Optimization of APT attack detection based on a model combining ATTENTION and deep learning

Abstract

Nowadays, early detecting and warning Advanced Persistent Threat (APT) attacks is a major challenge for intrusion monitoring and prevention systems. Current studies and proposals for APT attack detection often focus on combining machine-learning techniques and APT malware behavior analysis techniques based on network traffic. To improve the efficiency of APT attack detection, this paper proposes a new approach based on a combination of deep learning networks and ATTENTION networks. The proposed process for APT attack detection in this study is as follows: Firstly, all data of network traffic is pre-processed, and analyzed by the CNN-LSTM deep learning network, which is a combination of Convolutional Neural Network (CNN) and Long Short Term Memory (LSTM). Then, instead of being used directly for classification, this data is analyzed and evaluated by the ATTENTION network. Finally, the output data of the ATTENTION network is classified to identify APT attacks. The optimization proposal for detecting APT attacks in this study is a novel proposal. It hasn’t been proposed and applied by any research. Some scenarios for comparing and evaluating the method proposed in this study with other approaches (implemented in section 4.4) show the superior effectiveness of our proposed approach. The results prove that the proposed method not only has scientific significance but also has practical significance because the model combining deep learning with ATTENTION network has helped improve the efficiency of analyzing and detecting APT malware based on network traffic.

Keywords

APT APT attack detection Network traffic Abnormal behavior Deep Learning attention

1 Introduction

1.1 Problem

The APT attack is an advanced, persistent, and targeted attack technique [1 –3]. The superiority of this attack technique is expressed in its characteristics, process, and life cycle [1 –3]. Most of the APT attack campaigns are supported by government organizations with human and material resources. Therefore, most of the key agencies, government organizations of countries in the world are the targets of this attack technique. According to statistics [4], the APT attack is in the top of the most current dangerous cyber-attack techniques in the world. Besides, according to assessments [5, 6], in the future, this attack technique will increasingly develop in both scale and danger level. Therefore, the problem of early detecting and warning this attack campaign is very necessary.

Studies [1 , 7–15] listed several approaches for APT attack detection based on its characteristics, process, and life cycle. Especially, in order to detect signs of APT attack, the approaches often focus on seeking, analyzing, and evaluating signs and behaviors of APT malware based on network datasets using machine learning techniques. According to studies [2, 16], some experimental datasets that could be applied for analysis are Web log, DNS log, and network traffic. In particular, the network traffic dataset is considered to be a good dataset for APT attack detection because this dataset has recorded many signs and behaviors of APT attacks [1, 2].

Studies [9 , 17] pointed out the difference between the APT attack and other cyber-attack techniques. This difference causes many difficulties and challenges for systems to detect and monitor this attack type. Besides, studies [9, 17] presented some difficulties and challenges in detecting APT attacks using machine learning and deep learning such as the lack of public data of APT attacks, the imbalance in monitoring data, the difficulty of identifying behaviors of APT attacks, etc. To resolve these problems, studies [1, 18] proposed some different methods and approaches including Anomaly Detection, Pattern Matching, and Graph Analysis. These approaches and proposals gave good effects. However, because monitoring data is increasingly abundant and diverse, must need some changes in processing and analysis to accommodate the current APT detection task. Two main problems for detecting APT attacks that need to be improved include [18]:

The way of identifying abnormal behaviors: Because APT attacks often use separate technologies and malwares to exploit and attack the target. Therefore, it is difficult to find features and behaviors of the APT attack to classify it with other attacks or with normal access. The previous approaches [19 –24] often try to find ways to extract behaviors of APT based on DNS logs, network traffic. However, since the APT attack is designed for each specific purpose and target, using behaviors of a specific attack campaign as a basis for detecting other attack campaigns is ineffective. In addition, in order to extract features of APT attacks, it often requires a very large dataset collected over a long period of time so it is very difficult to extract these features.

Detection method: To detect and classify APT attacks, research directions often apply 2 main techniques: machine learning and deep learning [1 , 25]. Machine learning algorithms have the advantage of requiring less processing time and accuracy. However, these algorithms often have difficulty when monitoring large datasets. Therefore, using deep learning algorithms is a possible approach for this problem. However, we noticed that although the deep learning algorithms have yielded good results, they still have some disadvantages that need to be resolved such as the ability to remember time series, the focus on important information, etc [25 –29]. This causes the low efficiency of some detection methods.

To fix the above 2 problems, this paper proposes a method of combining the CNN-LSTM deep learning network with the ATTENTION network (CNN-LSTM-ATTENTION) to analyze and detect behaviors of APT attacks based on network traffic. In particular, the proposed approach will find ways to solve problems that we think need to be optimized as follows:

Regarding the problem of “Identifying abnormal behavior": In this paper, in the process of selecting and extracting features of APT attacks in network traffic, instead of trying to look for abnormal behaviors and features of APT attacks, this study proposes to use the statistical features of the flow, and then use the CNN-LSTM-ATTENTION model to calculate, process, and synthesize it into IP features. With this approach, this study could not only solve the difficulty of defining abnormal behaviors but also fix the problem of extracting features of ATP attacks.

Regarding the problem “Detection method": We noticed that although the CNN-LSTM deep learning model has partly solved the ability to remember time series, it often encounters the problem of losing important information. The reason is that when processing a long time series, due to the characteristics of the deep learning model, the back information has priority over the front information, but in reality important information may appear anywhere in the time series. Therefore, using the CNN-LSTM-ATTENTION model could improve this problem by calculating the mean of hidden states of all time steps (Attention 2) or calculating the mean of hidden states combining multiple inputs (Attention 1). With this approach, this study will find and synthesize a lot of important information of IPs in network traffic, thereby not only improving the efficiency of the APT attack detection process but also reducing false detection.

1.2 Contributions

In order to optimize the detection of APT attacks in the system, in this study, we have proposed some new scientific features as follows:

Proposing the CNN-LSTM-ATTENTION model for the task of synthesizing, analyzing, evaluating, and detecting APT IPs. This proposed model has many practical meanings because the process of normalizing, processing, extracting features, and classifying is carried out through many different networks and layers. The output of the preceding network is the input of the next network. It forms a continuous and synchronous computational system. This requires a complex process of pre-processing data, installing, and computing. The CNN-LSTM-ATTENTION model is a new model that has not been proposed by any research. Therefore, successfully proposing this model for the task of optimizing APT attack detection has many scientific meanings.

Proposing architecture of the ATTENTION 1 network and the ATTENTION 2 network for the task of finding and synthesizing important information of IP, thereby improving the efficiency of classifying APT IPs as well as normal IPs. In this paper, we have proposed the architecture of two ATTENTION models. In which, ATTENTION 1 network has the ability to highlight important information of IP based on the process of calculating the mean of hidden states combining multiple inputs. The ATTENTION 2 network highlights important information by calculating the mean of hidden states of all time steps. From the 2 architectures of the ATTENTION network proposed in the paper, we have provided several ATTENTION networks to choose for the task of optimizing both APT attack detection and network anomaly detection.

