is configured to obtain any sample interaction spatiotemporal graph and the corresponding first label information from the pre-saved sample set, wherein the first label information identifies whether the sample interaction spatiotemporal graph corresponds to APT attack behavior; input the sample interaction spatiotemporal graph into the original neural network model to obtain the output second label information of the sample interaction spatiotemporal graph; and adjust the parameter values of each parameter of the original neural network model according to the first label information and the second label information to obtain the trained detection model.
18. The device according to claim 17, characterized in that the training module is specifically configured to obtain, from the pre-saved sample set, a sample data packet set of any normal access process or a sample APT attack program; and either generate a first sample interaction spatiotemporal graph of the sample APT attack program based on each first sample data packet of the network communication process simulated by reverse engineering or sandboxing of the sample APT attack program, and set the first label information corresponding to the first sample interaction spatiotemporal graph as label information indicating that APT attack behavior was detected; or generate a second sample interaction spatiotemporal graph of the sample data packet set based on each second sample data packet in the sample data packet set, and set the first label information corresponding to the second sample interaction spatiotemporal graph as label information indicating that no APT attack behavior was detected.
19. The device according to claim 12, characterized in that the training module is further configured to obtain any sample feature vector and the corresponding first label information from the pre-saved sample set; input the sample feature vector into an original screening model to obtain the output third label information of the sample feature vector; and adjust the parameter values of each parameter of the original screening model according to the first label information and the third label information to obtain the trained screening model.
20. The device according to claim 19, characterized in that the training module is specifically configured to obtain, from the pre-saved sample set, a sample data packet set of any normal access process or a sample APT attack program; and either obtain, based on each first sample data packet of the network communication process simulated by reverse engineering or sandboxing of the sample APT attack program, the network feature information of each first sample data packet within each preset time granularity, aggregate the first sample data packets with the same traffic aggregation feature information into first sample data packet sets according to the preset time granularity, generate a first sample feature vector of the network features for each first sample data packet set, and set the first label information corresponding to each first sample data packet set as label information indicating that suspected APT attack behavior was detected; or obtain, based on each second sample data packet in the sample data packet set, the network feature information of each second sample data packet within each preset time granularity, aggregate the second sample data packets with the same traffic aggregation feature information into second sample data packet sets according to the preset time granularity, generate a second sample feature vector of the network features for each second sample data packet set, and set the first label information corresponding to each second sample data packet set as label information indicating that no suspected APT attack behavior was detected.
21. An electronic device, characterized in that it includes a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with each other via the communication bus, and the memory stores a computer program that, when executed by the processor, causes the processor to perform the steps of the advanced persistent threat (APT) attack behavior detection method according to any one of claims 1 to 10.
22. A computer-readable storage medium, characterized in that it stores a computer program executable by a processor which, when run on the processor, causes the processor to perform the steps of the advanced persistent threat (APT) attack behavior detection method according to any one of claims 1 to 10.
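The following is an added worked example of the two-layer pipeline described in paragraphs [0234] to [0236] and claimed in claims 1 to 3: packets are aggregated by their traffic aggregation features within each preset time granularity, a feature vector is computed per packet set and passed through a screening pass, and the packet sets that survive screening are turned into per-granularity sub-interaction spatiotemporal graphs (IP address, domain name and home location entities with connection features on the edges) that are joined in chronological order. This code was written for this page and is not the patent's or the assignee's implementation. The `screen` rule stands in for the trained screening model, `DNS_TABLE` and `GEO_TABLE` stand in for the operator's domain name and home location resolution data, and the packet records are constructed; all of these are assumptions.

```python
"""Added example (not from the patent): flow aggregation, screening and
interaction spatiotemporal graph construction following claims 1-3.
The screening rule, the lookup tables and the packets are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float       # capture timestamp in seconds
    src: str        # source IP address
    dst: str        # destination IP address
    proto: str      # transport-layer protocol
    app: str        # application-layer protocol
    dport: int      # destination port
    size: int       # bytes in the packet
    meta: str = ""  # metadata feature: HTTP path tag, DNS keyword or mail link


def flow_key(p, granularity):
    """Traffic aggregation features (claim 2) plus the time-granularity bucket."""
    return (int(p.ts // granularity), p.src, p.dst, p.proto, p.app, p.dport)


def aggregate(packets, granularity):
    """Group packets sharing the same aggregation features into packet sets."""
    sets = defaultdict(list)
    for p in packets:
        sets[flow_key(p, granularity)].append(p)
    return dict(sets)


def feature_vector(pkts):
    """Network features of one packet set: packet count, byte count, and the
    number of distinct metadata values carried."""
    metas = {p.meta for p in pkts if p.meta}
    return (len(pkts), sum(p.size for p in pkts), len(metas))


def screen(vec):
    """Stand-in for the trained screening model (an assumption, not the
    patent's model): flag repeated small packets that carry metadata."""
    count, nbytes, nmeta = vec
    return nmeta > 0 and count >= 3 and nbytes / count < 200


def build_subgraph(pkts, dns_table, geo_table):
    """One sub-interaction spatiotemporal graph (claim 3): IP, domain name and
    home location entities, with connection features on the IP-to-IP edges."""
    nodes, edges = set(), {}
    for p in pkts:
        for ip in (p.src, p.dst):
            nodes.add(("ip", ip))
            dom, loc = dns_table.get(ip), geo_table.get(ip)
            if dom:  # IP entity connected to its domain name entity
                nodes.add(("domain", dom))
                edges.setdefault((("ip", ip), ("domain", dom)), {"kind": "resolves"})
            if loc:  # IP entity connected to its home location entity
                nodes.add(("loc", loc))
                edges.setdefault((("ip", ip), ("loc", loc)), {"kind": "located"})
        e = edges.setdefault((("ip", p.src), ("ip", p.dst)),
                             {"kind": "connects", "packets": 0, "bytes": 0, "apps": set()})
        e["packets"] += 1
        e["bytes"] += p.size
        e["apps"].add(p.app)
    return nodes, edges


def build_spatiotemporal_graph(packets, granularity, dns_table, geo_table):
    """Two-layer pipeline: screen every packet set, build one sub-graph per time
    bucket from the flagged sets, and return the sub-graphs in time order."""
    by_bucket = defaultdict(list)
    for key, pkts in aggregate(packets, granularity).items():
        if screen(feature_vector(pkts)):
            by_bucket[key[0]].extend(pkts)
    return [(b, build_subgraph(by_bucket[b], dns_table, geo_table))
            for b in sorted(by_bucket)]


# Constructed sample traffic (documentation address ranges): a low-volume
# periodic HTTP channel from 10.0.0.5 and ordinary HTTPS browsing from 10.0.0.6.
SAMPLE_PACKETS = [
    Packet(0.0, "10.0.0.5", "203.0.113.7", "tcp", "http", 80, 120, "path=/update?id="),
    Packet(60.0, "10.0.0.5", "203.0.113.7", "tcp", "http", 80, 118, "path=/update?id="),
    Packet(120.0, "10.0.0.5", "203.0.113.7", "tcp", "http", 80, 121, "path=/update?id="),
    Packet(5.0, "10.0.0.6", "198.51.100.20", "tcp", "https", 443, 1400),
    Packet(6.0, "10.0.0.6", "198.51.100.20", "tcp", "https", 443, 1400),
    Packet(7.0, "10.0.0.6", "198.51.100.20", "tcp", "https", 443, 1400),
    Packet(400.0, "10.0.0.5", "203.0.113.7", "tcp", "http", 80, 119, "path=/update?id="),
    Packet(460.0, "10.0.0.5", "203.0.113.7", "tcp", "http", 80, 122, "path=/update?id="),
    Packet(520.0, "10.0.0.5", "203.0.113.7", "tcp", "http", 80, 120, "path=/update?id="),
]
# Constructed stand-ins for DNS resolution records and IP home-location lookups.
DNS_TABLE = {"203.0.113.7": "cdn-update.example", "198.51.100.20": "www.example.org"}
GEO_TABLE = {"10.0.0.5": "Site A", "10.0.0.6": "Site A",
             "203.0.113.7": "Region X", "198.51.100.20": "Region Y"}

if __name__ == "__main__":
    for bucket, (nodes, edges) in build_spatiotemporal_graph(SAMPLE_PACKETS, 300, DNS_TABLE, GEO_TABLE):
        print(f"bucket {bucket}: {len(nodes)} entities, {len(edges)} connections")
```

With a 300-second granularity the browsing flow is dropped by the screening pass, while the periodic HTTP channel survives in both time buckets, so the time sequence graph contains two sub-graphs, each with the two IP entities, the domain name entity of the destination and the two home location entities. In a real deployment the `screen` rule would be the trained screening model of claim 9 and the resulting sub-graph sequence would be the input to the detection model of claim 1.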