
A novel approach for APT attack detection based on combined deep learning model

  • Original Article, Neural Computing and Applications

Abstract

An advanced persistent threat (APT) attack is a malicious attack with deliberate, clearly defined targets. This attack technique has become a challenge for the information security systems of organizations, governments, and businesses. Approaches that use machine learning or deep learning algorithms to analyze signs and abnormal behaviors in network traffic for detecting and preventing APT attacks have become popular in recent years. However, APT attack detection approaches based on behavior analysis and evaluation face many difficulties due to the lack of representative data from attack campaigns. To handle this situation, recent studies have selected and extracted APT attack behaviors from datasets built with experimental tools. Consequently, these properties are few and difficult to obtain in practical monitoring systems; although the experimental results show good detection, they do not bring high efficiency in practice. For these reasons, this paper proposes a new method based on network traffic analysis that uses a combined deep learning model to detect APT attacks. Specifically, individual deep learning networks such as the multilayer perceptron (MLP), convolutional neural network (CNN), and long short-term memory (LSTM) network are selected, built, and linked into combined deep learning networks that analyze network traffic for signs of APT attacks. To detect APT attack signals, the combined deep learning models operate in two main stages: (i) extracting IP features based on flows: network traffic is split into network flows by IP address, and the combined deep learning models then extract IP features from those flows; (ii) classifying APT attack IPs: based on the IP features extracted in stage (i), APT attack IPs and normal IPs are identified and classified.
Proposing a combined deep learning model to detect APT attacks based on network traffic is a new approach; no prior research has proposed or applied it. In the experimental section, the combined deep learning models demonstrate their superior ability, with accuracy on all measurements from 93 to 98%. This is a very good result for APT attack detection based on network traffic.
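As an added illustration of the two-stage pipeline the abstract describes (example code written for this page, not the authors' implementation): flow records are grouped by source IP into fixed-length feature sequences of the shape a CNN/LSTM consumes, and a per-IP score is thresholded into an APT/normal label. The flow records, the window length SEQ_LEN and the `demo_scorer` heuristic are assumptions standing in for the paper's dataset and its combined deep learning model.

```python
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# Flow record: src_ip, dst_ip, start_ts (s), duration (s), packets, bytes.
Flow = Tuple[str, str, int, float, int, int]

# Constructed CICFlowMeter-style records (sample data, not the paper's dataset).
FLOWS: List[Flow] = [
    ("10.0.0.5", "203.0.113.7", 100, 0.5, 12, 900),
    ("10.0.0.5", "203.0.113.7", 220, 0.6, 11, 910),
    ("10.0.0.5", "203.0.113.7", 160, 0.4, 10, 850),  # out of order on purpose
    ("10.0.0.9", "198.51.100.2", 105, 3.2, 80, 64000),
    ("10.0.0.9", "198.51.100.3", 300, 2.9, 75, 59000),
]
SEQ_LEN = 4   # flows per IP fed to the sequence model (assumed window length)
N_FEAT = 4    # duration, packets, bytes, inter-arrival gap

def flows_by_ip(flows: List[Flow]) -> Dict[str, List[Flow]]:
    """Stage (i): bucket flows by source IP and order each bucket by start time."""
    buckets: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        buckets[f[0]].append(f)
    return {ip: sorted(fs, key=lambda f: f[2]) for ip, fs in buckets.items()}

def ip_sequence(flows: List[Flow], seq_len: int = SEQ_LEN) -> List[List[float]]:
    """Fixed-length per-IP feature matrix: the seq_len most recent flows, zero-padded."""
    rows, prev_ts = [], None
    for _, _, ts, dur, pkts, nbytes in flows[-seq_len:]:
        gap = 0.0 if prev_ts is None else float(ts - prev_ts)
        rows.append([dur, float(pkts), float(nbytes), gap])
        prev_ts = ts
    rows += [[0.0] * N_FEAT for _ in range(seq_len - len(rows))]
    return rows

def demo_scorer(seq: List[List[float]]) -> float:
    """Hypothetical stand-in for the combined MLP/CNN/LSTM model: the score rises
    with the share of short, small flows and with evenly spaced start times."""
    real = [r for r in seq if any(r)]          # drop padding rows
    if len(real) < 2:
        return 0.0
    gaps = [r[3] for r in real[1:]]
    small = sum(1 for r in real if r[0] < 1.0 and r[2] < 2000) / len(real)
    return small * (1.0 if max(gaps) - min(gaps) <= 5 else 0.5)

def classify_ips(flows: List[Flow], score: Callable[[List[List[float]]], float],
                 threshold: float = 0.5) -> Dict[str, str]:
    """Stage (ii): label each IP as APT or normal from the score of its sequence."""
    return {ip: "apt" if score(ip_sequence(fs)) >= threshold else "normal"
            for ip, fs in flows_by_ip(flows).items()}
```

In a real deployment `demo_scorer` is replaced by the trained model's output on the same padded matrix, and `classify_ips` becomes the per-IP decision step of stage (ii).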




Acknowledgements

This work has been sponsored by the Posts and Telecommunications Institute of Technology, Viet Nam.

Contributions

CDX raised the idea, initialized the project, and designed the experiments; MHD carried out the experiments under the supervision of CDX; both authors analyzed the data and results; and CDX wrote the paper.

Corresponding author

Correspondence to Cho Do Xuan.

Ethics declarations

Conflict of interest

The authors declare no competing financial interests.


Cite this article

Do Xuan, C., Dao, M.H. A novel approach for APT attack detection based on combined deep learning model. Neural Comput & Applic 33, 13251–13264 (2021). https://doi.org/10.1007/s00521-021-05952-5
