a) Proposed content in the paper.

To resolve the above problems, in this study we propose a novel approach that combines FIE and RL. In which the FIE technique uses a combination of two main models, BiLSTM and Attention. And RL is a combination of 2 methods: Dropout for rebalancing data and contrastive learning for classification. Accordingly, two main tasks in the proposed FIERL model are:

Optimized extraction of abnormal behaviors of APT IPs based on FIE.

This process is conducted in 2 main phases:

• Phase 1: Aggregating and extracting information of IP in network traffic using the BiLSTM network.
• Phase 2: Evaluating and highlighting important information about IP features based on the Attention network.

Improving the efficiency of APT IP classification using RL.

The two main stages proposed in this task include:

• Phase 3: Data generation by using the Dropout method: Based on the vector obtained in phase 2, we proceed to generate additional data containing the features of APT attack to balance the number of labels in the experimental dataset by the Dropout method.
• Phase 4: APT IP classification by using contrastive learning: The Contrastive learning method has the function to find the feature vectors of APT attacks that have similarities and contrasts in the dataset. Then, pairs of similar data can be "pulled" together to learn higher-level features of each other, and conversely, contrasting pairs of data can be "pushed" away. With this approach, we will optimize the APT IP classification process.

b) The scientific basis of the proposed method.

Based on the analysis in section 1.1 and the contents described in the operation process of the FIERL model, we believe that this study will solve the 2 major disadvantages listed above as follows:

i) About the problem "The abnormal behaviors of APT attacks haven’t been built and synthesized yet": In this paper, instead of using only individual deep learning models or traditional deep learning networks, we propose an APT IP aggregation and extraction method using the FIE model. With the flexible combination of BiLSTM and Attention networks in the FIERL model, we inherit and promote the advantages of each network for synthesizing and extracting important and meaningful information of APT IP based on network flow in network traffic. Specifically, we take advantage of the strength of BiLSTM, which is the ability to learn and memorize in two dimensions, to extract long‐distance features. Then, the Attention network with other components helps to highlight important and meaningful information, instead of just extracting by averaging like traditional approaches. With the support of these two advantages, the proposed FIERL model will surely build successfully and fully the behavioral profile of each APT IP in Network Traffic, thereby helping surveillance systems to identify new campaigns of APT attacks.

ii) About the problem "APT attack detection in imbalanced datasets": Obviously, with the use of advanced techniques such as data generation and contrastive learning, the FIERL model will certainly be better than other models in the ability to classify APT IP. Specifically, with the support of the Dropout network, the APT attack feature vectors will be additionally generated to balance the experimental dataset. Thus, our approach is different from traditional methods. Instead of just using balanced datasets on the number of normal IPs and APT IPs, we build unbalanced datasets and then use new techniques to reconstruct the structure of the dataset to generate a new dataset. Our approach is perfectly suited to the actual task of surveillance systems because the number of APT IPs is many times smaller than the number of normal IPs in the IP set collected by systems in practice. Next, the proposal to use contrastive learning will be a big step forward for abnormal behavior classification problems. The training process of this technique has many differences and optimizations compared to traditional deep learning and machine learning techniques. Contrastive learning is being considered as the trend of recognition and classification problems. Therefore, the combination of Dropout and contrastive learning techniques will help the surveillance system not only accurately recognize APT IPs, but also reduce the rate of false predictions of normal IPs.

3.2.1. Data preprocessing.

The CICFlowMeter tool [4,42] is suggested to extract flow networks in network traffic. It can analyze network traffic into flow networks and statistical features of flow networks. Specifically, CICFlowMeter analyzes each flow into 75 features. Based on the flows and 75 features as above, flows belonging to an IP are stacked into frames of size 100x75, where 100 is the number of flows in the frame and 75 is the number of features of each flow. However, the number of flows corresponding to each IP is different, so two special cases can happen: i) The number of flows exceeds 100: In this case, the flows are still stacked as k frames of size 100x75. Then the representative vector of the frame is the mean of these k frames; ii) The number of flows is less than 100: With IPs containing k flows (k < 100), (100 - k) zero vectors are padded so that the frame has a fixed size of 100x75.

