A Lightweight IDS for Early APT Detection Using a Novel Feature Selection Method
Bassam Noori Shaker, Bahaa Al-Musawi, Mohammed Falih Hassan

TL;DR
This paper introduces a lightweight, explainable intrusion detection system that uses a novel feature selection method with XGBoost and SHAP to detect early-stage APTs effectively, reducing features significantly while maintaining high accuracy.
Contribution
The paper presents a new feature selection approach combining XGBoost and SHAP for early APT detection, reducing features from 77 to 4 with high detection performance.
Findings
Reduced feature set from 77 to 4 features
Achieved 97% precision, 100% recall, 98% F1 score
Effective early-stage APT detection
Abstract
An Advanced Persistent Threat (APT) is a multistage, highly sophisticated, and covert form of cyber threat that gains unauthorized access to networks to either steal valuable data or disrupt the targeted network. These threats often remain undetected for extended periods, emphasizing the critical need for early detection in networks to mitigate potential APT consequences. In this work, we propose a feature selection method for developing a lightweight intrusion detection system capable of effectively identifying APTs at the initial compromise stage. Our approach leverages the XGBoost algorithm and Explainable Artificial Intelligence (XAI), specifically utilizing the SHAP (SHapley Additive exPlanations) method for identifying the most relevant features of the initial compromise stage. The results of our proposed method showed the ability to reduce the selected features of the…
Taxonomy
Topics: Software Engineering Research
Methods: Feature Selection
