CRAI, Aug 31, 2021

DeepTaskAPT: Insider APT detection using Task-tree based Deep Learning

arXiv:2108.13989v1
Originality: Incremental advance
AI Analysis

This work addresses cybersecurity challenges for network defense by improving detection of insider threats, though it appears incremental as it builds on existing deep learning methods with a novel task generation approach.

The paper tackles insider Advanced Persistent Threat (APT) detection by proposing DeepTaskAPT, a task-tree based deep learning method that uses an LSTM to identify anomalous behaviour from sequential task logs; it outperformed similar approaches such as DeepLog, with high accuracy and low false-positive rates on synthetic and real-world datasets.

APT, known as Advanced Persistent Threat, is a difficult challenge for cyber defence. These threats make many traditional defences ineffective, as the vulnerabilities exploited by these threats are insiders who have access to and are within the network. This paper proposes DeepTaskAPT, a heterogeneous task-tree based deep learning method to construct a baseline model based on sequences of tasks using a Long Short-Term Memory (LSTM) neural network that can be applied across different users to identify anomalous behaviour. Rather than applying the model to sequential log entries directly, as most current approaches do, DeepTaskAPT applies a process tree based task generation method to generate sequential log entries for the deep learning model. To assess the performance of DeepTaskAPT, we use a recently released synthetic dataset, the DARPA Operationally Transparent Computing (OpTC) dataset, and a real-world dataset, the Los Alamos National Laboratory (LANL) dataset. Both of them are composed of host-based data collected from sensors. Our results show that DeepTaskAPT outperforms similar approaches, e.g. DeepLog, and the DeepTaskAPT baseline model demonstrates its capability to detect malicious traces in various attack scenarios while having high accuracy and low false-positive rates. To the best of our knowledge, this is the very first attempt at using the recently introduced OpTC dataset for cyber threat detection.
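As an added illustration of the idea in the abstract (not code from the paper or its repository): host events are grouped into tasks by process tree rather than scored as one raw timeline, and a set of observed action transitions stands in for the paper's LSTM baseline model. The event fields, action names, grouping rule and sample traces are all assumptions constructed for this example.

```python
from collections import defaultdict

# Constructed host events (illustrative, not OpTC or LANL data):
# (timestamp, user, pid, ppid, action). Two of alice's processes run
# concurrently, so a raw timeline interleaves their events.
TRAIN_EVENTS = [
    (1, "alice", 100, 1, "PROCESS_START"),
    (2, "alice", 200, 1, "PROCESS_START"),
    (3, "alice", 101, 100, "PROCESS_START"),
    (4, "alice", 200, 1, "FILE_READ"),
    (5, "alice", 101, 100, "FILE_READ"),
    (6, "alice", 101, 100, "FILE_WRITE"),
    (7, "alice", 200, 1, "PROCESS_END"),
    (8, "alice", 101, 100, "PROCESS_END"),
    (9, "alice", 100, 1, "PROCESS_END"),
]
# Test trace: the child reads a file and then opens a network connection,
# an ordering the baseline never observed.
TEST_EVENTS = [
    (1, "alice", 300, 1, "PROCESS_START"),
    (2, "alice", 301, 300, "PROCESS_START"),
    (3, "alice", 301, 300, "FILE_READ"),
    (4, "alice", 301, 300, "NET_CONNECT"),
    (5, "alice", 301, 300, "PROCESS_END"),
    (6, "alice", 300, 1, "PROCESS_END"),
]

def build_tasks(events):
    """Group events into tasks keyed by (user, root pid): the time-ordered
    actions of a root process and all of its descendants."""
    parent = {pid: ppid for _, _, pid, ppid, _ in events}
    def root_of(pid):
        seen = set()
        # climb while the parent is itself a process in the trace
        while parent.get(pid) in parent and pid not in seen:
            seen.add(pid)
            pid = parent[pid]
        return pid
    tasks = defaultdict(list)
    for _, user, pid, _, action in sorted(events):
        tasks[(user, root_of(pid))].append(action)
    return dict(tasks)

def transitions(seq):
    return list(zip(["<start>"] + seq, seq + ["<end>"]))

def train_baseline(tasks):
    """Transitions seen in normal tasks (bigram stand-in for the LSTM)."""
    return {t for seq in tasks.values() for t in transitions(seq)}

def score_task(baseline, seq):
    """Return the transitions in seq that the baseline never observed."""
    return [t for t in transitions(seq) if t not in baseline]
```

Scoring the raw training timeline instead of its tasks would include a FILE_READ to FILE_READ transition that no single task contains, which is the kind of artefact the task grouping removes.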