3.2.2. Aggregating and extracting flow features using BiLSTM.

a) Introduction to the BiLSTM network

To extract flow features in the network traffic, the study [25] presented some combined deep learning network models such as CNN-LSTM, CNN-MLP, etc. However, in that study, the authors also explained some of the difficulties encountered by these networks in extracting features. However, when comparing and evaluating the effectiveness of these combined deep learning models with individual deep learning networks, the results show that the combined networks are much more effective than individual ones. From that, it can be seen that the idea of using combined deep learning networks to extract flow network features in network traffic is correct and reasonable. In this study, instead of using cumbersome combined deep learning networks, we propose to use the BiLSTM network for feature extraction. We take advantage of this network’s outstanding advantage, which is the ability to remember long distances and 2 dimensions, for attribute extraction. Accordingly, studies [43,44] introduced the BiLSTM model consisting of 2 parts: forward LSTM and backward LSTM. This allows the model to not only inherit the long-distance memory capacity of LSTM but also can remember 2-dimensional information. The two layers of LSTM generate two hidden states respectively, from forward LSTM and from backward LSTM. In which, integrates the forward information integrates the backward information. Determining the final state h_i by concatenating 2 states using Formula (1) below: (1)

Where:

• h_i is the state at state i (contains information from both directions)
• || is a join operation

The study uses a BiLSTM model with 2 hidden layers for the purpose of extracting and synthesizing features of the frames built in the previous step.

b) Flow feature extraction using BiLSTM

Accordingly, after flow networks are processed into frames as in section 3.2.1, these frames are put into BiLSTM networks to extract and combine features of adjacent flows (see Fig 1). Next, the result of this process is a vector containing the salient features of the frames. This context vector represents the outstanding features corresponding to each original frame.

3.2.3. Selecting and extracting IP features using attention.

a) Introduction to the Attention network

To extract and highlight important information about IP based on a flow network, the study [24] proposed to use of an Inference network. The inference network is a relatively widely used network in the natural language processing field. However, we found that using an Inference network for flow network-based IP feature extraction has many disadvantages. Specifically, it is difficult to calculate and represent the relationship between frames in general and flow networks in particular based on Inference networks because flow networks operate independently and have very little information related to each other. To resolve the issues of the Inference network in the study [24], in this paper we will use the Attention network. Attention is one model of great concern in the field of deep learning [32]. It is first introduced by Dzmitry Bahdanau et al. [45] for the problem of machine translation. Jiachen [46] proposed applying Attention to the text classification task. Besides, Colin Raffel [47] proposed the Attention model to resolve the problem with strings of medium and large lengths.

In this paper, we use the Attention network to highlight important features and information of IP through the flow network [32]. The use of the Attention network helps the research model to automatically learn and determine which frames are important and contribute more to the context vector of each IP. The Attention vector that carries the score information of the context vectors is calculated as follows (2): (2)

Where:

• Q, K, V are the weight matrices that need training model,
• coefficient d^k is the number of dimensions of the vector K.

b) Extracting IP features using the Attention network

At this phase, feature vectors of frames are passed through the Attention network to find and make stand out important features, rather than averaging like other classification methods. In particular, this process is as follows: First, after the BiLSTM model handles frame networks, all network’s hidden states are retained by flexibly combining processing blocks including Q, K, V, etc. Thus, the Attention network helps to create an output vector where the IP features are aggregated and made stand out by handling and evaluating the frame network. Obviously, there is a large difference between the output data of the BiLSTM model and that of the Attention network. Specifically, in the output vector of BiLSTM, features near the end are extracted and stored more than those at the front. In the output vector of Attention, the important features can appear anywhere because this vector contains features collected based on the entire data. From here it can be seen that with the support of the Attention network, the important features of IP based on the flow network are extracted and highlighted.

