面向组织溯源的威胁行为技术关联研究

Research on threat behavior technique association for organization traceability

在网络入侵日趋组织化的今天,如何有效地对威胁组织进行追踪溯源是网络安全防御中的重要内容.威胁行为模式作为入侵受害者系统时的表现形式,于入侵者而言很难改变,是入侵者的一种高级特征.若能有效提取组织的威胁行为模式,那么将大幅提高组织溯源的成功率和准确率.为此,本文从组织行为模式的角度提出威胁行为技术关联算法.该算法扩展了Ward连接凝聚层次聚类,可通过对组织所使用的入侵技术进行聚类学习以提取组织的威胁行为模式,并以95%的置信度验证了威胁行为之间的技术关联性.本文通过该算法生成的威胁行为技术关联模型,包含97类威胁行为技术关联簇,每一类簇可直观地看到不同组织所对应的威胁行为模式,可为组织溯源提供有力支撑.

Nowadays,network attacks are becoming more and more organized.How to effectively trace the source of threat organizations is an important part of network security defense.As the manifestation of attacking the victim’s system,threat behavior pattern is difficult to change,and it is an advanced feature of the attacker.If the threat behavior patterns can be extracted effectively,the success rate and accuracy of the organization traceability will be greatly improved.Therefore,this paper proposes the threat behavior Technique Association Algorithm from the perspective of organizational behavior pattern.The algorithm extends the Ward connection aggregation hierarchical clustering,which can extract the threat behavior patterns of the organization by clustering the attack techniques used by the organization,and verifies the technical correlation between the threat behaviors with 95%confidence.In this paper,the threat behavior Technique Association model generated by the algorithm includes 97 types of threat behavior Technique Association clusters.Each cluster can directly reflect the corresponding threat behavior patterns of different organizations,which can provide strong support for organization traceability.