Cite this article
  • Han Xueying, Wang Zehui, Liu Runshi, Liu Song, Jiang Bo, Lu Zhigang. Overview of Advanced Persistent Threats Detection Technology [J]. Journal of Cyber Security, accepted.
Overview of Advanced Persistent Threats Detection Technology
Han Xueying1, Wang Zehui1, Liu Runshi2, Liu Song1, Jiang Bo1, Lu Zhigang1
(1. Institute of Information Engineering, Chinese Academy of Sciences; 2. College of Information Engineering, Capital Normal University)
Abstract:
In recent years, while the rapid development of network technology has brought major changes to society, attacks of all kinds on networks have been growing, and advanced persistent threats in particular have increased sharply year by year, causing serious consequences and drawing wide attention from industry and academia. An advanced persistent threat (APT) is a targeted, organized, covert and highly sophisticated attack that is difficult to detect. How to detect APT attacks quickly and accurately is a problem that urgently needs to be solved; researchers have proposed a large number of solutions that attempt to detect APT attacks from different angles, and this paper surveys that research. It first introduces the basic concepts of APT and common attack models, divides APT attacks into stages from the perspective of detection and defense, and introduces the detection carriers that can be used to detect APT attacks, such as malicious files, network traffic, logs and external knowledge. It then divides APT detection methods, by attack stage, into stage-specific detection and overall collaborative detection, reviews the corresponding detection methods in detail and analyzes their strengths and weaknesses: stage-specific detection targets the individual stages of an APT, namely the reconnaissance and preparation stage, the external penetration stage, the command and control stage, the lateral movement stage and the data leakage stage, while overall collaborative detection combines multiple kinds of data to detect the whole APT process. Finally, the paper discusses the limitations of and challenges facing existing detection methods and outlines directions for future research. We hope this paper offers some useful references for research on APT detection technology.
Keywords: cyberspace security; advanced persistent threat; attack stage division; detection carrier classification; attack detection model
DOI:
Received: 2022-03-02; Revised: 2022-06-09
Funding: National Basic Research Program of China (973 Program); National Natural Science Foundation of China (General Program, Key Program, Major Program)
Overview of Advanced Persistent Threats Detection Technology
Han Xueying1, Wang Zehui1, Liu Runshi2, Liu Song1, Jiang Bo1, Lu Zhigang1
(1. Institute of Information Engineering, Chinese Academy of Sciences; 2. College of Information Engineering, Capital Normal University)
Abstract:
In recent years, the rapid development of network technology has brought great changes to society. At the same time, all kinds of attacks in the network are increasing; in particular, advanced persistent threats (APT) are increasing significantly, which has attracted extensive attention from industry and academia. APT is a targeted, organized, covert and highly sophisticated attack, which is more difficult to detect than ordinary attacks. Therefore, how to detect APT attacks quickly and accurately is an urgent problem to be solved at present. Researchers have put forward a large number of solutions and have tried to detect APT attacks from different aspects. This paper collects and summarizes this existing research. Firstly, this paper introduces the basic concept of APT and common attack models, and divides the stages of an APT attack from the perspective of detection and defense. This paper also introduces the detection carriers that can be used to detect APT attacks, such as malicious files, network traffic, logs and external knowledge. Then, this paper classifies APT detection methods from the point of view of attack stages, dividing them into specific-stage detection methods and overall collaborative detection methods. It introduces the corresponding detection methods in detail and analyzes their advantages and disadvantages. Specific-stage detection is used to detect each stage of an APT: it includes detection of the reconnaissance preparation stage, the external penetration stage, the command and control stage, the lateral movement stage and the data leakage stage. Overall collaborative detection combines a variety of data to detect the whole process of an APT. Finally, the limitations and challenges of existing detection methods are discussed, and future research directions are outlined. This paper hopes to provide some useful references for research on APT detection technology.
Key words: cyber security; Advanced Persistent Threats; attack stage division; detection carrier classification; attack detection model