3.3.1. Rebalancing data.

After obtaining the Attention vectors from the Flow Feature Extraction block, we noticed that there is a significant difference between the number of normal IPs and the number of APT IPs in the dataset. Specifically, the number of normal IPs is about 16 times more than the number of APT IPs. Therefore, if this problem is ignored, it will greatly affect the training process of the model because it learns too much information about normal IP as well as blurs the information of APT IP. To solve the data imbalance in the training process, we propose to use the Rebalancing data method after the Attention network. To achieve this requirement, recent studies and approaches used the synthetic minority over-sampling technique (SMOTE) to balance the number of samples in each different class (remove in the majority class and generate more neighboring vectors in the minority class). This traditional approach has many advantages and has been applied in many papers in different fields. In this paper, we propose to use the Dropout technique to generate data. The descriptions in a) and b) below shows the advantages of Dropout over Smote.

a) Introduction to the SMOTE model

SMOTE is a sampling method to increase the sample size of the minority group in case of sample imbalance, proposed by Chawla in 2002 [48]. To generate new samples, this algorithm computes random linear interpolation between several samples and their neighboring ones. After a certain number of artificial minority samples are generated, the data imbalance rate will increase, and the categorical completeness of the unbalanced dataset is improved. It works by varying the frequencies of different layers in the data. Specifically, SMOTE randomly deletes some examples to subsample the majority class and generates composite examples to subsample the minority class until all classes have the same frequency. Specifically, SMOTE subsamples the majority class (i.e. randomly deletes some examples) while supersampling the minority class (by generating composite examples) until all classes have the same frequency. In the case of APT attack prediction, the minority class is an APT malware sample. SMOTE is effective in domains with unbalanced datasets. The execution procedure of the SMOTE algorithm is as follows [48]:

• For each minority set x_i (i = 1, 2, …, n), calculate its distance to other samples in the minority sample according to certain rules to obtain k nearest neighbor samples of it.
• According to the over-sampled gain, m nearest neighbor random samples will be as a subset of k nearest neighbor samples, of each set of x_i chosen and denoted by x_ij (j = 1, 2, …, m), then a built-up minority sample pij calculated using the following equation:

(3)

Where, rand(0,1) is a uniformly distributed random number in the interval [0,1]. The operation cycle of the algorithm will stop until the data merge reaches a certain imbalance ratio.

Comment: From the process and operation of Smote, it can be seen that this is a method of generating neighbor data based on the distance of samples with the same label in space. This approach has difficulties in applying to the APT attack datasets because the characteristics of APT attacks are much different from normal behaviors. Therefore, theoretically, we think that the Smote technique is effective for the APT attack detection model. However, it is not the best technique for creating APT attack detection models.

b) Proposal to use Dropout technique

To overcome the disadvantages of SMOTE in this paper, we propose to use Dropout. Dropout was first launched in 2014 [49] and is commonly used as a method to solve the problem of overfit learning during training by randomly disabling some connections from the previous layer (output is 0). The study [50] presented some concepts and definitions of Dropout. The research [51] used Dropout on a representation vector x = (x₁, x₂,…x_d), each component x_k (k = 1,2,…d) becomes:

Where: a_k~P is a random variable with the Bernoulli distribution:

Based on this idea, the study puts the Attention vector through the dropout function n times to create additionally n more samples have the same class with the same features and information as the initial context vector x_k. With this approach, the generated sample vectors still have neighboring properties with original feature vectors even though they are not generated by spatial distance. Detailed representations of the contribution of the Dropout method are described later in the study.

3.3.2. Representation learning method.

The trend of using Representation learning for classification problems is being applied a lot nowadays. In the study [52], the Representation learning method was used for the task of classifying source code vulnerabilities. Specifically, in their research, the authors proposed the Triplet Loss technique to optimize the source code vulnerability classification process. In this paper, we propose a new Representation learning method based on the Contrastive learning technique. Next, we will go into a detailed description of the technical characteristics of these two methods.

a) Introduction to Triplet Loss

Triplet Loss was first introduced at [53] in 2015 and is one of the most prevalent loss functions. Triplet Loss encourages that different pairs be at least a certain distance away from any similar pair. The loss value is calculated by the following formula: (4)

Where:

