APT attack detection algorithm based on spatio-temporal association analysis in industrial network

2020 
The advanced persistent threat (APT) is the foremost threat to industrial network security today, and traditional feature-detection-based industrial intrusion detection systems are often unable to detect the latest APT attacks. Existing research holds that theft of sensitive data is one of the important goals of APT attacks. In order to accurately identify the data-stealing behavior of an APT attack, a spatio-temporal association analysis is proposed to detect APT attacks in industrial networks; it consists of association rule mining, historical data retrieval and feature classification. Firstly, the FP-Growth algorithm is applied to the APT attack's temporal features, spatial features and category features to mine association rules. Then the relations between the APT attack's features are analyzed, and the rules are explained semantically in combination with those features, using a historical data retrieval method based on the Bloom filter algorithm. Finally, a multi-feature spatially weighted combined SVM classification detection algorithm is used to detect abnormal APT attack session flows. Experiments show that the proposed algorithm has a good ability to detect hidden APT attacks, that the multi-feature spatially weighted combined SVM classification detection algorithm has higher detection accuracy and a lower false alarm rate than traditional single-classifier detection, and that it is also safe for industrial control security. In addition, the proposed algorithm uses less space and can rapidly judge whether a data item is present in the current data set.
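The abstract's space and speed claim rests on the Bloom filter used for historical data retrieval: a fixed-size bit array that answers "have we seen this session before?" with no false negatives and a tunable false-positive rate. The following is an added illustration written for this page, not the paper's own code; the session key layout (source, destination, port, hourly time bucket), the `HISTORY` sample sessions and the capacity defaults are constructed assumptions, and the filter is sized with the standard `m = -n ln p / (ln 2)^2` and `k = (m/n) ln 2` formulas.

```python
import hashlib
import math


class BloomFilter:
    """Space-efficient probabilistic set: never says "absent" for a stored item,
    but may say "present" for an item that was never added (false positive)."""

    def __init__(self, expected_items: int, fp_rate: float = 0.001):
        # Standard sizing: bit count m and hash count k for n items at target rate p.
        self.m = max(1, math.ceil(-expected_items * math.log(fp_rate) / (math.log(2) ** 2)))
        self.k = max(1, round((self.m / expected_items) * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)
        self.count = 0

    def _positions(self, item: str):
        # Double hashing: k indices derived from two 64-bit halves of one SHA-256 digest.
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd step so every slot is reachable
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)
        self.count += 1

    def __contains__(self, item: str) -> bool:
        # All k bits set -> "probably present"; any bit clear -> "definitely absent".
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))

    def size_bytes(self) -> int:
        return len(self.bits)


def session_key(src: str, dst: str, dport: int, hour_bucket: str) -> str:
    """Spatio-temporal key (assumed layout): who talked to whom, on which port,
    in which hourly time bucket. The bucket keeps the temporal feature coarse
    enough that a repeat of the same flow pattern is recognised as 'seen'."""
    return f"{src}|{dst}|{dport}|{hour_bucket}"


# Constructed sample of historical industrial sessions (not data from the paper).
HISTORY = [
    ("10.0.1.5", "10.0.2.10", 502, "2020-03-01T08"),   # HMI -> PLC, Modbus
    ("10.0.1.5", "10.0.2.11", 502, "2020-03-01T08"),
    ("10.0.1.7", "10.0.2.10", 44818, "2020-03-01T09"),  # engineering station -> PLC
    ("10.0.1.9", "10.0.3.20", 445, "2020-03-01T09"),    # historian file share
    ("10.0.1.5", "10.0.2.10", 502, "2020-03-01T10"),
]


def build_history_filter(sessions, expected_items: int = 10_000, fp_rate: float = 0.001):
    """Index past sessions. Capacity is chosen for a day's worth of flows, so the
    filter's false-positive rate stays far below fp_rate while it is under-filled."""
    bf = BloomFilter(expected_items=max(expected_items, len(sessions)), fp_rate=fp_rate)
    for s in sessions:
        bf.add(session_key(*s))
    return bf


def first_seen(bf: BloomFilter, session) -> bool:
    """True when the session key has (almost certainly) never been observed.
    A False here is only 'probably seen': a candidate for the downstream classifier,
    never proof that the flow is benign."""
    return session_key(*session) not in bf


if __name__ == "__main__":
    bf = build_history_filter(HISTORY)
    repeat = ("10.0.1.5", "10.0.2.10", 502, "2020-03-01T08")
    novel = ("10.0.1.5", "203.0.113.9", 443, "2020-03-01T11")  # PLC-side host reaching out
    print(f"filter: {bf.size_bytes()} bytes, {bf.k} hashes, {bf.count} sessions")
    print("repeat session first seen?", first_seen(bf, repeat))
    print("novel session first seen?", first_seen(bf, novel))
```

The design point is the asymmetry: a "seen before" answer can be wrong with probability near `fp_rate`, so it should only suppress work (skip a flow that matches history), while an "unseen" answer is exact and is the safe trigger for escalation to the SVM stage. Sizing the filter for its expected capacity rather than its current fill keeps the false-positive rate honest as the history grows.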