关键词: APT攻击, 网络特征, 降维, [k]-means++, 区分度

Abstract: By studying the defense scheme of APT attacks, this paper proposes an effective network feature filtering algorithm based on [k]-means++ clustering to deal with the problem of high dimensionality of network features which extracted from APT samples. Firstly, this algorithm divides the original feature set into APT traffic feature set and normal traffic feature set by the clustering method. Then, it calculates the degree of variation of clustering performance after removing a certain dimension feature. Finally, the degree of discrimination of the feature vector is evaluated according to the result. Among them, the effective feature vector is whose discrimination degree exceeds the set threshold. The purpose of this paper is to filter out the effective features from the extracted original feature sets. In this way, it can reduce the dimensionality of the features so as to reduce the space-time overhead of subsequent threat intelligence formation and detection. The experimental results show that the proposed algorithm is feasible and has some advantages over other filtering algorithms.

Key words: APT attack, network features, dimension reduction, [k]-means ++, discrimination