Abstract:
Targeted cyber attacks pose a severe threat to cyberspace security and have even become a major form of cyber confrontation between nations. This paper holds that targeted cyber attacks are difficult to avoid, and that the traditional defense system, centered on identifying and blocking attacks, cannot cope well with complex and advanced targeted cyber attacks; it therefore proposes attribution (tracing an attack back to its source) as a deterrent defense measure. The paper gives a formal definition and classification of targeted cyber attack attribution; drawing on research results from fields such as cyber deception, it proposes attributing targeted cyber attacks by constructing a network and system environment that combines virtual and real components and by combining active and passive methods; it builds a six-level attribution model for targeted cyber attacks covering network services, host terminals, file data, control channels, behavioral characteristics, and mining and analysis, and systematically explains the meaning and main technical means of each level; on the basis of this model, it establishes an attribution-in-depth system whose main thread is "deception environment construction", "multi-source clue extraction" and "clue analysis and mining", attributing targeted cyber attacks from multiple dimensions; and, combining existing attack models, attribution theory and typical attribution cases, it demonstrates the effectiveness of the established model.
Keywords: targeted cyber attack; attribution; cyber deception; APT
DOI: 10.19363/J.cnki.cn10-1380/tn.2019.07.01
Received: February 03, 2018; Revised: June 21, 2018
Funding: This work was supported by the Key Laboratory of Network Assessment Technology, Chinese Academy of Sciences, and the Beijing Key Laboratory of Network Security and Protection Technology; and by the National Key Research and Development Program of China (No.2016QY08D1602), the Youth Innovation Promotion Association of the Chinese Academy of Sciences, and the Strategic Priority Research Program of the Chinese Academy of Sciences, Category C (No.XDC02040100, No.XDC02030200, No.XDC02020200).
|
A Hierarchical Model of Targeted Cyber Attacks Attribution |
LIU Chaoge,FANG Binxing,LIU Baoxu,CUI Xiang,LIU Qixu |
Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China;Institute of Electronic and Information Engineering of University of Electronic Science and Technology of China in Guangdong, Dongguan Guangdong 523808, China;Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510006, China |
Abstract:
In recent years, evolving targeted cyber attacks have posed a great threat to cyber security and have even become a major form of cyberwar among many countries. However, current defense methodologies, which generally focus on discovering and then blocking known attacks, cannot deal with these advanced targeted cyber attacks effectively. To address this problem, at least in part, this paper introduces attribution as an alternative methodology. First, we give a formal definition and classification of Targeted Cyber Attacks Attribution, and then we apply research from related fields (such as cyber deception) to attribution. We further deploy a well-designed Virtual-Actual attribution environment and attribute targeted attacks with both active and passive methods. To achieve this goal, we establish a new attribution model and build an attribution-in-depth system. The proposed model comprises six levels: network services, hosts and terminals, files and data, command and control channels, behavioral characteristics, and mining and analyzing. We describe the theoretical and technical details of each level. With the main thread of deception environment construction, multi-source clue extraction, and data mining and analyzing, the attribution-in-depth system is designed to attribute targeted attacks from multiple dimensions. Finally, we evaluate the proposed model from multiple perspectives, including an existing attack model, attribution theory and several typical attribution cases, and conclude that the proposed model offers an effective way to attribute targeted cyber attacks.
Key words: targeted cyber attack; attribution; cyber deception; APT