Abstract:
With the rapid development of information technology and its applications, IoT systems of every kind face a large number of information security risks and hidden dangers, and network information security incidents occur frequently. Among them, Advanced Persistent Threats (APT), exemplified by the "Stuxnet" attack, have by virtue of their distinctive sophistication, persistence and targeting succeeded in stealing confidential data from (or sabotaging) the information systems of governments, financial institutions, large enterprises and other organizations; this not only obstructs the normal production and business activities of every industry but also seriously endangers public order and even national security. Because APT attack activity occurs infrequently, a single device can hardly collect enough APT attack data to train an attack activity prediction model. To address this problem of insufficient and scattered training data for APT attack activity prediction models, this paper proposes an APT activities prediction method for IoT systems (APTPIS). The method is the first to apply a federated learning mechanism to aggregate the features of suspicious activities in IoT systems, and it requires no preset correlation rules. To provide privacy protection, the attack activity prediction model adopts a differentially private data perturbation mechanism that adds Laplacian random noise to the data features of IoT terminal devices, protecting device data privacy to the greatest extent. Using the trained attack prediction model, an APT attack activity prediction procedure is designed: the log data currently generated by the system is fed into the prediction model to predict the probability that subsequent APT attack activities will occur. Simulation results show that APTPIS can accurately and efficiently predict the probability of subsequent APT attack activities in IoT systems while preserving the data privacy of terminal devices.
Keywords: advanced persistent threat; federated learning; attack activity prediction; Internet of Things; differential privacy
DOI: 10.19363/J.cnki.cn10-1380/tn.2025.07.12
Received: September 14, 2022; Revised: February 29, 2024
Funding: This work was supported by the Jiangsu Province Basic Research Program Youth Fund project (No. BK20230558), the Open Fund of the Key Laboratory of Flying Internet, Civil Aviation University of China (No. MHFLW202304), and the Natural Science Foundation of Xinjiang Uygur Autonomous Region (No. 2024D01A40).
|
APT Attack Activity Prediction Method for IoT Systems
CHENG Xiang,KUANG Miaomiao,ZHANG Jiale,CHEN Weitong,LI Yun,YANG Hongyu |
School of Information Engineering, Yangzhou University, Yangzhou 225127, China; Key Laboratory of Flying Internet, Civil Aviation University of China, Tianjin 300300, China; School of Safety Science and Engineering, Civil Aviation University of China, Tianjin 300300, China; School of Computer Science and Technology, Civil Aviation University of China, Tianjin 300300, China
Abstract:
With the rapid development of information technology and its applications, all kinds of network information systems face a large number of information security risks and hidden dangers, and network information security incidents occur frequently. Advanced Persistent Threats (APT), exemplified by "Stuxnet", with their characteristic sophistication, persistence and targeting, have stolen confidential data from (or destroyed) the critical information systems of governments, financial institutions, large enterprises and other organizations. This not only creates significant security risks in information systems and hinders the normal operation of industry and business, but also seriously affects public security and even national security. Because APT attacks are not launched frequently, it is difficult for a single device to capture sufficient APT attack data, and the data scale is not enough to train an attack activity prediction model. Aiming at this problem of insufficient and scattered APT attack prediction data, we propose an APT activities prediction method for IoT systems, named APTPIS, to predict the probability of subsequent APT attacks occurring in IoT systems. It is the first to apply a federated learning mechanism to aggregate suspicious activity features in IoT systems, and its APT prediction phase does not need any correlation rules. Moreover, to achieve the privacy-preserving property, we further adopt a differentially private data perturbation mechanism that adds Laplacian random noise to the training data features of the IoT devices, so as to protect private data to the maximum extent. Using the trained attack prediction model, an APT attack activity prediction process is designed: the log data generated by the system is input into the prediction model, and the probability of subsequent APT attacks is predicted. The experimental results show that APTPIS can accurately and efficiently predict the probability of subsequent APT attack activities occurring in the IoT system.
Key words: advanced persistent threat; federated learning; attack activity prediction; Internet of Things; differential privacy
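As an added illustration (not code from the paper), the following Python sketch walks through the pipeline the abstract describes: each IoT device clips its log-derived features, perturbs them with Laplacian noise (the Laplace mechanism, scale = sensitivity/ε), trains a local model, and the server aggregates the uploaded parameters with a sample-count-weighted average (FedAvg); the aggregated model then scores a new log window. The feature names, the logistic model, ε = 8 and the device data are all constructed assumptions; the paper's actual model and parameters are not given on this page.

```python
import math
import random
def laplace_scale(sensitivity, epsilon):
    # Laplace mechanism: noise scale b = sensitivity / epsilon
    if sensitivity < 0 or epsilon <= 0:
        raise ValueError("need sensitivity >= 0 and epsilon > 0")
    return sensitivity / epsilon
def sample_laplace(rng, scale):
    # inverse-CDF sampling, so a seeded random.Random gives reproducible noise
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))
def perturb_features(features, clip, epsilon, rng):
    # on-device step: clip to [0, clip] (bounding sensitivity), then add noise
    b = laplace_scale(clip, epsilon)
    return [min(max(x, 0.0), clip) + sample_laplace(rng, b) for x in features]

def predict_proba(w, b, x):
    # logistic model (assumed): probability that an APT activity follows this log window
    z = b + sum(wi * xi for wi, xi in zip(w, x))
    return 1.0 / (1.0 + math.exp(-z))

def train_local(rows, labels, lr=0.5, epochs=200):
    # gradient-descent logistic regression on one device's perturbed data
    w, b = [0.0] * len(rows[0]), 0.0
    for _ in range(epochs):
        for x, y in zip(rows, labels):
            g = predict_proba(w, b, x) - y
            w = [wi - lr * g * xi for wi, xi in zip(w, x)]
            b -= lr * g
    return w, b

def fedavg(models, sizes):
    # server-side FedAvg: sample-count-weighted mean of the uploaded parameters
    total = float(sum(sizes))
    w = [sum(wi * s for wi, s in zip(col, sizes)) / total for col in zip(*(m[0] for m in models))]
    return w, sum(m[1] * s for m, s in zip(models, sizes)) / total

# constructed per-device features (normalised failed-login rate, new outbound
# connections, process-spawn rate); label 1 = an APT activity followed
DEVICES = [
    ([[0.9, 0.8, 0.9], [0.1, 0.2, 0.1], [0.8, 0.9, 0.7], [0.2, 0.1, 0.2]], [1, 0, 1, 0]),
    ([[0.7, 0.9, 0.8], [0.1, 0.1, 0.2], [0.9, 0.7, 0.9], [0.2, 0.2, 0.1]], [1, 0, 1, 0]),
]

def run_round(epsilon=8.0, clip=1.0, seed=7):
    # one federated round: devices perturb locally and upload only parameters
    rng, models, sizes = random.Random(seed), [], []
    for rows, labels in DEVICES:
        noisy = [perturb_features(r, clip, epsilon, rng) for r in rows]
        models.append(train_local(noisy, labels)); sizes.append(len(rows))
    return fedavg(models, sizes)
```

Raw features never leave the device: only the perturbed-data-trained parameters are uploaded, and a smaller ε means a larger noise scale and stronger protection at the cost of model accuracy.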