2 Related work

Chu et al. [28] conducted an experiment to detect APT attacks based on the NSL-KDD dataset using Multilayer Perceptron (MLP) and Support Vector Machine (SVM) algorithms. During the experiment, the authors changed some parameters in the kernel of the two algorithms. The MLP model yielded better APT attack detection results in some specific cases. Similar to Chu’s approach [28], Nkiruka Eke [30] used the KDD 99 dataset for APT attack detection based on deep learning algorithms such as LSTM, Recurrent Neural Networks (RNN), Gated Recurrent Unit (GRU). In the study, Joloudari [31] proposed to use the C5.0 Decision Tree, Bayesian network, and deep learning algorithms for detecting APT attacks based on the NSL-KDD dataset. The experimental results showed that the 6-layers deep learning algorithm gave better results than the C5.0 Decision Tree and Bayesian network algorithms. The accuracy of these three methods was 98.85%, 95.64%, 88.37%, respectively. In addition, the 6-layers deep learning algorithm proposed by the author was also highly effective (the error is only 1.13%). Likewise, Cosimo [32] proposed the Autoencoder network for detecting cyber-attack based on the NSL-KDD dataset. In the experimental section, the Autoencoder network showed superiority compared to other models and algorithms in the APT attack detection task. However, we found that the NSL-KDD and KDD 99 datasets were standardized and balanced in the amount of clean data and attack data. If the authors have used the Random Forest algorithm, the result would have been higher than the authors’ proposed deep learning algorithms. Besides, Branka’s research [2] demonstrated that using the KDD 99 dataset for the APT attack detection task has no longer been appropriate for actual demands. In addition, in the study Sai Charan et al. [33], also proposed to use the LSTM network model for detecting APT attacks in banking systems based on Security Information and Event Management systems. In particular, the team [33] used the big data technology platform to implement the idea of using the LSTM model for APT attack detection based on each its development stage. The experimental section evaluated the effectiveness of the LSTM model for APT attack detection by calculating the time for processing and detecting attacks based on the experimental dataset division process.

On the other hand, Yan [19] proposed the idea of detecting APT Domains based on the CNN deep learning model. Specifically, the author proposed 3 abnormal behavior groups of APT Domains based on DNS requests: Domain Name-based Features; Feature of the Relationship between DNS Request Behavior and Response Behavior; Feature of the Relationship between DNS Request Behavior and Response Behavior from a dataset consisting of 4,907,147,146 pieces of initial data of 47 days DNS request records of Jilin University Education Network. Experimental results showed that this model had a relatively high efficiency when it gave results in the range of 96%to 97%. With the same approach, Zongyuan [21] proposed a method to detect C&C APT domains based on DNS logs at mobile devices and PCs based on 9 abnormal behaviors and using different machine learning and deep learning algorithms.

In addition, Hofer-Schmitz et al. [34] presented the optimal method for APT IP detection based on the CICIDS2017 dataset. Specifically, in their research, the authors used the PCA algorithm to reduce the flow feature dimension from 76 to 66 and then divided the dataset into 3 groups for processing and analyzing each data group.

In the study Bodström et al. [27], proposed a deep learning model combining many different models and algorithms. Each layer has the function of aggregating and analyzing features. The output of this layer serves as an input to the following layers. With this combination, according to the team’s analysis, it could take advantage of deep learning algorithms in the task of analyzing and aggregating features.

Cho et al. [16] proposed an APT attack detection method using combined deep learning. Accordingly, in their research, the authors proposed a deep learning model based on the combination of the Bidirectional Long Short-Term Memory (BiLSTM) and Graph Convolutional Networks (GCN) (BiLSTM-GCN) models and applied some basic deep learning models such as MLP, GCN to monitor and detect APT attacks based on network traffic. Experimental results showed that the BiLSTM-GCN model gave the highest efficiency on all measures compared to other deep learning models.

Along with the idea of Cho [17], studies [25, 35] proposed the idea of applying the CNN-LSTM combined deep learning model for the feature extraction task to detect network anomaly based on the CICIDS2017 dataset. During the experiment, Pengfei [35] compared his proposed method with some other methods and found that CNN-LSTM deep learning model gave the best results on all measurements.

3 The proposed model

3.1 The model architecture

Figure 1 shows the multi-layer model for APT attack detection based on Network Traffic.

Fig. 1

The APT attack detection model using the CNN-LSTM-ATTENTION model.

Figure 1 illustrates an APT detection method based on the flow network using the CNN-LSTM-ATTENTION model. Specifically, the proposed model includes the following components:

Network traffic: The data on Network traffic used in this paper includes the normal network traffic data collected at the e-government server in the topic KC.01.05/16-20 of the Ministry of Science and Technology of Vietnam [36]. Network traffic data of APT attacks is selected and collected from APT attack campaigns around the world.

Feature Extraction phase: this process includes the following steps:

Feature extraction flow: At this stage, the entire network traffic is analyzed into the network flows by CICFlowMeter [37] tool. These flows are then grouped by pair of source IP (SrcIP) and destination IP (DstIP) addresses. For the flow feature extraction phase, the flows clustered in pairs of SrcIP and DstIP are analyzed and extracted into different features. These features represent the difference between flows in each SrcIP and DstIP pair.

Representing IP information: Represents SrcIP information by a single vector from the network flow grouped in the Feature extraction flow process.

IP feature extraction: In this step, the vectors synthesized in the step “Representing IP information” are put into the CNN-LSTM-ATTENTION model to extract the IP features. Here, 2 different ATTENTION networks are proposed to optimize this process.

Training phase: The process of classifying the IPs uses features that are extracted at the previous stage and are represented in the vector form. Models of this paper use a Softmax Regression network to calculate the probability of falling in a specific class of the input IP and then compare it with the real label to optimize the network parameters using the Adam optimizer.

Testing phase: This is the process of using the complete CNN-LSTM-ATTENTION model obtained in the training phase to predict whether an IP is normal or APT with the input and output described above.

3.2 Proposing to link the combined deep learning model with attention networks

The ATTENTION network is one of the most interesting models in the deep learning field. In the study Shi Feng et al. [39], first proposed to use the ATTENTION network for the machine translation problem. Jiachen [40] proposed to apply Attention to the task of text classification. We noticed that in studies [39 –41], ATTENTION models were proposed as a computational block in some models such as CNN, RNN, LSTM. This paper proposes to use ATTENTION models for the task of extracting features and classifying APT attacks. The proposed ATTENTION models operate independently and do not participate in the calculation and synthesis process of the CNN-LSTM model. With such an approach, we think that the ATTENTION model will synthesize more important and meaningful features. The next sections of the paper will present the architecture and process of the CNN-LSTM-ATTENTION models in detail.

3.2.1 Proposing the CNN-LSTM-ATTENTION 1 model

Proposing architecture of the CNN-LSTM-ATTENTION 1 model

Figure 2 shows the architecture of the proposed CNN-LSTM- ATTENTION 1 model for the APT attack detection. From Fig. 2, seeing that our model is a combination of 3 main components including the CNN deep learning network, the LSTM deep learning network, and the ATTENTION network. This paper has found a way to combine and standardize these networks together to form a unified model for the task of extracting features and classifying IP based on network traffic. Details of the main components in the CNN-LSTM-ATTENTION 1 model are as follows:

Fig. 2

The architecture of the CNN- LSTM-ATTENTION 1 linking model.

