Abstract (Chinese, translated):
The threat of cyberattacks grows ever more severe. Attack attribution is essential to strengthening defensive capability and turning the attack-defense situation around, and attack grouping analysis, a key step of attribution, has become a research hotspot. According to the type of clue available, attack grouping analysis can be divided into grouping based on malicious samples and grouping based on network behavior. Malware-based grouping has already produced notable research results, but it has limitations: it cannot cover every attribution need, and because malicious code is widely reused, its conclusions are not always reliable. By contrast, network-behavior-based grouping has produced few strong results and remains the weak point of attribution work. To address these problems, this paper proposes a network-behavior-based attack grouping method that extracts and analyzes the distinctive behavior patterns of an attacker or attack organization to achieve more accurate grouping. To preserve the different behavioral characteristics of an attack at its different stages, each attack activity is divided into 5 attack stages; 14 features in 4 categories are then extracted from the attack behavior originating from each IP to form a behavior feature matrix. The similarity between every pair of IP feature matrices is computed and used as an edge weight to build an IP behavior network graph, a community detection algorithm partitions the graph into attack communities, and the grouping of attack organizations follows from that partition. The method was evaluated on a real dataset containing 114,845 alerts, with results scored against actual attack organization labels, and reached 96% accuracy, demonstrating its effectiveness for attack grouping analysis. Possible future research directions are given at the end.
Keywords: attack grouping; network behavior; community detection; advanced persistent threat
DOI: 10.19363/J.cnki.cn10-1380/tn.2023.03.06
Received: November 30, 2021. Revised: February 19, 2022.
Funding: This work was supported by the Youth Innovation Promotion Association of the Chinese Academy of Sciences (No. 2019163), the National Natural Science Foundation of China (No. 61902396), and the Strategic Priority Research Program of the Chinese Academy of Sciences (No. XDC02040100); it was also supported by the Key Laboratory of Network Assessment Technology, Chinese Academy of Sciences, and the Beijing Key Laboratory of Network Security and Protection Technology.
|
Research on Network Behavior-based Cyberattack Grouping Method
BAI Bo, FENG Yun, LIU Baoxu, WANG Xutong, HE Songlin, YAO Dunyu, LIU Qixu
Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; Beijing Institute of Network Data, Beijing 100084, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China
Abstract:
The threat of cyberattacks is becoming more and more serious. Cyberattack attribution is significant work for enhancing defense capability and reversing the attack-defense situation. Attack grouping analysis is an important part of attack attribution and has become a research hotspot. According to the type of clue available, attack grouping analysis can be divided into grouping analysis based on malware and grouping analysis based on network behavior. At present, malware-based grouping analysis has achieved remarkable research results, but it has limitations: it cannot cover all the requirements of attack attribution, and because malicious code is widely reused, its results are not necessarily reliable. In contrast, network-behavior-based grouping analysis has few outstanding results and has become the weak point of attack attribution. To solve these problems, this paper proposes an attack grouping analysis method based on network behavior, which aims to achieve more accurate attack grouping by extracting and analyzing the unique behavior patterns of attackers or attack organizations. To retain the different behavioral characteristics of an attack at its different stages, one attack activity is divided into five attack stages, and a total of 14 features in four categories are then extracted from the attack behavior of each IP to form a behavior feature matrix. The similarity between every pair of IP feature matrices is computed and used as an edge weight to construct the IP behavior network graph. A community discovery algorithm partitions the graph into attack communities, which realizes the grouping analysis of attack organizations. Experiments were conducted on a real dataset of 114,845 alerts. The results were evaluated against the actual attack organization labels and reached 96% accuracy, which demonstrates the effectiveness of the method for attack grouping analysis.
Finally, possible future research directions are put forward.
Key words: attack grouping; network behavior; community discovery; APT
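The pipeline the abstract describes (per-IP feature matrix over attack stages, pairwise similarity as edge weights, community detection over the resulting IP graph) can be illustrated end to end with a small, self-contained Python example. This is an added example, not code from the paper or its authors: the paper does not list its 14 features or name its similarity measure or community algorithm, so the stage/feature layout, the use of cosine similarity with an edge threshold, the weighted label propagation step, and the alert records are all assumptions constructed here for illustration.

```python
import math
from collections import defaultdict
from itertools import combinations

# Assumed layout: the paper uses 5 attack stages and 14 features in 4 categories
# per IP; which feature sits in which column is not given there, so indices
# below are arbitrary placeholders.
STAGES = 5
FEATURES = 14

# Constructed alert records (src_ip, stage_index, feature_index, value).
# Two groups with disjoint behaviour profiles plus one isolated IP.
ALERTS = [
    ("10.0.0.1", 0, 0, 120), ("10.0.0.1", 0, 1, 30), ("10.0.0.1", 1, 2, 15),
    ("10.0.0.2", 0, 0, 100), ("10.0.0.2", 0, 1, 25), ("10.0.0.2", 1, 2, 20),
    ("10.0.0.3", 0, 0, 90),  ("10.0.0.3", 0, 1, 40), ("10.0.0.3", 1, 3, 5),
    ("203.0.113.5", 3, 8, 40), ("203.0.113.5", 4, 11, 60), ("203.0.113.5", 4, 12, 10),
    ("203.0.113.6", 3, 8, 35), ("203.0.113.6", 4, 11, 70), ("203.0.113.6", 4, 12, 5),
    ("198.51.100.9", 2, 6, 50),
]


def build_feature_matrices(alerts):
    """Aggregate alerts into one STAGES x FEATURES matrix per source IP."""
    matrices = {}
    for ip, stage, feature, value in alerts:
        m = matrices.setdefault(ip, [[0.0] * FEATURES for _ in range(STAGES)])
        m[stage][feature] += value
    return matrices


def cosine(a, b):
    """Cosine similarity of two equal-length vectors; 0.0 if either is all zero."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    return 0.0 if na == 0 or nb == 0 else dot / (na * nb)


def flatten(matrix):
    return [v for row in matrix for v in row]


def build_behavior_graph(matrices, threshold=0.5):
    """Undirected weighted graph: an edge joins two IPs whose flattened
    feature matrices have cosine similarity >= threshold (assumed cut-off)."""
    graph = {ip: {} for ip in matrices}
    for a, b in combinations(sorted(matrices), 2):
        w = cosine(flatten(matrices[a]), flatten(matrices[b]))
        if w >= threshold:
            graph[a][b] = w
            graph[b][a] = w
    return graph


def label_propagation(graph, max_iter=50):
    """Weighted label propagation (assumed community algorithm). Each node
    adopts the label carrying the largest summed edge weight among its
    neighbours; sorted node order and a lexical tie-break keep it deterministic."""
    labels = {ip: ip for ip in graph}
    for _ in range(max_iter):
        changed = False
        for ip in sorted(graph):
            if not graph[ip]:          # isolated node keeps its own label
                continue
            score = defaultdict(float)
            for nb, w in graph[ip].items():
                score[labels[nb]] += w
            best = min(score, key=lambda lab: (-score[lab], lab))
            if best != labels[ip]:
                labels[ip] = best
                changed = True
        if not changed:
            break
    communities = defaultdict(list)
    for ip, lab in labels.items():
        communities[lab].append(ip)
    return sorted(sorted(c) for c in communities.values())


def group_attackers(alerts, threshold=0.5):
    """Full pipeline: alerts -> feature matrices -> IP graph -> communities."""
    return label_propagation(build_behavior_graph(build_feature_matrices(alerts), threshold))


if __name__ == "__main__":
    for community in group_attackers(ALERTS):
        print(community)
```

The threshold is the lever a practitioner would tune first: too low and every IP joins one community, too high and the graph fragments into singletons. In an evaluation like the paper's, the communities returned by `group_attackers` would be compared against known attack organization labels to measure accuracy.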