• p: is the sample with the same label as a
• n: is the sample with the different label as a
• d: is the distance function
• m: is the margin value to set negative samples apart

b) Proposal to use Contrastive learning

Contrastive learning has been applied to many problems both in Computer Vision [54] and NLP [55], showing remarkable efficiency, beating many SOTA models. The main idea of Contrastive learning is to find pairs of similar and contrasting data features in a dataset. From there, pairs of similar data can be "pulled" together to learn higher-level features of each other, and pairs of contrasting data can be "pushed" away. To do this, we use similarity metrics to calculate the distance between the embedding vectors representing the data points. For example, we already have an original data point called anchor, then we can use different augmentation techniques to get one more variation from the original anchor or consider data points with the same label in the dataset as positive samples, and consider the rest of the batch/dataset or other data points with a different label as negative samples. Then the model is trained to be able to classify positive samples and negative samples from a data cluster. In this paper, we propose to use Contrastive learning for the task of learning important features of feature vectors. The operation principle of the Contrastive learning method is as follows:

Suppose we have a set of data points . In which, x_i and are 2 data points that are similar or have the same label, x_i and are 2 data points that contrast or have different labels. Call are the representative vectors of respectively, then the training objective of a mini-batch N is defined as Formula (5): (5)

With L_i is defined according to Formula (6) as follows: (6)

Where: τ is a positive constant temperature hyperparameter,

• sim (h₁, h₂) is cosine similarity
• 1_B = 1 when B is true, otherwise 1_B = 0,
• N_y is the total number of samples in the mini-batch with the same label y,
• i is the index of the example in the mini-batch,
• k is the index of other examples in the mini-batch with the same label with the example index i or ,
• j is the index of other examples example has index i in mini-batch.
• h_k is the representative vector of .

3.3.3. APT IP classification.

With 2 techniques Triplet Loss and contrastive learning described in Section 3.3.2, we will conduct APT IP classification based on these techniques. The study [52] proposed combining MLP with Triplet Loss and also brought a relatively good effect. However, in our research, we propose to use Cross-Entropy Loss. The mathematical process of the two models is described in (a) and (b) as follows:

a) The classification model combining MLP and Triplet Losses

Embedding APT IP samples and normal IP samples in phase 2 tends to express a large degree of overlap in the object space. This lack of separation makes it difficult for the classification process to distinguish between APT samples and normal samples. To improve prediction performance, we use a model that can predict features from the original high overlap space into another space that provides better separation between APT samples and normal samples. For this, we use an MLP network designed to transform the input feature vector (x_g) into a latent representation denoted by h(x_g). To optimize the separation between APT samples and normal samples, we use a combination of three loss functions (Triplet Losses) as the loss function of the classification model. Triplet losses consist of 3 single loss functions: i) Cross Entropy (ℒ_CE); ii) Projection loss or Triplet Loss (ℒ_p); and iii) L2 Regularization (ℒ_reg). The mathematical formula below shows the relationship of Triplet losses.

(7)

Where: α and β are two hyperparameters representing the contribution of ℒ_p and ℒ_reg. The operating principles of each component in Triplet losses are as follows:

First, Cross Entropy is used to calculate the error in the classification result. The value of the Cross Entropy loss function increases when the probability that the predicted label differs from the actual label. It is expressed through the formula: (8)

Which, y is the actual label and ŷ is the predicted label.

Next, Triplet Loss is used to quantify how well the performance can separate vulnerable samples from non-vulnerable samples. A representation is said to be useful if all vulnerable samples in the potential space are close to each other and at the same time it will be far away from all non-vulnerable samples, i.e. samples from the same class will be very close together and samples from different classes will be far apart. Accordingly, the formula of the Triplet Loss function will be determined according to the following: (9)

Which, h(x_same)) is the latent representation of an instance belonging to the same class as x_g and h(x_diff)) is the latent representation of an instance of a class other than x_g. γ is a hyperparameter used to determine the minimum separation boundary. Finally, D(·) represents the cosine distance between the two vectors and is given by: (10)

If the distance between two samples belonging to the same class is large ( are large) or if the distance between two samples of different classes is small ( are small), then ℒ_p will represent the opposite relationship between different classes.

