Title: APTSID: An Ensemble Learning Method for APT Attack Stage Identification
Authors: Fan Wang, Runzhi Li, Zijiao Zhang
Venue: 2021 5th Asian Conference on Artificial Intelligence Technology (ACAIT)
Published: 2021-10-29
DOI: 10.1109/acait53529.2021.9731169 (https://doi.org/10.1109/acait53529.2021.9731169)
Citations: 3
Abstract
Identifying security risks from network traffic behavior is of great significance, and applying AI techniques to cyberspace security has brought further progress. The Advanced Persistent Threat (APT) is known as one of the most sophisticated and potent security threats, and identifying APT attacks remains a major challenge because they are long-term, concealed, and targeted. In this work, we analyze APT behavior with a focus on its multi-stage features and propose APTSID, an ensemble learning method for identifying APT attack stages; its output is intended to support the decisions of security operators. APTSID combines a deep learning model with a machine learning model in two stages: first, a CNN separates abnormal traffic from normal traffic; then, on a multi-stage training dataset that we construct, classic machine learning models identify the individual APT attack stages. In the experiments, we compare different model ensemble methods. The results show that CNN+XGBoost gives the best performance: on the DAPT 2020 dataset it improves recall by about 10-15% over the other methods compared.
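The abstract describes a cascade: a stage-1 gate that separates abnormal traffic from normal traffic, and a stage-2 multi-class model that labels the flows the gate lets through with an APT stage. The following is an added example, not code from the paper: it reproduces the shape of that cascade with deliberately simple stand-in models (a distance threshold around the normal-traffic centroid instead of the CNN, a nearest-centroid classifier instead of XGBoost) over a handful of constructed flow records, and it shows the property a practitioner should check in any such design: a stage-1 false negative is an end-to-end miss, so per-stage recall can never exceed the gate's pass rate for that stage. The stage names follow the four attack phases DAPT 2020 is organized around (an assumption about the dataset; here they are only class labels), and all feature values are constructed.

```python
"""APTSID-shaped two-stage cascade with stand-in models (added example).
Stage 1: distance threshold around the normal centroid (stands in for the CNN).
Stage 2: nearest-centroid classifier (stands in for XGBoost).
Every flow record below is constructed; nothing here is real DAPT 2020 data."""
from collections import defaultdict
from math import dist
from typing import Dict, List, Sequence, Tuple

Vector = Tuple[float, ...]
# Assumed stage labels (DAPT 2020 phases); used only as class names.
STAGES = ("reconnaissance", "foothold", "lateral_movement", "exfiltration")

# Constructed features per flow: (packets/s, mean payload bytes, distinct dst ports).
# Left unscaled so the arithmetic is visible; a real pipeline would scale features.
TRAIN: List[Tuple[Vector, str]] = [
    ((10, 500, 1), "normal"), ((12, 520, 1), "normal"), ((8, 480, 2), "normal"), ((11, 510, 1), "normal"),
    ((200, 60, 150), "reconnaissance"), ((180, 70, 140), "reconnaissance"), ((220, 65, 160), "reconnaissance"),
    ((30, 900, 1), "foothold"), ((28, 950, 1), "foothold"), ((32, 880, 1), "foothold"),
    ((60, 700, 20), "lateral_movement"), ((55, 720, 25), "lateral_movement"), ((65, 680, 22), "lateral_movement"),
    ((40, 1400, 1), "exfiltration"), ((45, 1500, 1), "exfiltration"), ((38, 1450, 1), "exfiltration"),
]
TEST: List[Tuple[Vector, str]] = [
    ((9, 495, 1), "normal"), ((13, 530, 1), "normal"),
    ((190, 68, 145), "reconnaissance"),
    ((29, 920, 1), "foothold"),
    ((12, 540, 1), "foothold"),  # low-and-slow beacon that blends into normal traffic
    ((58, 710, 23), "lateral_movement"),
    ((42, 1480, 1), "exfiltration"),
]


def centroid(vectors: Sequence[Vector]) -> Vector:
    return tuple(sum(v[i] for v in vectors) / len(vectors) for i in range(len(vectors[0])))


class NormalProfileGate:
    """Stage 1: profile normal traffic only; anything outside the radius is abnormal."""

    def fit(self, normal: Sequence[Vector], margin: float = 2.0) -> "NormalProfileGate":
        self.center = centroid(normal)
        # Radius = margin * the largest distance seen in normal training traffic.
        self.radius = margin * max(dist(v, self.center) for v in normal)
        return self

    def is_abnormal(self, x: Vector) -> bool:
        return dist(x, self.center) > self.radius


class NearestCentroid:
    """Stage 2: assign the label of the closest class centroid."""

    def fit(self, samples: Sequence[Tuple[Vector, str]]) -> "NearestCentroid":
        by_label: Dict[str, List[Vector]] = defaultdict(list)
        for x, y in samples:
            by_label[y].append(x)
        self.centers = {y: centroid(xs) for y, xs in by_label.items()}
        return self

    def predict(self, x: Vector) -> str:
        return min(self.centers, key=lambda y: dist(x, self.centers[y]))


class Cascade:
    def fit(self, train: Sequence[Tuple[Vector, str]]) -> "Cascade":
        self.gate = NormalProfileGate().fit([x for x, y in train if y == "normal"])
        self.stager = NearestCentroid().fit([(x, y) for x, y in train if y != "normal"])
        return self

    def predict(self, x: Vector) -> str:
        # A flow the gate passes as normal never reaches stage 2, so a stage-1
        # miss is an end-to-end miss regardless of what stage 2 would have said.
        return self.stager.predict(x) if self.gate.is_abnormal(x) else "normal"


def recall_by_class(pairs: Sequence[Tuple[str, str]]) -> Dict[str, float]:
    hits: Dict[str, int] = defaultdict(int)
    total: Dict[str, int] = defaultdict(int)
    for truth, pred in pairs:
        total[truth] += 1
        hits[truth] += truth == pred
    return {y: hits[y] / total[y] for y in total}


def run_demo() -> Tuple[Dict[str, float], Dict[str, float]]:
    """Returns (end-to-end recall per class, stage-1 pass rate per attack class)."""
    model = Cascade().fit(TRAIN)
    recall = recall_by_class([(y, model.predict(x)) for x, y in TEST])
    gate_pass = recall_by_class(
        [(y, y if model.gate.is_abnormal(x) else "normal") for x, y in TEST if y != "normal"])
    return recall, gate_pass


if __name__ == "__main__":
    recall, gate_pass = run_demo()
    for stage in STAGES:
        print(f"{stage:17s} gate pass {gate_pass[stage]:.2f}  end-to-end recall {recall[stage]:.2f}")
```

Run as a script, the table shows the foothold stage with a gate pass rate of 0.50 and an end-to-end recall of 0.50 while the other three stages score 1.00: the quiet beacon flow is inside the normal profile's radius, stage 2 never sees it, and no choice of stage-2 model can recover it. When evaluating a cascade like APTSID, report the gate's per-stage pass rate alongside the final per-stage recall, since the gate sets the ceiling.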