Advanced Persistent Threats (APTs) are prevalent in the field of cyber attacks, where attackers employ advanced techniques to control targets and exfiltrate data without being detected by the system. Existing APT detection methods heavily rely on expert rules or specific training scenarios, resulting in the lack of both generality and reliability. Therefore, this paper proposes a novel real-time APT attack anomaly detection system for large-scale provenance graphs, named RT-APT. Firstly, a provenance graph is constructed with kernel logs, and the WL subtree kernel algorithm is utilized to aggregate contextual information of nodes in the provenance graph. In this way we obtain vector representations. Secondly, the FlexSketch algorithm transforms the streaming provenance graph into a sequence of feature vectors. Finally, the K-means clustering algorithm is performed on benign feature vector sequences, where each cluster represents a different system state. Thus, we can identify abnormal behaviors during system execution. Therefore RT-APT enables to detect unknown attacks and extract long-term system behaviors. Experiments have been carried out to explore the optimal parameter settings under which RT-APT can perform best. In addition, we compare RT-APT and the state-of-the-art approaches on three datasets, Laboratory, StreamSpot and Unicorn. Results demonstrate that our proposed method outperforms the state-of-the-art approaches from the perspective of runtime performance, memory overhead and CPU usage.

中文翻译：

---

RT-APT：一种用于大规模来源图的实时 APT 异常检测方法


高级持续性威胁 （APT） 在网络攻击领域很普遍，攻击者采用先进的技术来控制目标并泄露数据，而不会被系统检测到。现有的 APT 检测方法严重依赖专家规则或特定的训练场景，导致缺乏通用性和可靠性。因此，本文提出了一种新颖的大规模溯源图实时 APT 攻击异常检测系统，命名为 RT-APT。首先，用核日志构建出处图，利用WL子树核算法聚合出处图中节点的上下文信息;通过这种方式，我们获得了向量表示。其次，FlexSketch 算法将流式来源图转换为特征向量序列。最后，对良性特征向量序列执行 K-means 聚类算法，其中每个聚类代表不同的系统状态。因此，我们可以识别系统执行过程中的异常行为。因此，RT-APT 能够检测未知攻击并提取长期系统行为。已经进行了实验以探索 RT-APT 可以发挥最佳性能的最佳参数设置。此外，我们还在 Laboratory、StreamSpot 和 Unicorn 三个数据集上比较了 RT-APT 和最先进的方法。结果表明，从运行时性能、内存开销和 CPU 使用率的角度来看，我们提出的方法优于最先进的方法。