APT Attack Provenance Method Based on ATT&CK Sub-techniques and Heterogeneous Graph Attention
Sun Yibo (孙艺博), Chen Yunfang (陈云芳), Zhang Wei (张伟)
Nanjing University of Posts and Telecommunications
Abstract: In Advanced Persistent Threat (APT) attack provenance there is a semantic gap between log event data and high-level attack intent, and malicious signals are often buried in benign events. This leads to inaccurate identification of attack points and difficulty in correlating them into attack chains. We propose AP-ATSHGA (APT Attack Provenance based on ATT&CK Sub-techniques and Heterogeneous Graph Attention), a provenance method that builds an attack prototype library at the granularity of ATT&CK sub-techniques. The method operates in three stages. First, it constructs a heterogeneous provenance graph from log data and combines a Graph Convolutional Network with the Extended Isolation Forest algorithm to identify anomalous nodes, which locate suspicious behaviour in noisy environments and anchor the extraction of relevant subgraphs. Second, it employs a Heterogeneous Graph Attention Network with temporal constraints to model the interactions and temporal relationships among multi-type entities such as processes, files and network connections, and from these builds attack behaviour sequences. Finally, it uses Gated Recurrent Units to capture the features of each attack sequence and performs similarity matching against the attack prototype library, establishing a semantic mapping from log events through sub-technique combinations to attack intent and thereby reconstructing the APT attack scenario. Experimental results: on the Kellect4APT dataset, sub-technique label matching achieves 72.3% accuracy, with technique and tactic label matching reaching 76.1% and 85.6% respectively; on the ATLAS dataset, attack chain reconstruction F1-score improves by 9% over the ATLAS baseline method, with precision reaching 96%.
Keywords: Advanced Persistent Threat; Attack Provenance; ATT&CK; Graph Attention; Spatio-Temporal Coordination; Attack Scenario Reconstruction
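The three-stage pipeline the abstract describes (log events to heterogeneous provenance graph, time-constrained subgraph around a suspicious node, ordered behaviour sequence, matching against a sub-technique prototype library, tactic-level intent), reduced to a runnable sketch. This is an added illustration and not the authors' code: the log lines, the process role table, the prototype library contents and the seed node are all constructed for the example; the GCN plus Extended Isolation Forest anomaly scorer is replaced by a hand-picked seed node, the heterogeneous graph attention network by a causality-constrained graph walk, and the GRU embedding similarity by a normalised longest-common-subsequence score. The ATT&CK IDs are real sub-technique identifiers used only as labels; the token sequences attached to them are made up for the demonstration.

```python
"""Added, simplified sketch of an ATT&CK-sub-technique provenance pipeline.
Not the paper's implementation: the neural components (GCN + extended
isolation forest, heterogeneous graph attention, GRU) are replaced by a
hand-chosen seed node, a causal time-constrained walk and an LCS score."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Edge:
    ts: int       # event timestamp (constructed, monotonic integers)
    src: str      # node id "type:name"; information flows src -> dst
    action: str
    dst: str


# Constructed audit-log lines: "<ts> <subject> <action> <object>".
LOG_LINES = [
    "100 process:outlook.exe read file:invoice.docm",
    "101 process:outlook.exe exec process:winword.exe",
    "102 process:winword.exe exec process:powershell.exe",
    "103 process:powershell.exe connect socket:203.0.113.5:443",
    "104 process:powershell.exe write file:C:\\Users\\u\\AppData\\update.exe",
    "105 process:powershell.exe write registry:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd",
    "106 process:explorer.exe read file:report.xlsx",
    "107 process:chrome.exe connect socket:198.51.100.7:443",
    "120 process:svchost.exe read file:C:\\Windows\\System32\\drivers\\etc\\hosts",
]

INBOUND = {"read"}  # actions where the object is the information source

# Constructed role table: refines the "process" type for sequence tokens.
ROLES = {"powershell.exe": "shell", "cmd.exe": "shell"}

# Constructed prototype library keyed by real ATT&CK sub-technique IDs.
PROTOTYPES = {
    "T1204.002": ["file-read->process", "process-exec->process"],
    "T1059.001": ["process-exec->shell"],
    "T1071.001": ["shell-connect->socket"],
    "T1547.001": ["shell-write->registry"],
    "T1003.001": ["process-read->process"],   # decoy: should not match
}
TACTIC = {"T1204.002": "Execution", "T1059.001": "Execution",
          "T1071.001": "Command and Control", "T1547.001": "Persistence",
          "T1003.001": "Credential Access"}


def parse_log(lines):
    """Stage 1: build the heterogeneous provenance graph as a ts-sorted edge list."""
    edges = []
    for line in lines:
        ts, subj, action, obj = line.split(" ", 3)
        src, dst = (obj, subj) if action in INBOUND else (subj, obj)
        edges.append(Edge(int(ts), src, action, dst))
    return sorted(edges, key=lambda e: e.ts)


def causal_subgraph(edges, seed):
    """Stage 1/2: edges reachable from `seed` under the time constraint that
    forward edges leave a node no earlier than it was reached and backward
    edges enter a node no later than it was reached."""
    keep = set()
    reach = {seed: float("-inf")}
    for e in edges:                       # ascending: forward closure
        if e.src in reach and e.ts >= reach[e.src]:
            keep.add(e)
            reach[e.dst] = min(reach.get(e.dst, e.ts), e.ts)
    reach = {seed: float("inf")}
    for e in reversed(edges):             # descending: backward closure
        if e.dst in reach and e.ts <= reach[e.dst]:
            keep.add(e)
            reach[e.src] = max(reach.get(e.src, e.ts), e.ts)
    return sorted(keep, key=lambda e: e.ts)


def node_class(node):
    ntype, name = node.split(":", 1)
    return ROLES.get(name, ntype) if ntype == "process" else ntype


def behaviour_sequence(edges):
    """Stage 2: linearise the subgraph into typed event tokens in time order."""
    return [f"{node_class(e.src)}-{e.action}->{node_class(e.dst)}" for e in edges]


def lcs(a, b):
    dp = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i, x in enumerate(a, 1):
        for j, y in enumerate(b, 1):
            dp[i][j] = dp[i - 1][j - 1] + 1 if x == y else max(dp[i - 1][j], dp[i][j - 1])
    return dp[-1][-1]


def match_prototypes(seq, library=PROTOTYPES, threshold=0.5):
    """Stage 3: score each prototype by normalised LCS; return hits ordered by
    first occurrence so the sub-technique combination reads in attack order."""
    hits = []
    for tid, proto in library.items():
        score = lcs(seq, proto) / len(proto)
        if score >= threshold:
            first = min(seq.index(t) for t in proto if t in seq)
            hits.append((first, tid, round(score, 2)))
    return [(tid, score) for _, tid, score in sorted(hits)]


def attack_intent(matches):
    """Collapse the ordered sub-technique combination to its tactic sequence."""
    tactics = []
    for tid, _ in matches:
        if TACTIC[tid] not in tactics:
            tactics.append(TACTIC[tid])
    return tactics


if __name__ == "__main__":
    sub = causal_subgraph(parse_log(LOG_LINES), "process:powershell.exe")
    hits = match_prototypes(behaviour_sequence(sub))
    print(hits, attack_intent(hits))
```

The seed here is the node a detector would flag; the benign explorer, chrome and svchost events fall outside the causal subgraph and never reach the matcher, which is the noise-suppression effect the abstract attributes to anomaly-driven subgraph extraction.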


Copyright: Software Engineering Magazine (软件工程杂志社)
Address: No. 2 Xinxiu Street, Hunnan District, Shenyang, Liaoning Province; postal code 110179
Tel: 0411-84767887  Fax: 0411-84835089  Email: semagazine@neusoft.edu.cn
ICP record number: 辽ICP备17007376号-1
Technical support: Beijing Qinyun Technology Development Co., Ltd. (北京勤云科技发展有限公司)