An Anomaly Behavior Characterization Method of Network Traffic Based on Spatial Pyramid Pool (SPP)

Tao Yi, Xingshu Chen, Qindong Li, Yi Zhu

Computers & Security (2024)

Abstract
APT attacks have the characteristics of low frequency, stealth, and persistence. Achieving attack objectives and preventing trace-back often involve diverse tactics, various tools, and changing processes and patterns. Additionally, the goals of APT attacks are diverse. Apart from service disruptions or network outages, the main goals include remotely penetrating target hosts through the network to steal information, unauthorized encryption, and destructive wiping. Existing methods for characterizing attack features lack sufficient research on the communication methods and data transmission patterns used in attacks. In particular, due to the non-associated addresses, low frequency, fragmentation, and silence requirements of attacks, the features exhibited in a single session are increasingly minimal. Traditional approaches that rely solely on single-sample statistical features and "packet-sniffing" windowed traffic-grouping detection methods are no longer sufficient to address these challenges. To tackle these issues, we propose an innovative approach to characterizing network attack traffic based on Spatial Pyramid Pooling (SPP), which analyzes the attack communication methods and data transmission patterns in the network session traffic of APT attacks involving remote information theft. Specifically, it employs derived feature attributes that integrate mean, total, and concentration characteristics to longitudinally extract multi-level spatiotemporally correlated behavioral features from aggregated multi-session sets. These features are then fused with single-session characteristics, ensuring that each session sample possesses both its current traffic features and the correlated properties of its contextual session traffic. Additionally, this approach meets the fixed-length input requirement that deep learning imposes on heterogeneous data. Extensive experiments have been conducted to demonstrate that this method enhances the effective detection of APT attacks by deep learning models. Experimental results show that this approach exhibits superior timeliness, precision, and specificity when compared to Principal Component Analysis (PCA) artificial feature engineering methods and other methods based on fixed-length deep learning on raw data.
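The pooling step the abstract describes, as an added illustration that is not the paper's code: a session's own features are concatenated with mean, total and concentration statistics pooled at several pyramid levels from its contextual session set, so the fused vector has a fixed length regardless of how many contextual sessions exist. The grouping key (same server address), the three sample features, the sample values and the definition of "concentration" are all assumptions.

```python
"""SPP over a variable-length multi-session set (illustration, not the paper's code).
A session's own features are fused with fixed-length mean/total/concentration
statistics pooled from its contextual sessions, assumed here to be the time-ordered
sessions sharing the same server address, so the fused length never depends on N."""
from typing import List, Sequence

# Constructed sample: per-session features [bytes_out, bytes_in, duration_s] for one
# host.  Real values would come from a flow exporter; these are made up.
CONTEXT_SESSIONS: List[List[float]] = [
    [512.0, 120.0, 1.5],
    [20480.0, 300.0, 9.0],
    [480.0, 100.0, 1.2],
    [40960.0, 280.0, 12.5],
    [530.0, 110.0, 1.4],
]
TARGET_SESSION: List[float] = [61440.0, 310.0, 15.0]

def _bins(n: int, k: int) -> List[range]:
    """Split row indices 0..n-1 into k contiguous near-equal bins (some may be empty)."""
    return [range(n * i // k, n * (i + 1) // k) for i in range(k)]

def pool_bin(rows: Sequence[Sequence[float]], d: int) -> List[float]:
    """Per-feature mean, total and concentration of one bin; all zeros if it is empty.
    Concentration is taken as the share of the bin total carried by its largest value
    (an assumption; the abstract does not define it)."""
    if not rows:
        return [0.0] * (3 * d)
    out: List[float] = []
    for j in range(d):
        col = [r[j] for r in rows]
        total = sum(col)
        out += [total / len(col), total, max(col) / total if total else 0.0]
    return out

def spp_features(sessions: Sequence[Sequence[float]], d: int, levels=(1, 2, 4)) -> List[float]:
    """For each pyramid level k, split the ordered set into k bins, pool each bin and
    concatenate.  Output length is 3 * d * sum(levels) whatever the set size."""
    vec: List[float] = []
    for k in levels:
        for b in _bins(len(sessions), k):
            vec += pool_bin([sessions[i] for i in b], d)
    return vec

def fuse(target: Sequence[float], context: Sequence[Sequence[float]]) -> List[float]:
    """Fixed-length model input: single-session features + multi-session SPP features."""
    return list(target) + spp_features(context, len(target))
```

With five contextual sessions and three features the fused vector has 3 + 3 * 3 * 7 = 66 entries; a context of only two sessions yields the same length, with the bins that receive no session filled with zeros.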
Keywords
APT attacks, ATT&CK framework, single session, multi-session, Spatial Pyramid Pooling (SPP)