Cite this article:
  • LIU Yang, BAO Suyan, YIN Rong, LIU Bochao, XIA Yuanqing. The High-Obfuscation Attack Detection Method Based on Hierarchical State Machine Behavior Modeling [J]. Journal of Cyber Security, accepted.
Submitted: 2026-01-17; revised: 2026-04-01
The High-Obfuscation Attack Detection Method Based on Hierarchical State Machine Behavior Modeling
LIU Yang1, BAO Suyan2,3, YIN Rong4, LIU Bochao5, XIA Yuanqing1
(1. School of Automation, Beijing Institute of Technology; 2, 3. Beijing Aerospace Wanyuan Science & Technology; 4. Institute of Information Engineering, Chinese Academy of Sciences; 5. Beijing Institute of Astronautical Systems Engineering)
Abstract:
With the widespread adoption of cloud control systems, traditional network security detection methods face significant challenges in effectively identifying highly covert unknown attacks. Existing approaches that rely on matching known attack features perform poorly in scenarios involving stealthy and targeted threats such as command hijacking and data tampering, where attack patterns often deviate from predefined signatures. In response, researchers have proposed anomaly-based detection methods. However, most existing methods focus on anomaly detection at the level of individual nodes and lack a comprehensive analysis of the overall system state. Cloud control systems typically consist of multiple interconnected subsystems and involve complex state transitions influenced by both cyber and physical components. Therefore, accurately representing system behavior logic and designing effective anomaly detection rules have become critical issues in addressing highly covert unknown attacks. To tackle these challenges, this study proposes a behavior modeling approach based on directed graphs and hierarchical state machines. The method constructs unified representation patterns for terminal behavior, network behavior, and system behavior, capturing both operational semantics and interaction dependencies. Directed graphs are employed to model the information flow paths and causal relationships among distributed nodes, while hierarchical state machines formalize the system’s state transition rules and triggering conditions across different abstraction levels. Based on this integrated model, a simulation environment is developed to support multidimensional analysis of information flows and hierarchical relationships among system nodes, enabling the evaluation of system behavior under various operational scenarios. Furthermore, seven types of anomaly detection rules grounded in business logic are designed, covering the terminal, network, and system levels. These rules target typical attack vectors including unauthorized command execution, abnormal data flows, privilege escalation, and deviations from predefined operational workflows. By aligning detection mechanisms with system-level business semantics, the proposed approach enables the identification of subtle anomalies that may evade conventional signature-based or single-node detection methods. The proposed approach is validated through application in an actual cloud control system. Experimental results demonstrate that the developed modeling method effectively captures system behavioral characteristics, and the anomaly detection mechanism achieves high detection accuracy with a low false positive rate. The findings confirm the feasibility and effectiveness of the proposed approach, offering a robust technical solution for enhancing the security posture of cloud control systems against sophisticated unknown threats.
Key words: Cloud Control System; Highly Covert and Unknown Attacks; Anomaly Detection; Directed Graph; Hierarchical State Machine; Behavior Modeling
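To make the modeling idea in the abstract concrete, here is a small added example (not the paper's code or its actual rule set): a directed graph of permitted information flows plus a two-level state machine for a constructed cloud/PLC system, with four of the rule families the abstract names (abnormal data flow, privilege escalation, unauthorized command, workflow deviation) checked against a constructed event trace. All node names, roles, states, transitions and events are assumptions made for the example.

```python
"""Toy behaviour model in the spirit of the abstract: a directed graph of permitted flows
plus a hierarchical state machine whose transition rules double as detection rules.
Every node name, role, state, rule and trace below is constructed for this example."""
from collections import namedtuple
Event = namedtuple("Event", "src dst kind role")   # role = the role the sender claims
# Permitted information-flow edges (directed graph of the constructed system).
FLOWS = {("cloud", "plc"), ("plc", "cloud"), ("sensor", "cloud")}
# Role assigned to each node; claiming a different role is treated as escalation.
ROLES = {"cloud": "controller", "plc": "actuator", "sensor": "actuator", "workstation": "operator"}
# Role required to send each event kind; "telemetry" carries data and drives no transition.
COMMAND_ROLE = {"start": "controller", "stop": "controller", "ready": "actuator", "telemetry": "actuator"}
DATA_KINDS = {"telemetry"}
# Hierarchical state machine: (system state, plc sub-state, event) -> next pair.
TRANSITIONS = {
    ("idle", "stopped", "start"): ("running", "spinning_up"),
    ("running", "spinning_up", "ready"): ("running", "nominal"),
    ("running", "nominal", "stop"): ("idle", "stopped"),
}

def step(state, e):
    """Check one event against four rules; the state advances only if none fires."""
    system, sub = state
    alerts = []
    if (e.src, e.dst) not in FLOWS:                           # abnormal data flow
        alerts.append(("abnormal_data_flow", e.src, e.dst, e.kind))
    if e.role != ROLES.get(e.src):                            # privilege escalation
        alerts.append(("privilege_escalation", e.src, e.role, e.kind))
    if COMMAND_ROLE.get(e.kind) != ROLES.get(e.src):          # unauthorized command
        alerts.append(("unauthorized_command", e.src, e.kind))
    key = (system, sub, e.kind)
    if e.kind not in DATA_KINDS and key not in TRANSITIONS:   # workflow deviation
        alerts.append(("workflow_deviation", system, sub, e.kind))
    if alerts or e.kind in DATA_KINDS:
        return state, alerts
    return TRANSITIONS[key], alerts
def run(events, state=("idle", "stopped")):
    """Replay a trace; return the final state and every alert raised along the way."""
    found = []
    for e in events:
        state, alerts = step(state, e)
        found.extend(alerts)
    return state, found
TRACE = [  # constructed trace: four legitimate steps, then two anomalies
    Event("cloud", "plc", "start", "controller"),
    Event("plc", "cloud", "ready", "actuator"),
    Event("sensor", "cloud", "telemetry", "actuator"),
    Event("cloud", "plc", "stop", "controller"),
    Event("workstation", "plc", "start", "controller"),  # rogue host claims controller role
    Event("plc", "cloud", "ready", "actuator"),           # valid message replayed in the wrong phase
]
```

Replaying TRACE with run(TRACE) raises three alerts for the spoofed start command (flow, role and command rules all fire on one event) and one workflow-deviation alert for the stale ready message, while the state stays at idle/stopped.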