APT Behavior Detection Based on Provenance Graph Community Detection
First published: 2024-01-23
Abstract: Advanced Persistent Threats (APT) are complex attacks carried out with sophisticated techniques, long dwell times and severe impact, so detecting their abnormal behavior promptly and blocking it is essential. This paper studies the community behavior of nodes in the different stages of an APT attack. The Louvain algorithm, a community detection algorithm that performs well in social networks and other domains, is improved so that it is suitable for community detection on APT attack provenance graphs; features are then extracted from the characteristics of APT attack behavior, a semi-supervised KNN algorithm is used to handle unlabeled data, and finally the RIPPER algorithm is used to detect APT abnormal behavior at the node level. Experimental results show that the proposed algorithm improves both the quality of provenance graph community partitioning and the accuracy of attack behavior detection compared with previous research in related fields.
Keywords: data security and computer security; APT attack detection; community detection
APT attacks detection based on provenance graph community discovery
Abstract: Advanced Persistent Threats (APT) are a kind of complex attack behavior with sophisticated means, long latency and great harm. Therefore, it is very important to detect and block the abnormal behavior in time. In this paper, we studied the community behavior of nodes in different stages of APT attacks. Based on the community discovery algorithm with excellent performance in social networks and other fields, the Louvain algorithm is improved to make it suitable for community discovery on the APT-attack provenance graph. Then, based on the characteristics of APT attack behavior, features are extracted and unlabeled data is processed by a semi-supervised KNN algorithm. Finally, the RIPPER algorithm is used to detect node-level APT abnormal behavior. The experimental results show that the algorithm proposed in this paper has improved the efficiency of community detection and the accuracy of attack behavior detection compared with previous studies in related fields.
Keywords: data security and computer security; Advanced Persistent Threats detection; community detection.