| 摘要: |
| 在飞速发展的信息时代和数据时代,网络攻击对个人隐私、工作生活乃至生命财产安全带来了严重威胁。而主机作为人类进行日常工作交流、生活娱乐、数据存储的重要设备,成为了网络攻击的主要目标。因此,进行主机攻击发现技术的研究是紧迫且必要的,而主机事件作为记录主机中一切行为的载体,成为了当今网络攻防领域的重点研究对象。攻击者在主机中的各种恶意操作会不可避免地被记录为主机事件,但恶意事件隐藏在规模庞大的正常事件中难以察觉和筛选,引发了如何获取主机事件、如何识别并提取恶意事件、如何还原攻击过程、如何进行安全防护等一系列问题的学术研究。本文对基于主机事件的攻击发现技术相关研究进行了广泛的调研和细致的汇总,对其研究发展历程进行了梳理,并将本文所研究的基于主机事件的攻击发现技术与入侵检测、数字取证两大研究方向从分析对象、分析方法、作用时间、分析目的4个方面进行了对比,阐明了本文所研究问题的独特之处,并对其下定义。随后,本文对基于主机事件的攻击发现技术涉及的关键概念进行了解释,提出了该领域面临的依赖关系爆炸和及时性两大问题,并将研究按照阶段划分为主机事件采集、主机事件处理、主机事件分析三个类别,分别介绍了三个类别围绕两大问题共计12个细分方向的研究成果和进展,最后结合研究现状提出了主机事件记录的完整性和可信性、攻击发现的时效性、跨设备的攻击发现、多步骤攻击的发现、算法的运用等5个未来可能的研究方向。 |
| 关键词: 主机安全|主机事件|攻击发现|攻击路径 |
| DOI:10.19363/J.cnki.cn10-1380/tn.2023.07.03 |
| Received:March 19, 2020Revised:May 31, 2020 |
| 基金项目:本论文获得了中国科学院青年创新促进会(No. 2019163), 国家自然科学基金项目(No. 61902396), 中国科学院战略性先导科技专项项目(No. XDC02040100)课题资助; 获得中国科学院网络测评技术重点实验室和网络安全防护技术北京市重点实验室资助。 |
|
| A Survey of Attack Discovery Technology Based on Host Events |
| Feng Yun,Liu Baoxu,Zhang Jinli,Zhang Yue,Liu Qixu |
| Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China |
| Abstract: |
| In the rapidly developing era of information and data, cyberattacks pose a serious threat to human privacy, work and even the safety of life and property. As an important equipment for human to communicate in daily work, and for entertainment and data storage, the host has become the main target of cyberattacks. Therefore, it is urgent and necessary to study the host attack discovery technology. And as a carrier to record all behaviors in the host, host events have become the focus of research. Attackers' various malicious operations in the host will inevitably be recorded as host events. However, malicious events are hidden in large-scale normal events, that are difficult to detect and filter out, leading to academic research on a series of issues such as how to obtain host events, how to identify and extract malicious events, how to reconstruct the attack process, and how to conduct security protection. This paper has carried out extensive research and detailed summary on the research related to host event based attack discovery technology, and combed its research and development history, then compares with intrusion detection and digital forensics from four aspects: analysis object, analysis method, time of action, and analysis purpose. After, the definition of host event based attack discovery technology was conducted. Subsequently, this paper explains the key concepts involved. Two major problems which are dependency explosion and timeliness are pointed out. Then the research is divided into three categories according to the stages: host event collection, host event processing and host event analysis. The research results and progress of the three categories around the two major problems, which are 12 subcategories in total, are introduced respectively. Finally, the possible research directions in the future are pointed out according to the current research situation, including integrity and credibility of host event records, timeliness of attack discovery, cross-device attack discovery, multi-step attack discovery, and algorithm application. |
| Key words: host security|host event|attack discovery|attack path |
