APT Attack Detection Method Combining Dynamic Behavior and Static Characteristics

doi:10.3778/j.issn.1002-8331.2204-0239

Abstract

Abstract: Aiming at the problem that the network traffic of APT attack is difficult to obtain and the simulated data is difficult to match with the reality, this paper proposes an APT attack detection method based on the combination of dynamic behavior and static characteristics. Firstly, Noriben sandbox is used to extract the process behavior, file behavior, registry behavior and network behavior of the software to be tested to build a dynamic behavior feature set. The accuracy of identifying APT malware based on Transformer-Encoder algorithm is 95.8%. Then this paper classifies the identified APT malware, extracts the DLL（dynamic link library）and API（application programming interface）called by the software, and combines them into the characteristic form of DLL： API. The accuracy of applying 1D-CNN（one dimensional convolutional neural networks） algorithm to APT malware organization classification has reached 98.7%, which is 5 percentage points higher than the previous method. Finally, compared with the experimental results of popular deep learning algorithms and machine learning algorithms, the data show that the accuracy of this method is greatly improved compared with other methods.

Key words: advanced persistent threat（APT） attack, dynamic behavior, static characteristics, Transformer-Encoder, one dimensional convolutional neural networks（1D-CNN）

摘要： 针对APT攻击网络流量难以获得，模拟的数据与现实又很难匹配的问题，提出了一种基于动态行为和静态特征结合的APT攻击检测方法。采用Noriben沙箱提取待测软件的进程行为、文件行为、注册表行为和网络行为构建动态行为特征集，基于Transformer-Encoder算法识别APT恶意软件的准确率达到了95.8%。对识别出的APT恶意软件进行组织分类，提取软件调用的DLL（dynamic link library）和API（application programming interface），并组合成DLL：API的特征形式，将1D-CNN（one dimensional convolutional neural networks）算法应用于APT恶意软件组织分类的准确率达到了98.7%，比之前的方法提高了5个百分点。与热门的深度学习算法和机器学习算法的实验效果做对比，数据表明，提出的方法相比其他方法，准确率有较大提升。

关键词: 高级持续性威胁（APT）攻击, 动态行为, 静态特征, Transformer-Encoder, 1D-CNN

LIANG He, LI Xin, YIN Nannan, LI Chao. APT Attack Detection Method Combining Dynamic Behavior and Static Characteristics[J]. Computer Engineering and Applications, 2023, 59(18): 249-259.

梁鹤, 李鑫, 尹南南, 李超. 结合动态行为和静态特征的APT攻击检测方法[J]. 计算机工程与应用, 2023, 59(18): 249-259.

