Article Preview
TopIntroduction
The accelerated advancement and pervasive implementation of information technology have precipitated a significant escalation in the gravity of the network security predicament. In 2015, the Ukrainian power system was subjected to a series of advanced persistent threat (APT) attacks. These attacks involved the use of malware to disrupt the grid's power supply through a cyber intrusion, resulting in power outages for hundreds of thousands of residents (Case et al., 2016). In 2020, the cybersecurity firm FireEye discovered that network management software vendor SolarWinds' software products had been implanted by attackers with a backdoor program that communicated with the attackers' servers. Furthermore, it was found that key SolarWinds customers had been successfully infiltrated by purchasing and installing the software products. Finally, after SolarWinds' troubleshooting, it was determined that at least 300,000 large governmental organizations around the world had been affected (Arquilla & Guzdial, 2021). APT attacks are, by their very nature, stealthy in nature, capable of remaining undetected for extended periods of time, and are utilized by stealthy threat actors for the purpose of exerting political or economic influence or monetary gain (Ghafir et al., 2018a or b). As a sophisticated and stealthy attack method, APT represents a significant threat to government agencies, enterprises, and individual users. APT attacks are typically orchestrated by high-level attackers and involve a multi-stage, long-term attack process aimed at obtaining critical data or disrupting system functionality. Conventional approaches to APT detection rely on feature matching and rule-based systems, which are frequently inadequate in the context of unknown attacks. Consequently, the effective detection of APT attacks has become a pressing issue in the domain of network security. At present, the principal challenge in the detection of APT attacks can be attributed to three principal factors:
- 1.
Concealment: APT attackers are capable of remaining undetected within a system for extended periods by employing a strategy of gradual infiltration and exploitation of legitimate user privileges. The employment of traditional signature-based detection methods presents a significant challenge in the recognition of this particular type of attack activity.
- 2.
Diversity of attack patterns: APT frequently employ a multitude of techniques and methodologies, including spear phishing, lateral movement, elevation of privilege, and others. The diversity and variability of these attacks make it challenging to develop effective detection methods that rely on fixed rules or features.
- 3.
Data sparsity and imbalance: APT attack behaviors are notably scarce in the vast quantity of typical traffic data, and the available attack data is frequently insufficient, resulting in a data imbalance issue when training supervised models.
To advance detection capabilities against APT attacks, machine learning (ML)-based network traffic analysis has gained prominence in recent research. By autonomously extracting discriminative features from traffic data, ML algorithms not only identify subtle attack behaviors but also circumvent the rigidity of rule-based methods. Nevertheless, the dynamic and polymorphic nature of APT campaigns imposes critical challenges on existing approaches, particularly in handling high-dimensional feature spaces and sustaining accuracy under large-scale, heterogeneous attack scenarios.
Computational approaches inspired by biology, such as artificial immune systems, have been the subject of considerable attention due to their robust anomaly detection capabilities and adaptive nature. The incorporation of immune mechanisms inspired by the biological immune system has yielded promising outcomes in a range of application areas, including network security, optimized computing, fault diagnosis, and software repair (Corus et al., 2020). It is therefore evident that the detection of APT attacks with the assistance of immune mechanisms represents a highly significant and viable avenue for future research.