Hack Me If You Can: Aggregating AutoEncoders for Countering Persistent Access Threats Within Highly Imbalanced Data
Sidahmed Benabderrahmane, Ngoc Hoang, Petko Valtchev, James Cheney, Talal Rahwan

TL;DR
This paper introduces AE-APT, a deep learning-based AutoEncoder ensemble designed to detect highly imbalanced Advanced Persistent Threats across multiple operating systems, outperforming existing methods in detection accuracy.
Contribution
The paper presents a novel AutoEncoder-based framework, including Transformer variants, for effective APT detection in highly imbalanced cybersecurity datasets.
Findings
AE-APT achieves higher detection rates than competitors.
The method is effective across multiple OS and attack scenarios.
Detection of rare APT-like attacks at 0.004% data prevalence.
Abstract
Advanced Persistent Threats (APTs) are sophisticated, targeted cyberattacks designed to gain unauthorized access to systems and remain undetected for extended periods. To evade detection, APT cyberattacks deceive defense layers with breaches and exploits, thereby complicating exposure by traditional anomaly detection-based security methods. The challenge of detecting APTs with machine learning is compounded by the rarity of relevant datasets and the significant imbalance in the data, which makes the detection process highly burdensome. We present AE-APT, a deep learning-based tool for APT detection that features a family of AutoEncoder methods ranging from a basic one to a Transformer-based one. We evaluated our tool on a suite of provenance trace databases produced by the DARPA Transparent Computing program, where APT-like attacks constitute as little as 0.004% of the data. The…
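The abstract describes the mechanism (an autoencoder trained on benign behaviour, with reconstruction error as the anomaly score) and the operating point (attacks at 0.004% of the data). The block below is an added illustration, not the paper's AE-APT code: a tied-weight linear autoencoder with a one-dimensional bottleneck, trained by online gradient descent on the reconstruction loss (Oja's rule), fitted on benign-only vectors and scored on a constructed stream of 75,000 samples containing three APT-like vectors. The feature layout (four scaled per-process activity counts), the benign profile, the three attack patterns and the two threshold rules are all assumptions made for the example.

```python
"""
Added example (not the paper's code): a tied-weight linear autoencoder with a
one-dimensional bottleneck, trained on benign-only behaviour vectors and used
to flag rare APT-like samples by reconstruction error at 0.004% prevalence.
"""
import random

# Constructed feature layout: per-process activity counts already scaled to
# [0, 1], in the order (file_reads, file_writes, net_conns, child_procs).
BENIGN_PROFILE = (1.0, 0.5, 0.3, 0.1)   # assumed shape of normal activity
NOISE_STD = 0.01

# Constructed APT-like patterns that break the benign correlation structure.
APT_LIKE = {
    "lateral_movement": (0.20, 0.10, 0.90, 0.80),  # many connections + spawns
    "beaconing":        (0.05, 0.02, 0.70, 0.05),  # network only, no file I/O
    "staging":          (0.10, 0.90, 0.05, 0.02),  # heavy writes, no reads
}


def benign_sample(rng):
    """One benign vector: a random activity level stretched along the profile."""
    level = rng.uniform(0.1, 1.0)
    return [level * c + rng.gauss(0.0, NOISE_STD) for c in BENIGN_PROFILE]


def _dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def _normalize(w):
    n = _dot(w, w) ** 0.5
    return [c / n for c in w]


def train_autoencoder(samples, epochs=50, lr=0.05, seed=0):
    """Fit the shared encoder/decoder vector w by online gradient descent on
    ||x - (w.x) w||^2, keeping w unit-norm after each step (Oja's rule)."""
    rng = random.Random(seed)
    w = _normalize([rng.gauss(0.0, 1.0) for _ in samples[0]])
    for _ in range(epochs):
        for x in samples:
            y = _dot(w, x)  # encoder: the 1-D code
            # at unit norm the loss gradient is -2*y*(x - y*w); step against it
            w = _normalize([wi + lr * y * (xi - y * wi) for wi, xi in zip(w, x)])
    return w


def reconstruction_error(w, x):
    """Squared error between x and its decoded code (w.x) w."""
    y = _dot(w, x)
    return sum((xi - y * wi) ** 2 for wi, xi in zip(w, x))


def quantile(values, q):
    s = sorted(values)
    return s[int(q * (len(s) - 1))]


def evaluate(w, stream, threshold):
    """Confusion counts and rates over (vector, label) pairs; label 1 = APT-like."""
    tp = fp = fn = tn = 0
    for x, label in stream:
        alarm = reconstruction_error(w, x) > threshold
        if label:
            tp, fn = (tp + 1, fn) if alarm else (tp, fn + 1)
        else:
            fp, tn = (fp + 1, tn) if alarm else (fp, tn + 1)
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "recall": tp / (tp + fn),
            "precision": tp / (tp + fp) if tp + fp else 0.0,
            "fpr": fp / (fp + tn)}


def run_demo(seed=7):
    rng = random.Random(seed)
    train = [benign_sample(rng) for _ in range(400)]   # benign-only fit
    val = [benign_sample(rng) for _ in range(5000)]    # benign-only calibration
    w = train_autoencoder(train, seed=seed)
    val_err = [reconstruction_error(w, x) for x in val]
    # Constructed test stream: 74,997 benign + 3 APT-like = 0.004% prevalence,
    # the proportion quoted for the DARPA Transparent Computing traces.
    stream = [(benign_sample(rng), 0) for _ in range(74_997)]
    stream += [(list(v), 1) for v in APT_LIKE.values()]
    rng.shuffle(stream)
    loose = quantile(val_err, 0.99)    # "top 1% of benign error" threshold
    strict = 3.0 * max(val_err)        # margin above the worst calibration error
    return {"prevalence": 3 / len(stream),
            "loose": evaluate(w, stream, loose),
            "strict": evaluate(w, stream, strict)}


if __name__ == "__main__":
    res = run_demo()
    for name in ("loose", "strict"):
        m = res[name]
        print(f"{name:6s} recall={m['recall']:.2f} fp={m['fp']:5d} "
              f"precision={m['precision']:.4f} fpr={m['fpr']:.4f}")
```

The point the two thresholds make is the one the abstract's 0.004% figure implies: the attack vectors reconstruct orders of magnitude worse than benign ones, so recall is 1.0 at either threshold, but a threshold that passes 1% of benign traffic still produces hundreds of false alarms for every true detection at this prevalence, which is why the detection rate alone says little about a detector's usefulness on such data.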
Taxonomy
Topics: Internet Traffic Analysis and Secure E-voting · Network Security and Intrusion Detection · Access Control and Trust