Part 1: CNN Network: As is known, CNN includes a set of basic layers including convolution layer, nonlinear layer, and fully connected layer. These classes are linked together in a certain order which depends on the designed architecture and the intended use of the model. The detailed structure of CNN as well as the terms (stride, padding, MaxPooling) are presented in detail in papers [42, 43]. This paper proposes to apply the CNN model to extract features of multiple flows and combine them, instead of using only individual flow objects for study. In which we use the ReLU activation function (4). $f (x) = \max (0, x)$ (1)

Part 2: LSTM network: Regarding LSTM deep learning network, in research [42], Sepp Hochreiter and Jurgen Schmidhuber introduced in detail the idea, architecture, and mathematical basis of the LSTM network. The LSTM is designed to avoid the problem of long-term dependency. By relying on gates such as forget gate, input gate, LSTM could remember and extract information for even long-duration data. The key of LSTM is the cell state, which is a conveyor-like form that runs through all the network nodes and only has a slight linear interaction. Therefore, the information could be easily passed without fear of change. Figure 3 describes in detail the structure of a basic memory cell in an LSTM network with four gates with different duties.

Fig. 3

The architecture of the CNN- LSTM-ATTENTION 1 linking model.

The study [44] presented and defined the parameters and operation process of the LSTM network in detail. This paper uses this model to find ways to aggregate and extract IP features based on the flow network.

Part 3: The ATTENTION 1 network: From Fig. 2, seeing that the architecture of the ATTENTION 1 network that we use includes the following processing blocks:

Blocks Q, V, K are the weight matrices combined from the output matrix and the coefficient matrix for linear transformations, respectively. The processing inside blocks Q, V, K is presented by the formula (2).

$Q = W_{f} H, V = W_{h} H, K = W_{g} H$ (2)

Where: W_f, W_h, W_g are the coefficient matrices for linear transformations; H is the output matrix of the CNN-LSTM model. The matrix H is defined as follows (3): $H = (\begin{matrix} h_{1, 1} & \dots & h_{1, n} \\ ⋮ & ⋱ & ⋮ \\ h_{m, 1} & \dots & h_{m, n} \end{matrix})$ (3)

Where: m is the size of the feature extracted from the CNN model, n is the size of the LSTM network.

Score block is used to recalculate the weight of the entire matrix in blocks Q, K. The calculation process is performed according to formula (4).

$C = softmax (\frac{{QK}^{T}}{\sqrt{d}})$ (4)

In which, the formula of the softmax function is defined and described in detail in the study [46], in which d is the selected constant to divide the data that is presented in the study [47]. The softmax function is calculated with n corresponding to the size of the LSTM network.

Aggregation block: The Aggregation block has the function of calculating the sum of the weights of the matrices. The weighted synthesis method of the matrix is described by the formula (5).

$M = C * V$ (5)

Where: matrix C is the weight matrix synthesized according to formula (4). The result of this block is a matrix M representing fully the features and characteristics of the input data and the weights. Next, the matrix M is put into the classification model to conclude about the APT attack.

Part 4: Classification Block: A classification block is used to classify frames and IPs. For the process of classifying frames, Softmax Regression is only responsible for calculating the probability of falling into the classes of the input frame, but not making sense in the feature extraction process. The frame is assigned to the class that it has the highest probability of falling in. General formula of Softmax Regression function is detailed in the document [45]. The IP classification process relies on the results of the frame classification. Accordingly, for each IP, we evaluate how many APT frames and normal frames that the IP sent, then use the frame type that appears most often to decide the label of the IP. The IP classification algorithm is described as in Algorithm 1 in section b (APT attack detection process using the CNN-LSTM-ATTENTION 1 model).

b) APT attack detection process using the CNN-LSTM-ATTENTION 1 model

Algorithm 1. IP classification
Input: The set of classified frames F and the set of IP I
Output: The class set consists of classes of IPs
for each frame(f) in F do:
if frame(f) là APT:
APT[SrcIP] + = f
else:
Normal[SrcIP] + = f
end
for each IP(i) in I do:
if APT[SrcIP] > Normal[SrcIP]:
class[i] = APT
else:
class[i] = Normal
end
end

From Fig. 2, seeing that the CNN-LSTM-ATTENTION 1 model is divided into 3 main stages:

Stage 1: Aggregating and extracting IP features based on flow using CNN-LSTM. Specifically, the two main steps in phase 1 are as follows:

Step 1: Build a frame based on network flow: Firstly, the flows of the same IP are grouped into a group, then they are divided into several small groups with the same size of 50 flows (called frames).

Step 2: Extracting the IP feature based on frame: In this step, the flow groups are processed by the CNN and LSTM layers in turn to extract abnormal behaviors of the IPs. The result of step 2 is the feature vectors of the frames.

Stage 2: Highlighting important features and values of frames using the ATTENTION 1 network. At this stage, a feature vector of a frame is put into the ATTENTION 1 network to search and highlight the important features, instead of averaging like other classification methods. Specifically, the processing process of the ATTENTION 1 network is described in detail in step 3 below.

Step 3: Feature evaluation: The task of this step is to highlight important IP features by using the ATTENTION 1 network with the block-processing techniques discussed in the section 3.2.1. Accordingly, after the frame networks are processed and calculated through the CNN-LSTM model, we keep all the hidden states of the network by flexibly combining processing blocks including Q, K, V, score, aggregation blocks. Thus, the ATTENTION 1 network helps to generate an output vector in which IP features are synthesized and highlighted through processing and evaluating frame networks. At this point, we noticed that there is a huge difference between the output of the CNN-LSTM model and the output of the ATTENTION 1. In particular, the output of CNN-LSTM is a vector in which the features near the end are extracted and stored more than the previous features (due to the influence of the LSTM network). The output of the network ATTENTION 1 is a vector containing features collected based on the entire input data, in which the important features can appear in any position.

Stage 3: Detecting APT attack. This is the final stage of the CNN-LSTM-ATTENTION model 1. To detect APT IPs, this phase performs 2 steps as follows:

Step 4: Frame classification: After the frames are processed through the CNN-LSTM network and are aggregated through the ATTENTION 1 network, they are further processed and classified through a Softmax Classifier to determine normal frames and APT frames.

Step 5: IP classification: Thus, after being classified by the CNN-LSTM-ATTENTION model, these frames are used as input data for IP classification. The IP classification process is described in the algorithm below.

3.2.2 The CNN-LSTM-ATTENTION 2 model

Proposing architecture of the CNN-LSTM-ATTENTION 2 model

From Fig. 4, seeing that the architecture of the CNN-LSTM-ATTENTION 2 model has 4 main blocks: the CNN network, the LSTM network, the ATTENTION 2 network, and the classification block. Processing the CNN and LSTM deep learning networks, and the classification block in this model is similar to in the CNN-LSTM-ATTENTION 1 model. The only difference is in the processing blocks inside the ATTENTION 2 network. Accordingly, the processing components in the network ATTENTION 2 are as follows:

Fig. 4

The architecture of the CNN- LSTM-ATTENTION 2 model.

