Predicting cyber attack preference of intruders is essential for security organizations to demystify attack intents and proactively handle oncoming cyber threats. In order to automatically analyze attack preferences of intruders, this paper proposes a novel framework, namely HinAp, to predict cyber attack preference using attributed heterogeneous attention network and transductive learning. Particularly, we first build an attributed heterogeneous information network (AHIN) of attack events to model attackers, vulnerabilities, exploited scripts, compromised devices, invaded platforms, and 20 types of meta-paths describing interdependent relationships among them, in which attribute information of vulnerabilities and exploited scripts are embedded. Then, we propose the attack preference prediction model based on attention mechanism and transductive learning, respectively. Finally, an automated model for predicting cyber attack preferences is constructed by stacking these two basic prediction models, which capable of integrating more comprehensive and complex semantic information from meta-paths and meta-graphs to characterize attack preference of intruders. Experimental results based on real-world data prove that HinAp outperforms the state-of-the-art methods in predicting cyber attack preferences of intruders.

预测入侵者的网络攻击偏好对于安全组织揭露攻击意图的神秘色彩并主动应对即将来临的网络威胁至关重要。为了自动分析入侵者的攻击偏好，本文提出了一种新颖的框架HinAp，该框架使用属性异构注意网络和转换学习来预测网络攻击偏好。特别是，我们首先建立攻击事件的属性异构信息网络（AHIN），以建模攻击者，漏洞，被利用的脚本，受感染的设备，入侵的平台以及描述它们之间相互依赖关系的20种类型的元路径，其中，漏洞的属性信息并嵌入被利用的脚本。然后，我们提出了基于注意力机制和转导学习的攻击偏好预测模型。最后，通过堆叠这两个基本的预测模型，构建了一个用于预测网络攻击偏好的自动化模型，该模型能够集成来自元路径和元图的更全面，更复杂的语义信息，以表征入侵者的攻击偏好。基于现实世界数据的实验结果证明，在预测入侵者的网络攻击偏好方面，HinAp优于最新技术。能够整合来自元路径和元图的更全面，更复杂的语义信息，以表征入侵者的攻击偏好。基于真实数据的实验结果证明，在预测入侵者的网络攻击偏好方面，HinAp优于最新技术。能够整合来自元路径和元图的更全面，更复杂的语义信息，以表征入侵者的攻击偏好。基于真实数据的实验结果证明，在预测入侵者的网络攻击偏好方面，HinAp优于最新技术。