Cite this article:
- CHEN Weixiang, REN Yitong, XIAO Yanjun, HOU Rui, TIAN Zhihong. Research on an attack-path prediction method for APT family analysis [J]. Journal of Cyber Security (信息安全学报), 2023, 8(1): 1-13 (Chinese-language citation)
- CHEN Weixiang, REN Yitong, XIAO Yanjun, HOU Rui, TIAN Zhihong. A Research on Attack-path Prediction Method for APT Organization [J]. Journal of Cyber Security, 2023, 8(1): 1-13
Abstract (translated from the Chinese):
In recent years, attacks against government agencies, industrial facilities and large corporate networks have occurred one after another, and cyberspace security has become a global issue bearing on national stability, social order and economic prosperity. Advanced Persistent Threats (APT) have gradually evolved into a combination of social engineering attacks and zero-day exploitation, and have become one of the most serious cyberspace security threats. Current APT research focuses on finding reliable attack features and improving detection accuracy; because APT features are easily hidden in complex and voluminous data, obtaining reliable data is much harder, and how to detect APT attacks as early as possible and trace them to an APT family is a hot topic for researchers. On this basis, this paper proposes an APT attack path restoration and prediction method. First, drawing on the idea of software genes, an APT malware gene model and a gene similarity detection algorithm are designed to build a malicious-behaviour gene library; samples are gene-tested against the library and reliable malicious features are extracted from them, which solves the problem of acquiring reliable data. Second, to solve the APT attack path restoration and prediction problem, a hidden Markov model (HMM) is used to restore and predict the attack path of the APT malicious-behaviour chain: the features generated by the gene library are used to construct malicious-behaviour chains and estimate the model parameters, from which the APT attack path is restored and predicted, with a prediction accuracy above 90%. Finally, malware is attributed to families by both the HMM and gene detection; the experimental results show that gene features and HMM parameter features can, to a certain extent, guide an intrusion detection system in identifying and classifying malware.
Keywords: APT attack; malicious-behaviour gene library; HMM; attack path restoration and prediction; malware family classification
DOI: 10.19363/J.cnki.cn10-1380/tn.2023.01.01
Received: 2021-06-07; Revised: 2022-02-25
Funding: This work was supported by the National Natural Science Foundation of China (No. U20B2046), the Guangdong Province Universities Innovation Team Project (No. 2020KCXTD007) and the Guangzhou Universities Innovation Team Project (No. 202032854).
A Research on Attack-path Prediction Method for APT Organization
CHEN Weixiang (1), REN Yitong (1), XIAO Yanjun (2), HOU Rui (3), TIAN Zhihong (1)

(1. School of Computer Science and Cyber Engineering, Guangzhou University, Guangzhou 510006, China; 2. NSFOCUS Technologies Group Co., Ltd, Guangzhou 510006, China; 3. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China)
Abstract:
In recent years, attacks against government agencies, industrial facilities and large corporate networks have emerged one after another. Cyberspace security has become an overall issue related to national stability, social stability and economic prosperity. Advanced persistent threats (APT) have gradually evolved into a complex of various social engineering attacks and zero-day vulnerability exploitation, and have become one of the most serious cyberspace security threats. Current research on APT focuses on finding reliable attack features and improving detection accuracy. Because APT features are easily hidden in complex and voluminous data, obtaining reliable attack features is difficult. How to discover APT attacks as early as possible and attribute them to their APT family is a hot issue for researchers. Based on this, this paper proposes an APT attack path restoration and prediction method. Firstly, referring to the idea of software genes, an APT malware gene model and a gene similarity detection algorithm are designed to construct a malicious behavior gene library. Samples are genetically detected against the malicious behavior gene library to extract reliable malicious features, solving the problem of reliable data acquisition. Secondly, to solve the problem of APT attack path restoration and prediction, a hidden Markov model (HMM) is used to restore and predict the attack path of the APT malicious behavior chain. The features generated by the malicious behavior gene library are used to construct the malicious behavior chain and estimate the model parameters, and the APT attack path is then restored and predicted; the prediction accuracy can reach more than 90%. Finally, family identification of malware is carried out by HMM and gene detection. The experimental results show that the gene characteristics and HMM parameter characteristics can guide an intrusion detection system to identify and classify malware to a certain extent.
Key words: APT attack; software gene; HMM; attack path reconstruction and prediction; malware family classification
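The gene-then-HMM pipeline described in the abstract, as an added example that is not the paper's code: a small discrete HMM whose hidden states are attack stages and whose observations are the behaviour-gene labels a gene-detection step would emit. Viterbi restores the stage path behind an observed chain, the forward posterior is used to predict the next stage, and comparing the chain's likelihood under two family models performs family identification. The stage names, gene labels, probabilities, family models and the sample chain are all constructed assumptions, not values from the paper; the paper estimates its HMM parameters from gene-library features, which this example replaces with hand-set toy tables.

```python
# Added example, not the paper's code: a discrete HMM over an APT behaviour chain.
# Hidden states are attack stages; observations are behaviour-gene labels.
# Viterbi restores the most likely stage path, the forward algorithm gives the
# posterior used to predict the next stage, and per-family likelihood is used
# for family identification. All names and probabilities are constructed toy
# values (assumptions), not the paper's estimated parameters.
from math import log

STAGES = ["recon", "initial_access", "persistence", "exfiltration"]


class AttackHMM:
    def __init__(self, start, trans, emit):
        # start[s] = pi(s); trans[s][s'] = A(s, s'); emit[s][o] = B(s, o)
        self.start, self.trans, self.emit = start, trans, emit

    def viterbi(self, chain):
        """Restore the most likely stage sequence behind an observed gene chain."""
        delta = {s: log(self.start[s]) + log(self.emit[s][chain[0]]) for s in STAGES}
        back = []  # back[t][s] = best predecessor of stage s at step t+1
        for gene in chain[1:]:
            new_delta, ptr = {}, {}
            for s in STAGES:
                prev = max(STAGES, key=lambda p: delta[p] + log(self.trans[p][s]))
                new_delta[s] = delta[prev] + log(self.trans[prev][s]) + log(self.emit[s][gene])
                ptr[s] = prev
            delta, back = new_delta, back + [ptr]
        last = max(delta, key=delta.get)
        path = [last]
        for ptr in reversed(back):  # follow back-pointers from the last stage
            path.append(ptr[path[-1]])
        return path[::-1], delta[last]

    def forward(self, chain):
        """Scaled forward algorithm: (log P(chain), posterior over the current stage)."""
        alpha = {s: self.start[s] * self.emit[s][chain[0]] for s in STAGES}
        loglik = 0.0
        for t, gene in enumerate(chain):
            if t > 0:
                alpha = {s: self.emit[s][gene] * sum(alpha[p] * self.trans[p][s] for p in STAGES)
                         for s in STAGES}
            scale = sum(alpha.values())  # rescale each step to avoid underflow
            alpha = {s: a / scale for s, a in alpha.items()}
            loglik += log(scale)         # log P(chain) = sum of log scale factors
        return loglik, alpha

    def predict_next(self, chain):
        """Distribution over the next stage given the chain seen so far."""
        _, post = self.forward(chain)
        nxt = {s: sum(post[p] * self.trans[p][s] for p in STAGES) for s in STAGES}
        return max(nxt, key=nxt.get), nxt


def classify_family(chain, families):
    """Attribute a chain to the family whose HMM gives it the highest likelihood."""
    scores = {name: model.forward(chain)[0] for name, model in families.items()}
    return max(scores, key=scores.get), scores


# Constructed toy parameters (assumptions). Emissions are shared by both families.
START = {"recon": 0.7, "initial_access": 0.2, "persistence": 0.05, "exfiltration": 0.05}
EMIT = {
    "recon":          {"scan": 0.8,  "phish_doc": 0.1,  "registry_run": 0.05, "dns_tunnel": 0.05},
    "initial_access": {"scan": 0.1,  "phish_doc": 0.7,  "registry_run": 0.15, "dns_tunnel": 0.05},
    "persistence":    {"scan": 0.05, "phish_doc": 0.1,  "registry_run": 0.75, "dns_tunnel": 0.1},
    "exfiltration":   {"scan": 0.05, "phish_doc": 0.05, "registry_run": 0.1,  "dns_tunnel": 0.8},
}
# Family A establishes persistence before exfiltrating; family B skips persistence.
TRANS_A = {
    "recon":          {"recon": 0.3,  "initial_access": 0.6,  "persistence": 0.05, "exfiltration": 0.05},
    "initial_access": {"recon": 0.05, "initial_access": 0.3,  "persistence": 0.6,  "exfiltration": 0.05},
    "persistence":    {"recon": 0.05, "initial_access": 0.05, "persistence": 0.4,  "exfiltration": 0.5},
    "exfiltration":   {"recon": 0.1,  "initial_access": 0.05, "persistence": 0.15, "exfiltration": 0.7},
}
TRANS_B = {
    "recon":          {"recon": 0.3,  "initial_access": 0.6,  "persistence": 0.05, "exfiltration": 0.05},
    "initial_access": {"recon": 0.05, "initial_access": 0.3,  "persistence": 0.05, "exfiltration": 0.6},
    "persistence":    {"recon": 0.3,  "initial_access": 0.3,  "persistence": 0.3,  "exfiltration": 0.1},
    "exfiltration":   {"recon": 0.1,  "initial_access": 0.05, "persistence": 0.05, "exfiltration": 0.8},
}
FAMILIES = {"family_A": AttackHMM(START, TRANS_A, EMIT),
            "family_B": AttackHMM(START, TRANS_B, EMIT)}
# Constructed gene chain, as a gene-detection step might emit it for one sample.
CHAIN = ["scan", "phish_doc", "registry_run", "dns_tunnel"]

if __name__ == "__main__":
    model = FAMILIES["family_A"]
    path, _ = model.viterbi(CHAIN)
    print("restored path:", " -> ".join(path))
    stage, dist = model.predict_next(CHAIN[:3])
    print("predicted next stage after 3 observations:", stage, round(dist[stage], 3))
    print("attributed family:", classify_family(CHAIN, FAMILIES)[0])
```

Run stand-alone, the block restores the path recon, initial_access, persistence, exfiltration for the sample chain, predicts exfiltration as the next stage after the first three observations, and attributes the chain to family_A because its likelihood under that family's transition table is several times higher. In a real deployment the two tables would be estimated from gene-library detections (the paper's parameter-estimation step) rather than set by hand, and the family score would be compared against a threshold before an analyst acts on it.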