Score block: The purpose of the score block is the same as in the ATTENTION 1 network. However, for the ATTENTION 2 network, there is a difference in the computation and processing. Accordingly, the calculation formula of the score block is presented as formula (6):

$S = Y * \tanh (W * H^{T})$ (6)

In the above formula, W is a 2-dimensional initial weight matrix with size dxn (d is arbitrarily set, n is the size of the LSTM network); Y is a weight vector with size d, H is the matrix defined in formula (3).

Softmax function: From formula (6), seeing that the vector S only extracts a specific component of the input data. Therefore, S could not fully represent the important features of the data. To solve this problem, we propose to aggregate all S vectors in the Score block by the Softmax block. The calculation formula of the Softmax block is defined as follows (7):

$C = softmax (X * tanh (W * H^{T}))$ (7)

Where: X is a 2D matrix with size mxd; m is the size of the CNN model.

Feature aggregation block: The aggregation function has the function of summing the weights of the matrices, in which matrix C is the weight matrix synthesized at the softmax block; matrix H is the input matrix defined by formula (3). The formula for calculating and aggregating weights of the matrix is described by formula (8).

$M = C * H$ (8)

From formula 8, it can be seen that the result of the feature aggregation block is a matrix that fully represents features of the entire input representation. Next, this block is put into the classification model to determine signs of APT attacks. The processing of the classification block is presented in detail in the ATTENTION 1 model.

b) APT attack detection process using the CNN-LSTM-ATTENTION 2 model

The processing and calculation process to detect APT using CNN-LSTM-ATTENTION 2 model is similar to the process using CNN-LSTM-ATTENTION 1 model. There is only one difference in the processing of the ATTENTION 2 network. Accordingly, instead of using the ATTENTION 1 network to synthesize and highlight important information, the ATTENTION 2 network is used to minimize the loss of important and significant information by calculating the mean of weights of all features after these features have been processed by the CNN-LSTM model. With this approach, features are averaged and aggregated into vectors that contain all the important information and components of IPs in frames. Then, the output vectors of the ATTENTION 2 network are put into the Softmax Classifier to classify APT and normal frames. Finally, the frames containing APT or normal flows are used to classify normal IPs and APT IPs. This whole process is presented in step 4 and step 5 in section 3.2.1 of the paper.

4 Experiment and evaluation

4.1 Experimental dataset

The positive experimental data (attack data) was collected from 29 Network Traffic files in the Malware Capture CTU-13 data set which contains 6 types of malwares from the APT attacks, including Andromeda, Colbalt, Cridex, Dridex, Emotet, and Gh0stRAT [47].

The negative experimental data (normal data) was collected from E-Government server of Soc Trang province [48] according to the scientific research project N° KC.01.05/16-20 of the Ministry of Science and Technology of Vietnam. This dataset was collected on July 30, 2019.

The Table 1 shows the statistic of experiment data which we collected and used in this paper.

Table 1
Components of experimental dataset

N° Type Total Malicious Normal

1 Flows 3.068.915 871.914 (28.5%) 2.197.001 (71.5%)

2 IP 1690 118 (7%) 1572 (93%)

N°	Type	Total	Malicious	Normal
1	Flows	3.068.915	871.914 (28.5%)	2.197.001 (71.5%)
2	IP	1690	118 (7%)	1572 (93%)

4.2 Experimental scenarios

For the dataset: The dataset is divided into 2 parts for the training and testing process. The training dataset accounts for 80%and the testing dataset accounts for 20%.

With the evaluation scenario, we conduct evaluating the model with the following 3 scenarios:

Scenario 1. Without using the ATTENTION network. With this scenario, we want to clarify the role of the ATTENTION network in the task of aggregating and highlighting important features and behaviors of IP based on the flow network. This scenario answers the questions, “Why is the ATTENTION network used after deep learning models? Why not use other networks?” Thus, with this scenario, this study conducts experiments to detect APT attacks using deep learning models without using the ATTENTION network. This approach has been proposed in some other studies such as CNN-LSTM [25, 35], LSTM [33].

Scenario 2. Comparing and evaluating the model with other deep learning networks. The purpose of scenario 2 is to answer the question, “How is the CNN-LSTM-ATTENTION model more effective than other classification models?” To answer this question, this study conducts experiments with some other deep learning models: Autoencoder proposed in [32] and MLP proposed in [28].

Scenario 3. Using the CNN-LSTM-ATTENTION model for the APT attack detection task. In this scenario, this study compares and evaluates the two proposed ATTENTION models. This scenario answers the question, “Which ATTENTION model is more effective for the task of synthesizing and highlighting important information?"

4.3 Installation requirements and classification measures

4.3.1 Installation requirements

Software requirements: Python version 3.6, Tensorflow 2.0, Ubuntu 18.04. Hardware requirements: RAM 32 GB; CPU Intel Core i5-7500 CPU @3; 4 GHz; GPU Tesla K80.

4.3.2 Classification measures

The following measures will be used in this paper to evaluate the accuracy of models: $accuracy = \frac{TP + TN}{TP + TN + FP + FN} \times 100$ (9) $precision = \frac{TP}{TP + FP} \times 100$ (10) $Re call = \frac{TP}{TP + FN} \times 100$ (11) $F 1 = \frac{2 \times precision \times Re call}{precision + Re call}$ (12)

In which:

TP - True positive: The number of malicious samples classified correctly.

FN - False negative: The number of malicious samples classified as normal.

TN - True negative: The number of normal samples classified correctly.

FP - False positive: The number of normal samples classified as malicious.

4.4 Results and discussion

4.4.1 Experimental results of scenario 1

a) Experimental results of detecting APT attacks using LSTM model

Table 2 below shows the experimental results when we apply LSTM algorithm [33] for APT attack detection.

Table 2
Results of detecting APT attacks using LSTM algorithm [33]

N. of LSTM Evaluation of frame Evaluation of IP

Acc Pre Rec F1 Acc Pre Rec F1

2 0.857 0.957 0.475 0.635 0.966 0.714 0.428 0.535

3 0.874 0.941 0.557 0.620 0.973 0.9375 0.4285 0.588

4 0.858 0.9761 0.475 0.635 0.970 0.833 0.4285 0.566

N. of LSTM	Evaluation of frame	Evaluation of IP
2	0.857	0.957	0.475	0.635	0.966	0.714	0.428	0.535
3	0.874	0.941	0.557	0.620	0.973	0.9375	0.4285	0.588
4	0.858	0.9761	0.475	0.635	0.970	0.833	0.4285	0.566

With the results in Table 2, seeing that the accuracy of the flow and IP classification task has changed continuously and irregularly on most metrics when increasing the LSTM model complexity. For frame classification results, with the overall Accuracy score from 85.7%to 87.4%, it can be seen that the LSTM model seems to be effective in the flow classification process. However, with an imbalanced dataset, the Accuracy score could be highly pushed up if the model predicts all IPs belong to Normal class (because the number of Normal IPs accounts for a large rate in total IPs). Thus, this study evaluates experiment results of models with a more stable measure - F1 score. With F1 score, the LSTM network gave flow classification results ranging from 47%to 56%. These are relatively low results and do not bring much meaning in the application process in reality (this result is unacceptable because it has no practical significance). Because the flow classification result was not high, this has a great influence on the IP classification process. The LSTM model was not actually effective in the task of detecting APT attacks since its best result was only 58.8%. This is an easily predictable result because the model did not work well in the flow classification, so the result of the IP classification was quite low.

b) Experimental results of detecting APT attacks using the CNN-LSTM combined deep learning network

Table 3 below shows the experimental results when we apply CNN-LSTM [25, 35] model for APT attack detection.

