Early detection of the advanced persistent threat attack using performance analysis of deep learning
Javad Hassannataj Joloudari, Mojtaba Haderbadi, Amir Mashmool, Mohammad GhasemiGol, Shahab S., Amir Mosavi

TL;DR
This paper evaluates deep learning and machine learning models for early detection of APT attacks using network traffic analysis, demonstrating that deep neural networks outperform other classifiers in accuracy and false positive rate.
Contribution
It introduces a deep neural network approach with multi-layered feature extraction for more effective APT attack detection on network traffic data.
Findings
Deep neural network achieved 98.85% accuracy.
Deep learning had the lowest false positive rate at 1.13%.
Comparison of the models showed that deep learning outperforms both the decision tree and the Bayesian network.
Abstract
One of the most common and damaging attacks on a victim system is the Advanced Persistent Threat (APT) attack. An APT attacker pursues hostile goals by collecting information about a network's infrastructure and deriving financial benefit from it. One way to detect a covert APT attack is to analyse network traffic. Because an APT attacker remains on the network for a long time, and because the network may be overwhelmed by high traffic volumes, this type of attack is difficult to detect. Hence, in this study, machine learning methods, namely the C5.0 decision tree, the Bayesian network and a deep neural network, are used for timely detection and classification of APT attacks on the NSL-KDD dataset. Moreover, 10-fold cross-validation is used to evaluate these models. As a result, the accuracy (ACC) of the C5.0 decision tree, Bayesian network…
