摘要： 传统的入侵检测系统无法应对日益增多和复杂的网络攻击(如高级持续性威胁)，因为可能在几个月内不能检测出隐蔽威胁事件并具有较高误报率。最近研究建议利用溯源数据来实现基于主机的入侵检测，溯源图是由溯源数据构造成的有向无环图。然而，以前的研究是提取了整个溯源图的特征，对图中的少量异常攻击实体（节点）不敏感，因此无法准确识别异常节点。提出了一种在溯源图节点级别上的APT实时检测方法。采用K-Means和轮廓系数相结合的方法对训练数据集中的良性节点进行聚类，生成良性节点簇，通过判断新节点是否属于良性节点簇来判别是否存在异常。在Unicorn SC-2和DARPA TC两种公共数据集上评估该方法，结果表明该方法准确率达到95.83%，并且能够准确识别和定位异常节点。

中图分类号： TP319
文献标识码： A
DOI： 10.19358/j.issn.2097-1788.2022.04.008
引用格式： 罗汉新，王金双，伍文昌. 基于溯源图节点级别的APT检测[J].网络安全与数据治理，2022，41(4)：49-55.

Detecting advanced persistent threats through provenance graph in node level

Abstract： Traditional intrusion detection systems cannot cope with the increasing number and sophistication of cyberattacks such as advanced persistent threats(APT). Because they may not detect stealthy threat incidents for several months and have a high false-positive rate. Recent studies propose leveraging provenance data to detect threats in a host. Provenance graph is a directed acyclic graph constructed from provenance data. However, previous studies, which extracted features of the whole provenance graph, were not sensitive to the small number of threat-related entities(nodes), so it is still difficult to identify and locate the real attack entities. We propose a real-time detection method in node level. The benign nodes are clustered into clusters using K-Means and silhouette coefficient methods. An node is considered abnormal if it does not fit into any of the model′s clusters. Unicorn SC-2 and DARPA TC datasets are used to evaluate this method. The evaluation shows that this method achieves 95.83% accuracy and can accurately locate the positions of anomalous nodes.

Key words : advanced persistent threats(APT)；intrusion detection；machine learning；provenance graph