A Study on the Importance of Features in Detecting Advanced Persistent Threats Using Machine Learning
Ehsan Hallaji, Roozbeh Razavi-Far, Mehrdad Saif

TL;DR
This paper analyzes the importance of different network traffic features in detecting Advanced Persistent Threats using machine learning, aiming to improve detection accuracy and robustness.
Contribution
It systematically evaluates feature importance across multiple APT cases with various classifiers and feature selection methods, providing practical insights for enhancing APT detection.
Findings
Certain features significantly improve detection accuracy
Feature selection techniques enhance model generalization
Insights aid in designing better APT detection systems
Abstract
Advanced Persistent Threats (APTs) pose a significant security risk to organizations and industries. These attacks often lead to severe data breaches and compromise the system for a long time. Mitigating these sophisticated attacks is highly challenging due to the stealthy and persistent nature of APTs. Machine learning models are often employed to tackle this challenge by bringing automation and scalability to APT detection. Nevertheless, these intelligent methods are data-driven, and thus, highly affected by the quality and relevance of input data. This paper aims to analyze measurements considered when recording network traffic and conclude which features contribute more to detecting APT samples. To do this, we study the features associated with various APT cases and determine their importance using a machine learning framework. To ensure the generalization of our findings, several…
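The abstract describes ranking recorded network-traffic features by how much they contribute to separating APT samples from benign ones. The block below is an added, stand-alone illustration of that workflow and is not the authors' code or dataset: it builds a small constructed set of flow records (long-lived, low-volume, regularly beaconing "APT-like" flows against short, bulky, irregular benign flows, plus one deliberately uninformative `noise` column), then scores each feature two ways, with a univariate filter (mutual information on quantile bins) and a model-based wrapper (permutation importance measured on a nearest-centroid classifier). The feature names, value ranges and the classifier are assumptions chosen for the example, not measurements from the paper.

```python
"""Rank network-flow features for APT detection with two complementary
importance measures: a univariate filter (mutual information on quantile
bins) and a model-based wrapper (permutation importance on a nearest-centroid
classifier). Standard library only, so it runs offline. Example code, not
the paper's framework; feature names and ranges are assumptions."""
import math
import random
from statistics import mean, pstdev

FEATURES = ["flow_duration_s", "bytes_out", "beacon_jitter", "noise"]


def make_flows(n_per_class=200, seed=7):
    """Constructed, labelled flow records (not a real capture).
    Label 1 = APT-like: long-lived, low-volume, very regular beaconing.
    Label 0 = benign: short, bulkier, irregular timing.
    'noise' is uninformative and shows what zero importance looks like."""
    rng = random.Random(seed)
    rows, labels = [], []
    for _ in range(n_per_class):
        rows.append([rng.uniform(0.1, 60), rng.uniform(500, 50_000),
                     rng.uniform(0.3, 1.0), rng.uniform(0, 1)])
        labels.append(0)
        rows.append([rng.uniform(3_000, 86_400), rng.uniform(100, 2_000),
                     rng.uniform(0.0, 0.05), rng.uniform(0, 1)])
        labels.append(1)
    return rows, labels


def entropy(counts):
    total = sum(counts)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def quantile_bins(values, k=4):
    """Map each value to its quantile bin index 0..k-1."""
    ordered = sorted(values)
    cuts = [ordered[int(len(ordered) * i / k)] for i in range(1, k)]
    return [sum(v >= c for c in cuts) for v in values]


def mutual_information(column, labels, k=4):
    """I(X;Y) in bits between a quantile-binned feature and the class label."""
    xb = quantile_bins(column, k)
    joint = {}
    for x, y in zip(xb, labels):
        joint[(x, y)] = joint.get((x, y), 0) + 1
    hx = entropy([xb.count(i) for i in range(k)])
    hy = entropy([labels.count(0), labels.count(1)])
    return hx + hy - entropy(list(joint.values()))


def filter_scores(rows, labels):
    """Filter method: score every feature independently of any model."""
    return {f: mutual_information([r[i] for r in rows], labels)
            for i, f in enumerate(FEATURES)}


def rank(scores):
    """Feature names ordered from most to least important."""
    return sorted(scores, key=scores.get, reverse=True)


def zscore(rows):
    cols = list(zip(*rows))
    mu = [mean(c) for c in cols]
    sd = [pstdev(c) or 1.0 for c in cols]
    return [[(v - m) / s for v, m, s in zip(r, mu, sd)] for r in rows]


class NearestCentroid:
    """Minimal classifier: predict the class whose centroid is closest."""
    def fit(self, rows, labels):
        self.centroids = {}
        for y in set(labels):
            members = [r for r, l in zip(rows, labels) if l == y]
            self.centroids[y] = [mean(c) for c in zip(*members)]
        return self

    def predict(self, rows):
        def dist(r, y):
            return sum((a - b) ** 2 for a, b in zip(r, self.centroids[y]))
        return [min(self.centroids, key=lambda y: dist(r, y)) for r in rows]


def accuracy(pred, labels):
    return sum(p == y for p, y in zip(pred, labels)) / len(labels)


def permutation_importance(rows, labels, seed=1):
    """Wrapper method: accuracy drop when one feature column is shuffled,
    which breaks that feature's link to the label while keeping its marginal."""
    rng = random.Random(seed)
    z = zscore(rows)
    model = NearestCentroid().fit(z, labels)
    base = accuracy(model.predict(z), labels)
    drops = {}
    for i, f in enumerate(FEATURES):
        col = [r[i] for r in z]
        rng.shuffle(col)
        shuffled = [r[:i] + [v] + r[i + 1:] for r, v in zip(z, col)]
        drops[f] = base - accuracy(model.predict(shuffled), labels)
    return base, drops


if __name__ == "__main__":
    rows, labels = make_flows()
    mi = filter_scores(rows, labels)
    base, drops = permutation_importance(rows, labels)
    print(f"baseline accuracy: {base:.3f}")
    for f in rank(mi):
        print(f"{f:16s} MI={mi[f]:.3f} bits   permutation drop={drops[f]:.3f}")
```

Reading the two columns together is the practical point: the filter score says how much a feature tells you about the label on its own, while the permutation drop says how much this particular model relies on it. When two features carry the same signal (here, duration and beaconing jitter both separate the classes), the model can fall back on one when the other is scrambled, so each shows a smaller permutation drop than its mutual information would suggest. Only the uninformative column should score near zero under both measures.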
Taxonomy
Topics: Technology and Data Analysis
Methods: Feature Selection