References

[1] NAVARRO J，DERUYVER A，PARREND P.A systematic survey on multi-step attack detection[J].Computers & Security，2018，76（7）：214-249.
[2] KUSHNER D.The real story of stuxnet[J].IEEE Spectrum，2013，50（3）：48-53.
[3] USSATH M，JAEGER D，CHENG F，et al.Advanced persistent threats：behind the scenes[C]//2016 Annual Conference on Information Science and Systems（CISS），2016.
[4] ALSHAMRANI A，MYNENI S，CHOWDHARY A，et al.A survey on advanced persistent threats：techniques，solutions，challenges，and research opportunities[J].IEEE Communications Surveys & Tutorials，2019，21（2）：1851-1877.
[5] XUAN C D，DAO M H.A novel approach for APT attack detection based on combined deep learning model[J].Neural Computing and Applications，2021，33（20）：13251-13264.
[6] NIU W N，XIAO J A，ZHANG X Y，et al.Malware on Internet of UAVs detection combining string matching and fourier transformation[J].IEEE Internet of Things Journal，2020，8（12）：9905-9919.
[7] YAN G H，LI Q，GUO D，et al.Discovering suspicious APT behaviors by analyzing DNS activities[J].Sensors，2020，20（3）：731.
[8] LUH R，MARSCHALEK S，KAISER M，et al.Semantics-aware detection of targeted attacks： a survey[J].Journal of Computer Virology & Hacking Techniques，2017，13（1）：47-85.
[9] SHANG L，GUO D，JI Y，et al.Discovering unknown advanced persistent threat using shared features mined by neural networks[J].Computer Networks，2021，189（2）：107937.
[10] LIU H，WU T，SHEN J，et al.Advanced persistent threat detection based on generative adversarial networks and long short-term memory[J].Computer Science，2020，47（1）：281-286.
[11] XUAN C D.Detecting APT attacks based on network traffic using machine learning[J].Journal of Web Engineering，2021，20（1）.
[12] LI M，LI Q，XUAN G，et al.Identifying compromised hosts under APT using DNS request sequences[J].Journal of Parallel and Distributed Computing，2021，152（1）.
[13] DAMODARAN A，TROIA F D，VISAGGIO C A，et al.A comparison of static，dynamic，and hybrid analysis for malware detection[J].Journal of Computer Virology & Hacking Techniques，2015，13（1）：1-12.
[14] NG C K，JIANG F，ZHOU W L，et al.Static malware clustering using enhanced deep embedding method[J].Concurrency and Computation：Practice and Experience，2019，31（19）.
[15] LIU J，SHEN Y，YAN H.Functions-based CFG embedding for malware homology analysis[C]//2019 26th International Conference on Telecommunications（ICT），2019.
[16] ZHENG R，WANG Q，FU J，et al.A novel malware classification model based on deep learning[J].Journal of Cyber Security，2019，5（1）：1-9.
[17] 周杨，芦天亮，杜彦辉，等.基于线程融合特征的Windows恶意代码检测与分析[J].计算机工程与应用，2020，56（23）：103-108.
ZHOU Y，LU T L，DU Y H，et al.Detection and analysis of Windows malicious code based on thread fusion feature[J].Computer Engineering and Applications，2020，56（23）：103-108.
[18] DARABIAN H，HOMAYOUNOOT S，DEHGHANTANHA A，et al.Detecting cryptomining malware：a deep learning approach for static and dynamic analysis[J].Journal of Grid Computing，2020，18（4）.
[19] HAN W J，XUE J F，WANG Y，et al.MalInsight：a systematic profiling based malware detection framework[J].Journal of Network and Computer Applications，2019，125：236-250.
[20] LAURENZA G，ANIELLO L，LAZZERETTI R，et al.Malware triage based on static features and public APT reports[C]//International Conference on Cyber Security Cryptography and Machine Learning，2017：288-305.
[21] 沈元，严寒冰，夏春和，等.一种基于深度学习的恶意代码克隆检测技术[J].北京航空航天大学学报，2022，48（2）：282-290.
SHEN Y，YAN H B，XIA C H，et al.Malicious code clone detection technology based on deep learning[J].Journal of Beijing University of Aeronautics and Astronautics，2022，48（2）：282-290.
[22] SEXTON J，STORLIE C，ANDERSON B.Subroutine based detection of APT malware[J].Journal of Computer Virology & Hacking Techniques，2016，12：225-233.
[23] FRIEDBERG I，SKOPIK F，SETTANNI G，et al.Combating advanced persistent threats：from network event correlation to incident detection[J].Computers & Security，2015，48（7）：35-57.
[24] HAN W.APT malinsight：identify and cognize APT malware based on system call information and ontology knowledge framework[J].Information Sciences，2020，546：633-664.
[25] KAO D Y，HSIAO S C，TSO R.Analyzing WannaCry ransomware considering the weapons and exploits[C]//2019 21st International Conference on Advanced Communication Technology（ICACT），2019：1098-1107.
[26] LIANG H，LI C，LI X，et al.APT malware classification method based on feature fusion[C]//2021 International Conference on Computer Information Science and Artificial Intelligence（CISAI），2021：456-462.
[27] KUMAR S，MISHRA D，SHUKLA S K.Android malware family classification：what works-API calls，permissions or API packages?[C]//2021 14th International Conference on Security of Information and Networks（SIN），2021：1-8.
[28] KIM J，LEE S.Malicious behavior detection method using API sequence in binary execution path[J].Tehni?ki Vjesnik，2021，28（3）：810-818.
[29] VASWANI A，SHAZEER N，PARMAR N，et al.Attention is all you need[C]//Proceedings of the 31st International Conference on Neural Information Processing Systems.New York：ACM，2017：5998-6008.