APT attack threat-hunting network model based on hypergraph Transformer
To solve the problem that advanced persistent threat (APT) in the Internet of things (IoT) environment had the characteristics of strong concealment, long duration, and fast update iterations, it was difficult for traditional passive detection models to quickly search, a hypergraph Transformer threa...
Saved in:
| Main Authors: | , |
|---|---|
| Format: | Article |
| Language: | zho |
| Published: |
Editorial Department of Journal on Communications
2024-02-01
|
| Series: | Tongxin xuebao |
| Subjects: | |
| Online Access: | http://www.joconline.com.cn/zh/article/doi/10.11959/j.issn.1000-436x.2024043/ |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| _version_ | 1841540077716504576 |
|---|---|
| author | Yuancheng LI Yukun LIN |
| author_facet | Yuancheng LI Yukun LIN |
| author_sort | Yuancheng LI |
| collection | DOAJ |
| description | To solve the problem that advanced persistent threat (APT) in the Internet of things (IoT) environment had the characteristics of strong concealment, long duration, and fast update iterations, it was difficult for traditional passive detection models to quickly search, a hypergraph Transformer threat-hunting network (HTTN) was proposed.The HTTN model had the function of quickly locating and discovering APT attack traces in IoT systems with long time spans and complicated information concealment.The input cyber threat intelligence (CTI) log graph and IoT system kernel audit log graph were encoded into hypergraphs by the model, and the global information and node features of the log graph were calculated through the hypergraph neural network (HGNN) layer, and then they were extracted for hyperedge position features by the Transformer encoder, and finally the similarity score was calculated by the hyperedge, thus the threat-hunting of APT was realized in the network environment of the Internet of things system.It is shown by the experimental results in the simulation environment of the Internet of things that the mean square error is reduced by about 20% compared to mainstream graph matching neural networks, the Spearman level correlation coefficient is improved by about 0.8%, and improved precision@10 is improved by about 1.2% by the proposed HTTN model. |
| format | Article |
| id | doaj-art-db559e82381b46d2aeb268a083a9e8bd |
| institution | Kabale University |
| issn | 1000-436X |
| language | zho |
| publishDate | 2024-02-01 |
| publisher | Editorial Department of Journal on Communications |
| record_format | Article |
| series | Tongxin xuebao |
| spelling | doaj-art-db559e82381b46d2aeb268a083a9e8bd2025-01-14T06:22:05ZzhoEditorial Department of Journal on CommunicationsTongxin xuebao1000-436X2024-02-014510611459383205APT attack threat-hunting network model based on hypergraph TransformerYuancheng LIYukun LINTo solve the problem that advanced persistent threat (APT) in the Internet of things (IoT) environment had the characteristics of strong concealment, long duration, and fast update iterations, it was difficult for traditional passive detection models to quickly search, a hypergraph Transformer threat-hunting network (HTTN) was proposed.The HTTN model had the function of quickly locating and discovering APT attack traces in IoT systems with long time spans and complicated information concealment.The input cyber threat intelligence (CTI) log graph and IoT system kernel audit log graph were encoded into hypergraphs by the model, and the global information and node features of the log graph were calculated through the hypergraph neural network (HGNN) layer, and then they were extracted for hyperedge position features by the Transformer encoder, and finally the similarity score was calculated by the hyperedge, thus the threat-hunting of APT was realized in the network environment of the Internet of things system.It is shown by the experimental results in the simulation environment of the Internet of things that the mean square error is reduced by about 20% compared to mainstream graph matching neural networks, the Spearman level correlation coefficient is improved by about 0.8%, and improved precision@10 is improved by about 1.2% by the proposed HTTN model.http://www.joconline.com.cn/zh/article/doi/10.11959/j.issn.1000-436x.2024043/advanced persistent threatthreat-huntinggraph matchinghypergraph |
| spellingShingle | Yuancheng LI Yukun LIN APT attack threat-hunting network model based on hypergraph Transformer Tongxin xuebao advanced persistent threat threat-hunting graph matching hypergraph |
| title | APT attack threat-hunting network model based on hypergraph Transformer |
| title_full | APT attack threat-hunting network model based on hypergraph Transformer |
| title_fullStr | APT attack threat-hunting network model based on hypergraph Transformer |
| title_full_unstemmed | APT attack threat-hunting network model based on hypergraph Transformer |
| title_short | APT attack threat-hunting network model based on hypergraph Transformer |
| title_sort | apt attack threat hunting network model based on hypergraph transformer |
| topic | advanced persistent threat threat-hunting graph matching hypergraph |
| url | http://www.joconline.com.cn/zh/article/doi/10.11959/j.issn.1000-436x.2024043/ |
| work_keys_str_mv | AT yuanchengli aptattackthreathuntingnetworkmodelbasedonhypergraphtransformer AT yukunlin aptattackthreathuntingnetworkmodelbasedonhypergraphtransformer |