The last is L2 Regularization with the symbol ℒ_reg, this function is used to limit the magnitude of the latent representation (h(x_g)). We find that, over several iterations, the latent representation h(x_g) of input x_g tends to increase in size arbitrarily. Such an arbitrary increase of h(x_g) prevents the model from converging. Therefore, we use the loss function ℒ_reg to deal with latent representations h(x_g) of larger magnitude. The loss function ℒ_reg is described by the mathematical formula below: (11)

b) Proposing an APT IP classification model using contrastive learning and Cross-Entropy Loss

After the data is balanced by the Dropout method and clustered according to the same characteristics by contrastive learning, in this phase we proceed to classify behaviors of APT IPs to detect normal IPs and APT IPs. We propose to use one Fully Connected Layer after the Contrastive Learning block with Cross-Entropy Loss. The Cross-Entropy Loss function is expressed through the following formula: (12)

Where:

• h_i is the representation vector of x_i,
• σ(x) is sigmoid function.

Note that during this process, only parameters of the last classification layer are tuned, all parameters in the previous representation block are frozen.

4.4.1. Experimental results of scenario 1.

As is known, in this paper we propose a model with a combination of 4 different techniques: BiLSTM, Attention, Dropout, and Contrastive learning. Each model has different effects on the accuracy of the classification. However, changing the parameters of all 4 techniques at the same time is cumbersome and difficult. Therefore, we propose to evaluate each model individually based on 2 main combined models, FIE and RL. Tables 2 and 3 below show the experimental results of detecting APT attacks according to the approach of the paper.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 2. Experimental results of detecting APT attack when the FIE model’s parameters are changed and parameters τ and α of RL model are fixed at 0.1 and 0.1 respectively.

https://doi.org/10.1371/journal.pone.0305618.t002

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 3. Experimental results of detecting APT attack when the RL model’s parameters are changed and the FIE model’s parameters are fixed.

https://doi.org/10.1371/journal.pone.0305618.t003

To evaluate the influence of BiLSTM and Attention models in the process of extracting flow information, we change the number of nodes of the layers in turn. The results in Table 2 show that when changing the parameters of the BiLSTM and Attention models, the experimental results also change. However, this change is not too large and not even. Specifically, the best and lowest Accuracy results differ by about 1%. Similarly, for the Precision measure, this difference is about 3%. Finally, with the Recall and F1-score measures, these differences are 6% and 5%, respectively. On the other hand, it can be seen that, when the number of nodes in the BiLSTM layer is 128-256 and in the Attention layer is 256, the model gives the best results in which Accuracy, Recall, and Precision values are superior to remaining experiments. When the number of nodes is too small for the model to learn and extract important features in the flow network, the model doesn’t achieve the best performance. In contrast, when the number of nodes is large, the model focuses too much on the data points in the training set (overfitting phenomenon), which makes the classification result significantly reduces (Recall decreases by about 3% compared to the best model). This experimental result shows that in applying deep learning models and algorithms to the problem of detecting network attacks in general and APT attacks in particular, not that choosing the higher the parameters and the larger the model, the better the effect. The model must fit the characteristics of the experimental data. Table 3 below shows the APT attack detection results when only the RL model’s parameters are changed and the FIE model’s parameters are fixed according to the best results as shown in Table 2.

In Table 3, we fine-tune 2 parameters α and τ. In which α is the dropout probability, the larger α is, the more values in the representation vector are deactivated; τ is the temperature parameter that helps control the punishment with negative samples. Research [58] shows that the smaller τ is, the more contrastive loss tends to focus on regions of great similarity. However when τ is too small, the contrastive loss may focus on only a few samples that are most similar to the sample being trained, then this greatly affects the quality of the model.

