摘要
高级持续性威胁(advanced persistent threat,APT)是当今工控网络安全首要威胁,而传统的基于特征匹配的工业入侵检测系统往往无法检测出最新型的APT攻击;现有研究者认为,敏感数据窃密是APT攻击的重要目的之一;为了能准确识别出APT攻击的窃密行为,对APT攻击在窃密阶段受控主机与控制与命令(Control and Command,C&C)服务器通信时TCP会话流特征进行深入研究,采用深度流检测技术,并提出一种基于多特征空间加权组合SVM分类检测算法对APT攻击异常会话流进行检测;实验表明,采用深度流检测技术对隐蔽APT攻击具备良好的检测能力,而基于多特征空间加权组合SVM分类检测算法较传统单一分类检测的检测精度更高,误报率更低,对工控网络安全领域的研究具有推进作用。
The advanced persistent threat(APT)is the foremost threat to industrial network security today,and traditional feature detection-based industrial intrusion detection systems are often unable to detect the latest APT attacks.Existing researchers believe that theft of sensitive data is one of the important goals of APT attacks.In order to accurately identify the stealing behavior of the APT attack,the APT attack in the stealing phase controlled host and the control and command(C&C)server communication TCP flow characteristics in-depth study,the use of depth flow detection technology,and proposed a a multi-feature spatial weighted combined SVM classification detection algorithm which is used to detect abnormal APT attack session flows.Experiments show that the use of depth flow detection technology has a good ability to detect hidden APT attacks,and the multi-feature spatial weighted combined SVM classification detection algorithm has higher detection accuracy and lower false alarm rate than traditional single classification detection,and it is also safe for industrial control security.The research has a promoting effect.
作者
赵澄
方建辉
姚明海
Zhao Cheng;Fang Jianhui;Yao Minghai(College of Information Engineering,Zhejiang University of Technology,Hangzhou 310023,China)
出处
《计算机测量与控制》
2018年第10期250-254,共5页
Computer Measurement &Control
关键词
高级持续性威胁
工控网络
深度流检测
组合分类检测算法
advanced persistent threat
industrial network security
deep flow detection
combined SVM classification