Table 3

Experimental results of detecting APT attacks using the CNN-LSTM combined deep learning model [25, 35]

N. of CNN	N. of LSTM	Evaluation of frame				Evaluation of IP
		Acc	Pre	Rec	F1	Acc	Pre	Rec	F1
3	3	0.86	0.99	0.49	0.66	0.975	0.94	0.45	0.61
4	4	0.871	0.985	0.515	0.67	0.976	0.974	0.514	0.66
4	2	0.873	0.995	0.517	0.681	0.978	0.95	0.54	0.69

After experimenting with various different models combining CNN with LSTM with fine-tuning parameters, Table 3 is a summary evaluation of the models giving the best results with the test dataset. From Table 3, the experimental results between models with the different number of parameters have clear differences. Besides, the data in Table 3 also shows clearly if the frame classification results are good, it will give good IP classification results. However, many CNN networks combined with many LSTM networks did not always give the best results. The reasons are that structures of the networks are different and the parameters are randomly initialized leading to different learning styles of each model, and the learned patterns also are different leading to differences in the classification of results. In Table 3, model [4 CNN - 2 LSTM] gave the best results for the classification process of both APT frame and IP with a significant increase of F1-score (about 12%compared to model LSTM). From this experimental result, seeing that the combined deep learning model is a suitable approach for anomaly-based attack detection problems without too large imbalances in the dataset. Figure 5 below shows the confusion matrix results of the models for APT attack detection in scenario 1.

Fig. 5

The confusion matrix results of models in scenario 1. In which (a), (b) respectively represent the results of LSTM, CNN-LSTM models.

The results in Fig. 5 shows that the CNN-LSTM model had better performance than the LSTM model on both APT IPs and normal IPs detection. Regarding accurately detecting APT IPs, the LSTM model only correctly detected 15 IPs out of 35 IPs. This result is 4 IPs worse than that of the CNN-LSTM model. Regarding detecting normal IPs, the LSTM model incorrectly detected 3 IPs out of 743 IPs. This result is 2 IPs higher than the CNN-LSTM model.

4.4.2 Experimental results of scenario 2

Experimental results of detecting APT attacks using MLP model

Table 4 below shows the experimental results of detecting APT attack using MLP model [28].

Table 4
Experimental results of detecting APT attacks using MLP model [28]

N. of MLP Evaluation of frame Evaluation of IP

Acc Pre Rec F1 Acc Pre Rec F1

128 0.836 0.855 0.4475 0.5876 0.935 0.307 0.342 0.324

128-256-128 0.844 0.87 0.4745 0.614 0.94 0.342 0.342 0.342

128-256-512-256 0.876 0.908 0.568 0.71 0.95 0.448 0.37 0.406

N. of MLP	Evaluation of frame	Evaluation of IP
128	0.836	0.855	0.4475	0.5876	0.935	0.307	0.342	0.324
128-256-128	0.844	0.87	0.4745	0.614	0.94	0.342	0.342	0.342
128-256-512-256	0.876	0.908	0.568	0.71	0.95	0.448	0.37	0.406

From the experimental results presented in Table 4, seeing that the more complex the network architecture is, the higher the number of hidden layers and the corresponding number of nodes is, the better the ability of the model to learn is and the more accurate the test results are. In particular, the results of flow classification had a significant difference between MLP models. With the most simple model, accuracy was 83.6%. In the model with the highest complexity, the accuracy of flow classification was a relatively good result (87.6%). However, for IP classification, the MLP model was not effective. Specifically, the accuracy of normal IP classification and APT IP classification were both less than 40%. The reason is that the dataset has a huge discrepancy between the number of APT IPs and normal IPs. Therefore, in reality, the MLP model couldn’t be used for classification problems when there is a large imbalance in dataset. Based on the results shown in Tables 2 , and 4, seeing that the CNN-LSTM combined deep learning model brought better results than individual deep learning models such as MLP [28], LSTM [33]. The reason for this problem is that the combined deep learning model using CNN network to extract and combine features from neighboring flows (which LSTM can not do) and using LSTM network to extract timed and sequential features (which CNN can not do) to combine into high-level features. These two deep learning networks solve each other’s shortcomings while reinforcing the strengths of each network, making the learning ability of the model significantly improved.

b) Experimental results of APT attack detection using Autoencoder model

The experimental results of APT attack detection using model Autoencoder [32] are presented in Table 5.

Table 5

Experimental results of APT attack detection using Autoencoder model [32]

N. of Hidden-layer	Evaluation of frame				Evaluation of IP
	Acc	Pre	Rec	F1	Acc	Pre	Rec	F1
128-64-32	0.876	0.955	0.551	0.699	0.969	0.739	0.485	0.586
75-50	0.914	0.964	0.697	0.81	0.97	0.71	0.571	0.635
128-256-128	0.919	0.965	0.715	0.82	0.973	0.77	0.57	0.65

The experimental results presented in Table 5 show that the Autoencoder model gave relatively high results for the process of classifying and detecting APT frames as well as APT IPs. The experimental results based on the process of changing the parameters of the Autoencoder model, we found that the Autoencoder model gave the best APT IP classification results on all measures with the model [128-256-128]. Comparing the results of Tables 3 5, seeing that the CNN-LSTM model gave higher results of classifying normal frames and IPs than the Autoencoder model (about 3%for frame classification and 20%for IP classification). However, with the classification process for APT frames and APT IPs, the Autoencoder model gave higher results than the CNN-LSTM model [25, 35] (about 19%for frame classification and 3%for IP classification). The reason is that the Autoencoder model [32] uses encoder and decoder components to compress the features and then recreate them as they were. Besides, the Autoencoder model has a relatively good ability to remember important features, so it filtered out and learned important features in the data, thereby helping the model improve the APT IP classification results. From the experimental results, we found that the Autoencoder model is more suitable for the APT IP classification problem, while the CNN-LSTM model is more efficient for accurately predicting normal flows.

Figure 6 below depicts the confusion matrix results of attack detection models in scenario 2.

Fig. 6

The confusion matrix results of models in scenario 2. In which (a), (b) respectively represent the results of MLP, Autoencoder.

From Fig. 6, seeing that there are different efficiency in the process of predicting the APT IPs and the normal IPs of the experimental models. Comparing Figs. 5 6, it can be seen that the CNN-LSTM model and the Autoencoder model yielded higher results than other models. Specifically, the CNN-LSTM model had the superiority in accurately predicting normal IPs because this model only incorrectly predicted 1 IP out of 743 IPs. However, for the task of detecting APT IPs, this model was not actually effective because it detected only 19 APT IPs out of 35 IPs. For the Autoencoder model, it had the opposite trend when it gave a higher APT IP correct prediction rate (correctly detected 20 APT IPs - increased 1 IP compared to the CNN-LSTM model) and a lower normal IP correct prediction rate (wrong detected 6 normal IPs - increased 5 IPs compared to the CNN-LSTM model).