Looking at Table 3, the model gives the best results when τ = 0.1 and α = 0.1 with the APT attack detection rate is up to 99%. It is easy to see that when the Dropout rate α is small, the data points generated from the Dropout layer are more similar to the original data points than the data points generated with the bigger Dropout rate α. This makes the model more compatible with a small Dropout rate α, when α gradually increases from 0.1 to 0.2, 0.3, the result decreases significantly. With temperature parameter τ, obviously with τ neither too small nor too large, the model has markedly better results in the APT attack classification task. When τ = 0.05 (too small), the model only focuses on a small area of similar data points, reducing Precision and Recall by about 4% compared to τ = 0.1. On the contrary, when τ = 0.2 (too large), the model is too affected by the distant data points that may not really be similar to the data point being considered, which directly affects the training results when Recall is also reduced by 4% compared to τ = 0.1.

Combining Tables 2 and 3, we select the model FIERL with the best parameters τ = 0.1, α = 0.1, BiLSTM is [128, 256], and Attention layer is 256. Fig 2 shows the best Confusion matrix results of applying the FIERL model for APT attack detection.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 2. Confusion matrix result of the FIERL model with the best parameters.

https://doi.org/10.1371/journal.pone.0305618.g002

The confusion matrix result of the model FIERL shows that the model correctly predicts 1,316 APT IPs out of a total of 1,474 APT IPs (89.28%) and has a false prediction rate of only 10.72%. Besides, for the prediction results of normal IPs, the FIERL model also gives very good prediction results when the false prediction rate of normal IPs is only 0.79%. Looking at the correct prediction rate of APT IPs as well as normal IPs, it can be seen that the APT IP prediction model is not effective. However, from a data perspective, this result is very good for APT detection models in reality. In particular, in the experimental dataset described in Table 2, the number of normal IPs accounts for a very large number of the total experimental IPs. The number of normal IPs is 20 times the number of APT IPs Therefore, with such a difference, the FIERL model still achieves the results shown in Fig 2, it is clear that the FIERL model has worked very well. This demonstrates the Feature Intelligent Extraction and Representation Learning techniques proposed in the paper have shown their effectiveness. This demonstrates that 2 techniques proposed in the paper, Feature Intelligent Extraction and Representation learning, have shown their effectiveness.

4.4.2. Experimental results of scenario 2.

The experimental results in Tables 2 and 3, and Fig 2 have shown the effectiveness of the model FIERL. In this scenario, we compare the FIERL model with some other models. Specifically, the paper replaces FIE with some other deep learning networks such as CNN, LSTM, and MLP. These experimental results are presented in section (a) below. Similarly, to evaluate the effectiveness of the RL method, we proceed to replace this method with some other combined model. Section (b) shows some results of replacement models: replace Dropout with Smote, replace Contrastive Learning with Triplet loss, and finally replace the whole RL model with some supervised machine learning algorithms.

a) Experimental results when replacing the FIE model with some deep learning networks

The experimental results in Table 4 show that when replacing the FIE model, experimental results significantly reduce. Specifically, when only using CNN to extract flow features, this model gives very low results. These results are lower than the results of the proposed model in the paper (shown in Table 3) by nearly 10% on all measures. When using the LSTM network to extract features, the result is better than using the CNN network, because the LSTM network can remember the features, so it extracts better flow features and helps the model to synthesize more IP features. However, it is still very poor compared to our proposed FIERL model. Finally, using the MLP-Inference combined model to extract flow features gives better performance than the LSTM and CNN models. The reason is that the MLP network helps to synthesize flow features, then with the support of the Inference network, relationships of flow networks are extracted and clarified. From here, normal and APT flow networks are clearly distinguished, thereby helping the Dropout-Contrastive network to promote its effectiveness in aggregating and classifying APT IPs. Fig 3 below describes the Confusion matrix results of deep learning networks used to replace the FIE model. The Confusion matrix results shown in Fig 3 again represent that deep learning models such as CNN, LSTM or MLP-Inference cannot give good performance for the task of classifying normal IPs and APT IPs. Comparing the results shown in Figs 2 and 3, it can be seen that there is a huge difference between the FIERL model and the other models. Specifically, when using CNN to replace FIE, this model incorrectly predicts up to 273 APT IPs. This false prediction result is higher than the FIERL model to 115 APT IPs. This difference in the model using LSTM is 80 APT IPs. Finally, the MLP-Inference combined network also incorrectly predicts 205 APT IPs, which is 47 APT IPs higher than our proposed FIERL model. From this, it can be concluded that using some deep learning models to replace the FIE model in the task of aggregating and extracting IP features is not effective. Therefore, the proposal to use the FIE model in this paper not only has scientific significance but also has great practical significance.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 4. Experimental results when replacing the FIE model with some deep learning networks.

https://doi.org/10.1371/journal.pone.0305618.t004

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 3. Confusion matrix results of models using deep learning networks to replace the FIE model.

