LogShield: A New Framework That Detects The APT Attack Patterns

There have been several cases of GPT model-based detection for various attacks from system logs.
已经有几例基于 GPT 模型的检测来自系统日志的各种攻击。

However, there has been no dedicated framework for detecting APTs as they use a low and slow approach to compromise the systems.
但是，还没有专门的框架来检测 APT，因为它们使用低速和慢速的方法来破坏系统。

Security researchers have recently unveiled a cutting-edge framework known as LogShield. This innovative tool leverages the self-attention capabilities of transformers to identify attack patterns associated with Advanced Persistent Threats (APTs).
安全研究人员最近推出了一个名为 LogShield 的尖端框架。这一创新工具利用转换器的自注意力功能来识别与高级持续性威胁 （APT） 相关的攻击模式。

By analyzing network logs, LogShield can detect subtle indicators of APTs that may have otherwise gone unnoticed, providing a powerful defense against these sophisticated attacks.
通过分析网络日志，LogShield 可以检测出可能被忽视的 APT 的细微指标，从而为这些复杂的攻击提供强大的防御。

According to the researchers, the efficiency of this framework has been reported to be 95% and 98%.
据研究人员称，据报道，该框架的效率分别为 95% 和 98%。

LogShield 日志盾

The main purpose of using language models for detecting malicious events is because they have been designed to process large sequences of words or log data, which is useful when processing records of events on a cyber attack.
使用语言模型检测恶意事件的主要目的是因为它们被设计用于处理大量单词或日志数据，这在处理网络攻击事件记录时非常有用。

Additionally, the self-attention mechanism of GPT models can assign different weights to different events based on their relativity to the APTs and can be adjusted concerning the event’s importance.
此外，GPT 模型的自注意力机制可以根据不同事件对 APT 的相对性为不同事件分配不同的权重，并可以根据事件的重要性进行调整。

Machine learning techniques have been used to detect attack patterns instead of rule-based or signature-based attack detection methods, which have relatively low performance when detecting Zero-Day APTs.
机器学习技术已被用于检测攻击模式，而不是基于规则或基于签名的攻击检测方法，后者在检测零日APT时性能相对较低。

Moreover, several deep learning-based methods have been explored to detect APT attacks.
此外，还探索了几种基于深度学习的方法来检测 APT 攻击。

Limitations Of LogShield LogShield 的局限性

Though LogShield has superior performance, there is a limitation to this framework. As it has high performance, it also comes with an increased memory consumption and longer computational time. As part of the research, LogShield and LSTM models have been used. 
尽管 LogShield 具有卓越的性能，但此框架存在局限性。由于它具有高性能，它还增加了内存消耗和更长的计算时间。作为研究的一部分，使用了 LogShield 和 LSTM 模型。

However, after many experiments, efficiency was achieved with a 98% F1-score in APT detection.
然而，经过多次实验，APT 检测的 F1 分数达到 98%。

A report about LogShield has been published, providing detailed information about the training models using their statistical data and other information.
关于 LogShield 的报告已经发布，其中提供了有关使用其统计数据和其他信息的训练模型的详细信息。

原文始发于Eswar：LogShield: A New Framework That Detects The APT Attack Patterns