4.4.3 Experimental results of scenario 3

a) Experimental results of detecting APT attack using the CNN-LSTM-ATTENTION 1 model

Based on the CNN-LSTM-ATTENTION 1 model proposed in Section 3.2.2, this study applies the model to the APT attack detection task. To see the effectiveness of the CNN-LSTM-ATTENTION 1 model, this study tries to experiment this model with many different parameters. Table 6 below shows experimental results when using the CNN-LSTM-ATTENTION 1 model.

Table 6
Experimental results of detecting APT attacks using CNN-LSTM-ATTENTION 1 model

N. of CNN N. of LSTM N. of Attention Evaluation of frame Evaluation of IP

Acc Pre Rec F1 Acc Pre Rec F1

3 1 1 0.927 0.986 0.73 0.84 0.979 0.913 0.6 0.724

4 1 1 0.922 0.98 0.718 0.83 0.981 0.954 0.6 0.736

3 2 1 0.917 0.992 0.685 0.811 0.979 0.952 0.571 0.714

N. of CNN	N. of LSTM	N. of Attention	Evaluation of frame	Evaluation of IP
3	1	1	0.927	0.986	0.73	0.84	0.979	0.913	0.6	0.724
4	1	1	0.922	0.98	0.718	0.83	0.981	0.954	0.6	0.736
3	2	1	0.917	0.992	0.685	0.811	0.979	0.952	0.571	0.714

The experimental results in Table 6 show that CNN-LSTM-ATTENTION 1 model gave very good results, the accuracy ranged from 91.7%to 92.7%with frame classification and from 97.9%to 98.1%with IP classification. In particular, with the CNN-LSTM-ATTENTION combined model, the normal frame classification results were up to 99.2%accurate and the APT frame classification results reached 73%. Regarding the IP classification, classification results were 95.4%for normal IPs and 60%for APT IPs. From Table 6, seeing that CNN-LSTM-ATTENTION 1 model gave the best frame classification results with model [3-1-1] and the best IP classification with model [4-1-1]. There are two reasons for this problem. The first reason is the imbalance between the number of normal IPs and APT IPs. Secondly, due to the characteristics of APT attacks, many IPs are connected to each other only through one flow, leading to misclassification. However, with the results shown in Table 6, the CNN-LSTM-ATTENTION 1 model has not only shown its superiority compared to individual or combined deep learning models, or autoencoder models, but also improved the accuracy of the IP classification. Specifically, with the CNN-LSTM-ATTENTION 1 model, the APT IP classification accuracy increased by about 23%compared to the MLP network, 17%compared to the LSTM model, 6%compared to the CNN-LSTM model, and 3%compared to the Autoencoder model. In addition, comparing the results of Table 6 with Table 3, it is found that, although CNN-LSTM has somewhat improved the ability to remember results while processing long-term data, the CNN-LSTM model did not yield as good classification results as the CNN-LSTM-ATTENTION 1 model when dealing with the unbalanced dataset. This result has proved that ATTENTION 1 networks with a flexible combination of blocks (as shown in Fig. 4) provided the best ability to exploit and highlight important features in the data instead using of individual blocks for the computation. On the other hand, although the CNN-LSTM-ATTENTION 1 model gave APT IP classification results between 57%and 60%, overall, this result is very good because the experimental dataset has a difference deviation up to 14 times between the number of normal IPs and APT IPs. Thus, directing the model’s attention to important features in all flows and combining them together by using the attention mechanism has yielded positive results, not only for the task of APT frame detection based on flow networks but also for improving the efficiency of correctly classifying APT IPs.

b) Experimental results of detecting APT attack using the CNN-LSTM-ATTENTION 2 model

The experimental results in Table 7 show that model CNN-LSTM-ATTENTION 2 gave the frame classification accuracy from 89.1%to 92.7%and the IP classification accuracy from 97.7%to 97.9%. In addition, according to the results of frame prediction, the system correctly predicted normal frames ranging from 98.6%to 99.4%and APT frames between 59.1%and 72.5%. Similarly, for the IP classification results, we found that the CNN-LSTM-ATTENTION 2 model was highly effective when it correctly predicted the APT IPs from 54.2%to 57.1%and the normal IPs from 86.7%to 95.2%. In addition, like the CNN-LSTM-ATTENTION 1 model, the CNN-LSTM-ATTENTION 2 model gave different results of detecting APT frames and APT IPs when changing parameters in the model architecture. In particular, with the architecture [4-1-1], the CNN-LSTM-ATTENTION 2 model gave the best frame classification results on all measures, but the APT IP classification results were the best with the architecture [3 -2-1]. Clearly, with the addition of the ATTENTION 2 network to the CNN-LSTM combined deep learning network model, the accuracy of the whole classification process has been significantly improved. This demonstrates our approach and proposal for using the ATTENTION 2 network to sum the weights of all time steps to recover and aggregate important features that could be lost in the training phase is reasonable and meaningful. However, the results shown in Table 7 are much higher than the CNN-LSTM model and other deep learning models, but lower than the classification results in the CNN-LSTM-ATTENTION 1 model shown in Table 6. Accordingly, comparing the results of detecting APT frames and IPs, results of the ATTENTION 1 model are higher than that of the ATTENTION 2 model (about 0.5%with APT frame detection and 3%with APT IP detection).

Table 7

Experimental results of detecting APT attacks using CNN-LSTM-ATTENTION 2 model

N. of CNN	N. of LSTM	N. of Attention	Evaluation of frame				Evaluation of IP
			Acc	Pre	Rec	F1	Acc	Pre	Rec	F1
3	3	1	0.891	0.987	0.591	0.74	0.977	0.867	0.571	0.69
3	2	1	0.925	0.986	0.725	0.836	0.979	0.952	0.571	0.714
4	1	1	0.927	0.994	0.725	0.838	0.978	0.95	0.542	0.69

Figure 7 depicts the confusion matrix results of our proposed CNN-LSTM-ATTENTION 1 and CNN-LSTM-ATTENTION 2 models.

Fig. 7

The confusion matrix results of models in scenario 2. In which (a), (b) respectively represent the results of CNN-LSTM- ATTENTION 1 and CNN-LSTM- ATTENTION 2 models.

The results in Fig. 7 show that the CNN-LSTM-ATTENTION 1 model gave superior performance compared to the CNN-LSTM-ATTENTION 2 model in the task of accurately detecting APT IPs. For the normal IP classification task, these models were equally effective. Comparing the results shown in Figs. 5 , 6 and 7 seeing that the confusion matrix results of our proposed models have been better than other models on both correctly detecting APT IPs and normal IPs.

4.4.4 Discussion

From 3 comparison scenarios with different evaluation methods, we have proved the complete superiority of the CNN-LSTM-ATTENTION model compared to some other deep learning models. The reason is that the CNN-LSTM-ATTENTION model with the combination of many different layers and models not only supports aggregating and extracting many important features, but also supports seeking, aggregating, and associating important IP features and characteristics based on the flow network. The experiment results show that the CNN-LSTM-ATTENTION model brought high efficiency for both detecting APT IPs and normal IPs, even though the experimental dataset has a huge difference between the number of normal data and attack data (the number of normal IPs is about 14 times more than the number of APT IPs). From the experimental results, we think that the CNN-LSTM-ATTENTION model is fully capable of applying to the real APT attack monitoring system because it satisfies 2 requirements of the system: the ability to analyze big data and the efficiency with imbalanced datasets. Besides, based on changing parameters in the proposed models, we want to provide options for the APT attack monitoring system when there is a trade-off between computation time and detection efficiency. Obviously, the more layers are used and the more complex network architecture is, the better the results are, but that requires more time and computational resources.

