Computer Engineering and Applications, 2023, Vol. 59, Issue (18): 249-259. DOI: 10.3778/j.issn.1002-8331.2204-0239

• Network, Communication and Security •

APT Attack Detection Method Combining Dynamic Behavior and Static Characteristics

LIANG He, LI Xin, YIN Nannan, LI Chao   

  1. School of Information Network Security, People’s Public Security University of China, Beijing 100038, China
  2. First Research Institute of the Ministry of Public Security of PRC, Beijing 100048, China
  • Online: 2023-09-15 Published: 2023-09-15




Abstract: Network traffic from APT attacks is difficult to obtain, and simulated data is difficult to match with reality. To address this problem, this paper proposes an APT attack detection method that combines dynamic behavior and static characteristics. First, the Noriben sandbox is used to extract the process behavior, file behavior, registry behavior and network behavior of the software under test to build a dynamic behavior feature set; a Transformer-Encoder algorithm applied to this feature set identifies APT malware with an accuracy of 95.8%. Next, the identified APT malware is classified by organization: the DLLs (dynamic link libraries) and APIs (application programming interfaces) called by the software are extracted and combined into features of the form DLL:API. Applying a 1D-CNN (one-dimensional convolutional neural network) algorithm to APT malware organization classification reaches an accuracy of 98.7%, which is 5 percentage points higher than the previous method. Finally, a comparison with the experimental results of popular deep learning and machine learning algorithms shows that the accuracy of this method is greatly improved over the other methods.

Key words: advanced persistent threat (APT) attack, dynamic behavior, static characteristics, Transformer-Encoder, one-dimensional convolutional neural networks (1D-CNN)