In which (a): CNN; (b): LSTM; (c): MLP-Inference.

https://doi.org/10.1371/journal.pone.0305618.g003

b) Experimental results and evaluations for the RL model

In scenario 1, we have presented some experimental results to prove the effectiveness of the proposed model in the APT IP classification task. For this scenario, our purpose is to answer the following research question (RQ):

RQ: What is the role and importance of each Dropout and Contrastive Loss component in the task of optimizing APT attack detection? Why combine Dropout with contrastive loss? Why not other combined methods? Are other combined models more effective than the model combining Dropout and Contrastive Loss? To answer this RQ (ARQ), we conduct the following experiments:

ARQ1: Evaluating the role and effectiveness of the Dropout method in the task of rebalancing data. To accomplish this task, we use the Smote method to replace the Dropout method in the rebalancing data task. The experimental model is a combination of the FIE model with Smote and Contrastive Loss.

ARQ2: Evaluating the role and effectiveness of Contrastive Loss in the Representation Learning task by replacing the Contrastive Loss method with the Triplet Loss method. The experimental model is a combination of the FIE model with Dropout and Triplet Loss.

ARQ3: Don’t use Contrastive Learning. Specifically, after the data is processed by the Dropout method, it is classified by traditional machine learning and deep learning methods such as MLP and RF. The experimental model is a combination of the FIE model with MLP or RF.

Table 5 below presents the results of the proposed models in ARQ1, ARQ2, and ARQ3 under scenario 2.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 5. Experimental results when replacing components in the RL model.

https://doi.org/10.1371/journal.pone.0305618.t005

Based on the experimental results in Tables 2, 3 and 5, we have the following comments:

Comment #1 for ARQ1: Comparing the results of Tables 2 and 3 with Table 5, it can be seen that: The Dropout-Contrastive Loss combined model proposed by us yields better results than the Smote-Contrastive Loss combined model. This shows that the Dropout method is more effective than the Smote method in rebalancing data in the embedding space. So what is the reason that makes the Dropout method more effective than the Smote method? Fig 3 depicts the distribution of the dataset when using the Smote and Dropout methods to rebalance data.

Fig 4 shows that the Smote method has succeeded in adding new data points to help balance the distribution between two labels in the dataset. Comparing the data distribution in Fig 4(A) (using the SMOTE method) and Fig 4(B) (using the Dropout method), it is clear that the Dropout method has many advantages over the SMOTE method in the task of adding new data points from the original dataset. To generate a new data point, SMOTE uses interpolation between two or more neighboring data points in the representation space. From Fig 4, it is easy to see that SMOTE is quite sensitive to noisy data points, the newly generated data points are distributed unfocused and have a large variance, which changes the distribution of the original dataset. The Dropout method overcomes this shortcoming of Smote by using only one data point to generate similar data points. Although the generated data points don’t have a relationship between the proximity distances in the representation space like Smote, observing Fig 4(B) clearly shows that these data points still have similarities and neighbors in the representation space. In addition, Dropout is less sensitive to noise because the generated data points can only be located in neighboring the original data point (when the Dropout rate is not too large), this helps the dataset after balancing to keep the same distribution as in the original dataset. Furthermore, the Dropout method also uses fewer resources and has a much lower computation time than the Smote method. The reason is that to find out the neighboring data points in the Smote method, it must run a clustering algorithm such as KNN and then calculate to generate new data points. Besides, it is easy to see a serious problem when using Smote with large datasets: clustering models take a lot of time to find the closest neighbors to the original data point. In contrast, with Dropout, we simply combine the representation vector of the original data point with a sparse vector to generate a new data point. This further proves the suitability and advantages of using Dropout for the rebalancing data method.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 4. Comparing the difference in data distribution of the Smote and Dropout methods.