5 Conclusion and future direction

APT attack techniques are evolving more and more from methods to assistive technologies, making it more difficult for cyber-attack monitoring and detection systems. This study has successfully proposed the CNN-LSTM-ATTENTION model for APT attack detection. Specifically, regarding the process of selecting and extracting IP features in network traffic, with the support of the CNN-LSTM-ATTENTION model, we have succeeded in extracting information about abnormal IP behaviors based on statistical features of the flow network. The experimental results in Tables 6, 7 showed the superiority of the CNN-LSTM-ATTENTION model with other models. This has proven that our proposal is correct and reasonable. Regarding the task of detecting APT IPs, from Tables 6, 7 and Figs. 5 , 7, obviously, the CNN-LSTM-ATTENTION model has proven its effectiveness in finding and synthesizing important information, which helps the APT IP classifier works well despite the imbalance between the number of APT IPs and normal IPs. However, because the processing complexity of ATTENTION networks is different, the ATTENTION 1 network has been more efficient than the ATTENTION 2 network. Besides, to evaluate the effectiveness of each model, this study has conducted experiments, evaluated, and optimized parameters to find out a suitable CNN-LSTM-ATTENTION model that brought the best results for the task of detecting APT attacks. Tables 6 7 have proven that CNN-LSTM-ATTENTION 1 model with parameters [4 - 2 - 1] and CNN-LSTM-ATTENTION 2 model with parameters [4 -1-1] brought good effects not only for the ability to accurately detect APT attacks but also for limiting false detections. In further studies, to improve the efficiency of the APT attack detection process, we think that it is necessary to improve 2 main issues: i) the method of synthesizing and extracting IP features based on network traffic; ii) improving the ATTENTION network architecture.

Footnotes

Acknowledgments

This work has been sponsored by the Posts and Telecommunications Institute of Technology, Viet Nam

References

Alshamrani

E.A.

, Chowdhary

, Myneni

and Huang

, A Survey on Advanced Persistent Threats: Techniques, Solutions, Challenges, and Research Opportunities, IEEE Comm Surveys & Tutorials 1 (2019), 1–29.

Stojanović

, Hofer-Schmitz

and Kleb

, APT Datasets andAttack Modeling for Automated Detection Methods: A Review, Computers & Security 92 (2020), https://doi.org/10.1016/j.cose.2020.101734.

Yang

L.-X.

, Li

, Yang

and Tang

Y.Y.

, A Risk Management Approach to Defending Against the Advanced Persistent Threat, IEEE Transactions on Dependable and Secure Computing 16 (2020), 1163–1172. doi: 10.1109/TDSC.2018.2858786.

APT attacks on industrial companies in 2020. https://ics-cert.kaspersky.com/reports/2021/03/29/apt-attacks-on-industrial-companies-in-2020/. (Accessed January 23, 2021).

Lemay

, Calvet

, Menet

and Fernandez

, Survey of publicly available reports on advanced persistent threat actors, Computers & Security 72 (2018), 26–59.

Singh

, Sharma

P.K.

, Moon

S.Y.

, et al., A comprehensive study on APT attacks and countermeasures for future networks and communications: challenges and solutions, Supercomput 75 (2019), 4543–4574.

Ghafir

, Hammoudeh

, Prenosil

, Han

, Hegarty

, Rabie

and Aparicio-Navarro

F.J.

, Detection of advanced persistent threat using machine-learning correlation analysis, Future Generation Computer Systems 89 (2020), 349–359.

, Dai

, Bai

, Gan

, Wang

and Wang

, AnIntelligence-Driven Security-Aware Defense Mechanism for Advanced Persistent Threats, IEEE Transactions on Information Forensicsand Security 14 (2019), 646–661.

Marchetti

, Pierazzi

, Colajanni

and Guido

, Analysis of high volumes of network traffic for Advanced Persistent Threat detection, Computer Networks 109 (2019), 127–141.

10.

Milajerdi

S.M.

, Gjomemo

, Eshete

, Sekar

, HOLMES: Real-time APT Detection through Correlation of Suspicious Information Flows, Proceedings of the 2019 IEEE Symposium on Security and Privacy (SP) (2019), 1137–1152.

11.

, Chen

, Zhuo

and Zhang

X.S.

, A temporal correlation and traffic analysis approach for APT attacks detection, Cluster Computing 22 (2019), 7347–7358.

12.

, Nguyen

H.D.

and Nikolaevich

T.V.

, Malicious URL Detection based on Machine Learning, International Journal of Advanced Computer Science and Applications 11(1) (2020), 148–153.

13.

Zimba

, Chen

H.S.

, Wang

and Chishimba

, Modeling and detection of the multi-stages of Advanced Persistent Threats attacks based on semi-supervised learning and complex networks characteristics, Future Generation Computer Systems 106 (2020), 501–517.

14.

Lajevardi

and Amini

, A semantic-based correlation approach for detecting hybrid and low-level APTs, Future Generation Computer Systems 96 (2019), 64–88.

15.

Bonilla

and Santiago Rey

Á.

, A New Proposal on the AdvancedPersistent Threat: A Survey, Applied Sciences 10 (2020), 38–74.

16.

Myneni

, DAPT 2020 - Constructing a Benchmark Dataset for Advanced Persistent Threats. In: G. Wang, A. Ciptadi, A. Ahmadzadeh (eds) Deployable Machine Learning for Security Defense. MLHat 2020, Communications in Computer and Information Science 1271 Springer, Cham. https://doi.org/10.1007/978-3-030-59621-7_8.

17.

Do Xuan

, Dao

H.M.

and Nguyen

H.D.

, APT attack detection based on flow network analysis techniques using deep learning, Journal of Intelligent & Fuzzy Systems 39(3) (2020), 4785–4801.

18.

Rubio

J.E.

, Alcaraz

, Roman

and Lopez

, Current cyber-defense trends in industrial control systems, Computers & Security 87 (2019), 101561. https://doi.org/10.1016/j.cose.2019.06.015.

19.

Yan

, Li

, Guo

and Meng

, Discovering suspicious APT behaviors by analyzing DNS activities, Sensors 20 (2020), 1–17.

20.

Friedberg

, Skopik

, Settanni

and Fiedler

, Combating advanced persistent threats: From network event correlation to incident detection, Computers & Security 48 (2020), 35–57.

21.

Xiang

, Guo

and Li

, Detecting mobile advanced persistent threats based on large-scale DNS logs, Computers & Security 96 (2020). https://doi.org/10.1016/j.cose.2020.101933.

22.

Cho

D.X.

and Nam

H.H.

, A method of monitoring and detecting APT attacks based on unknown domains, Procedia Computer Science 150 (2019), 316–323.

23.

Xuan

C.D.

, Duong

and Dau

H.X.

, A Multi-Layer Approach for Advanced Persistent Threat Detection Using Machine Learning Based on Network Traffic, Journal of Intelligent & Fuzzy Systems 40(6) (2021), 11311–11329.

24.

Xuan

C.D.

, Detecting APT Attacks Based on Network Traffic Using Machine Learning, Journal of Web Engineering 20(1) (2021), 171–190.

25.

Do Xuan

and Dao

M.H.

, A novel approach for APT attack detection based on combined deep learning model, Neural Comput & Applic 33 (2021), 13251–13264. https://doi.org/10.1007/s00521-021-05952-5.

26.

Zhang

, Huo

, Liu

, Weng

, Constructing APT Attack Scenarios Based on Intrusion Kill Chain and Fuzzy Clustering, Security and Communication Networks (2017), Article ID 7536381. https://doi.org/10.1155/2017/7536381.

27.

Bodström

and Hämäläinen

, A Novel Deep Learning Stack for APT Detection, Applied Sciences 9(6) (2020). https://doi.org/10.3390/app9061055.

28.

Chu

W.-L.

, Lin

C.-J.

and Chang

K.-N.

, Detection and Classification of Advanced Persistent Threats and Attacks Using the Support Vector Machine, Applied Sciences 9(21) (2019), 45–79.

29.

Tuor

, Kaplan

, Hutchinson

, Nichols

, Robinson

, Deep Learning for Unsupervised Insider Threat Detection in Structured Cybersecurity Data Streams, Proceedings of the AAAI-17Workshop on Artificial Intelligence for Cyber Security WS-17-04 (2017), 9–21.

30.

Eke

H.N.

, Petrovski

, Ahriz

, The use of machine learning algorithms for detecting advanced persistent threats, Proceedings of the 12th International on security of information and networks conference (2019), 1–8.

31.

Joloudari

, Haderbadi

, Mashmool

, Ghasemigol

, Band

S.S.

and Mosavi

, Early Detection of the Advanced Persistent Threat Attack Using Performance Analysis of Deep Learning, IEEE Access 8 (2020), 186125–186137.

32.

Ieracitano

, Adeel

, Morabito

F.C.

and Hussain

, A novel statistical analysis and autoencoder driven intelligent intrusion detection approach, Neurocomputing 387 (2020), 51–62.

33.

Sai Charan

P.V.

, Gireesh Kumar

, Mohan Anand

, Advance Persistent Threat Detection Using Long Short Term Memory (LSTM) Neural Networks, In: Somani A., Ramakrishna S., Chaudhary A., Choudhary C., Agarwal B. (eds) Emerging Technologies in Computer Engineering: Microservices in Big Data Analytics. ICETCE 2019. Communications in Computer and Information Science, vol 985. Springer, Singapore. https://doi.org/10.1007/978-981-13-8300-7_5.

34.

Hofer-Schmitz

, Kleb

and Stojanović

, The Influences of Feature Sets on the Detection of Advanced Persistent Threats, Electronics 10 (2021), https://doi.org/10.3390/electronics10060704.

35.

Sun

, Liu

, Li

, Liu

, Lu

, Hao

, Chen

, DL-IDS: Extracting Features Using CNN-LSTM Hybrid Network for Intrusion Detection System, Security and Communication Networks (2020), Article ID 8890306. https://doi.org/10.1155/2020/8890306.

36.

Office of National science and technology research programs - News detail. http://www.vpct.gov.vn/NewsDetail.html?newsId=392. (Accessed 6 september 2021).

37.

CIC Flow Meter. http://www.netflowmeter.ca/netflowmeter.html. (Accessed 1 september 2021).

38.

Niakanlahiji

, Wei

, Chu

, A Natural Language Processing Based Trend Analysis of Advanced Persistent Threat Techniques, Proceedings of the IEEE International Conference on Big Data (Big Data), (2018), 2995–3000.

39.

Feng

, Liu

, Yang

, Li

, Zhou

, Zhu

K.Q.

, Improving Attention Modeling with Implicit Distortion and Fertility for Machine Translation, Proceedings of COLING 2016, the 26th International Conference on Computational Linguistics: Technical Papers (2016), 3082–3092.

40.

, Gui

, Xu

, He

, A Convolutional Attention Model for Text Classification, Proccesing Natural Language Processing and Chinese Computing (2017), 183–195.

41.

Hernández

and Amigó

J.M.

, Attention Mechanisms and TheirApplications to Complex Systems, Entropy 23(3) (2021). https://doi.org/10.3390/e23030283.

42.

, Liu

, Yang

, Peng

, Zhou

, A Survey of Convolutional Neural Networks: Analysis, Applications, and Prospects, IEEE Transactions on Neural Networks and Learning Systems (2021), https://doi.org/10.1109/TNNLS.2021.3084827.

43.

Albawi

, Mohammed

T.A.

, Al-Zawi

, Understanding of a convolutional neural network, Proceedings of the International Conference on Engineering and Technology (ICET) (2017), 1–6.

44.

Hochreiter

and Schmidhuber

, Long Short-Term Memory, Neural Computation 9(8) (1997), 1735–1780.

45.

Duan

, Sathiya Keerthi

, Chu

, Shevade

S.K.

, Poo

A.N.

, Multi-category Classification by Soft-Max Combination of Binary Classifiers, Proceedings of the 4th International Workshop (2003), 125–134.

46.

Vaswani

, Shazeer

, Parmar

, Uszkoreit

, Jones

, Gomez

A.N.

, Kaiser

, Polosukhin

, Attention is All you Need, Proceedings of the NIPS 2017 (2017), 6000–6010.

47.

Malware Capture Facility Project. https://www.stratosphereips.org/datasets-malware. (Accessed 8 september 2021).

48.

Department of Information and Communications Soc Trang Province. https://sotttt.soctrang.gov.vn/Default.aspx?sname=sotttt&sid=1229&pageid=27530.(Accessed 8 september 2021).

Optimization of APT attack detection based on a model combining ATTENTION and deep learning

Abstract

Keywords

1 Introduction

1.1 Problem

1.2 Contributions

2 Related work

3 The proposed model

3.1 The model architecture

3.2.1 Proposing the CNN-LSTM-ATTENTION 1 model

4.1 Experimental dataset

Table 1 Components of experimental dataset N° Type Total Malicious Normal 1 Flows 3.068.915 871.914 (28.5%) 2.197.001 (71.5%) 2 IP 1690 118 (7%) 1572 (93%)

4.3 Installation requirements and classification measures

4.3.1 Installation requirements

4.3.2 Classification measures

4.4.1 Experimental results of scenario 1

Table 2 Results of detecting APT attacks using LSTM algorithm [33] N. of LSTM Evaluation of frame Evaluation of IP Acc Pre Rec F1 Acc Pre Rec F1 2 0.857 0.957 0.475 0.635 0.966 0.714 0.428 0.535 3 0.874 0.941 0.557 0.620 0.973 0.9375 0.4285 0.588 4 0.858 0.9761 0.475 0.635 0.970 0.833 0.4285 0.566

5 Conclusion and future direction

Footnotes

Acknowledgments

References

Table 1
Components of experimental dataset

N° Type Total Malicious Normal

1 Flows 3.068.915 871.914 (28.5%) 2.197.001 (71.5%)

2 IP 1690 118 (7%) 1572 (93%)