Where: (a): The data distribution of the Smote algorithm; (b): The data distribution of the Dropout algorithm.

https://doi.org/10.1371/journal.pone.0305618.g004

Comment #2 for ARQ2: The Dropout-Contrastive Loss combined model proposed by us brings much better performance than the Dropout-Triplet Loss combined model. This efficiency is most clearly demonstrated in the ability to accurately detect APT IPs when our proposed method brings about 1%-7% higher efficiency. Therefore, it can be concluded that Contrastive loss has better performance than Triplet loss in the task of training the model to give representation vectors Fig 5 below shows the data distribution after being processed by the Dropout-Triplet loss combined model.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 5.

(a): The data distribution when using a combination of Dropout and Triplet Loss; (b): The data distribution when using a combination of Dropout and Contrastive Learning.

https://doi.org/10.1371/journal.pone.0305618.g005

From Fig 5 it can be seen that: Due to the nature of Triplet loss, the model can only train through a pair of positive and negative data. However, the rebalancing data method by using Dropout that we propose can generate more than one pair. Therefore, with data that has a lot of positive samples generated, Triplet Loss doesn’t take full advantage of the rebalancing data methods. On the contrary, using Contrastive Loss successfully overcomes this limitation of Triplet Loss when it helps the model to train with data that has many positive samples generated, taking full advantage of rebalancing data methods.

Comment #3 for ARQ3: For models that don’t use representation learning, it is clear that their effectiveness is very low. Accordingly, if only using the Dropout method to generate data for the training model and without using the Contrastive loss method to optimize the classification process, it won’t effective. From Fig 4 in scenario 1 of the paper, we have presented the distribution of data after using the data rebalancing technique. From Fig 3, it can be understood that the cause of this problem is that the vector representation of APT IP and normal IP in the embedding space is still fragmented and not centrally distributed. This shows that classification methods such as MLP or RF are not capable of identifying and classifying normal IPs and APT IPs.

Comparing the distribution results in Fig 6, it is clear that our proposed method with the combination of Dropout and Contrastive loss classifies clusters containing normal and APT labels better than not using representation learning. The data points in Fig 6(A) are still discretely distributed, the APT labels and normal labels are not separate, reducing the classification ability of the model. Observing Fig 6(B), it is easy to see that not only the data points of the APT label are grouped and concentrated, but the data points belonging to the normal label are also distributed into neighboring small clusters, which significantly improves the classification results of the model. From here, it can be seen the success of combining the two methods: Dropout and Contrastive loss. Finally, comparing the experimental results in Table 5 with Tables 2 and 3, it can be seen that the model when not using the representation learning method has the worst performance on all measures.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 6.

Comparing the data distribution of the method without using representation learning (a) and using representation learning (b).

https://doi.org/10.1371/journal.pone.0305618.g006

4.4.3. Experimental results of scenario 3.

Scenarios 1 and 2 have respectively demonstrated the effectiveness of the proposed model as well as the role of each FIE and RL component in the task of synthesizing and classifying APT IP. For this scenario, we conduct experiments for some approaches on the dataset used in the paper. Specifically, the study evaluates some combined deep learning networks: CNN-LSTM [25], BiLSTM-GCN [4], and MLP-Inference-GCN [24]. Table 6 below shows the best experimental results of these approaches.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 6. Experimental results of scenario 3.

https://doi.org/10.1371/journal.pone.0305618.t006

From the experimental results in Table 6, it can be seen that the results of the proposed method in this study are much higher than other approaches on the same dataset. Accordingly, when compared with the study [4], our study is higher from 2% to 27% on all measures. In particular, the Recall of the study [25] is lower than our proposed model by nearly 50%. In general, in all other approaches, our research direction is higher from 5% to 49% according to the Recal measure. The remaining results are also about 10% higher. Although the research [24] has a higher Precision than our study by about 2%, it has a lower Recall than our approach by about 5%.