
Log-Based Windows System Security Threat Identification Technology (cited by: 2)

Detection Method of Windows System Security Attack Based on LSTM Model
Abstract: Network security is critically important for large enterprises, and many security incidents occur every year. Network intrusions against large enterprises are usually launched by experienced attackers and are commonly referred to as advanced persistent threats (APT). An APT uses a variety of penetration techniques, among which intranet roaming (lateral movement) is a key step. Intranet roaming means that the attacker moves from one intranet host to other intranet hosts, steadily approaching critical hosts or servers. If the attacker's intranet roaming is not detected in time, the enterprise intranet is exposed to the risk of large-scale data leakage. The author studies intranet roaming detection in an enterprise intranet composed of many Windows hosts and implements two log-based methods for identifying Windows system security threats. To evaluate the implemented methods, Windows logs were collected from the enterprise intranet to construct a real-world data set, and threat identification was performed using HDBSCAN clustering and a statistical technique based on principal component classification (PCC). The results show that both methods can identify abnormal logon behavior from Windows security logs. HDBSCAN achieves a true positive rate (TPR) of 85.63% and a false positive rate (FPR) of 8.29%. PCC is weaker at detecting abnormal logons, with a TPR of 59.81% and an FPR of 4.70%. This work shows that log-based Windows system security threat identification can effectively detect an intruder's lateral roaming in the intranet and improve the ability to identify Windows system security threats.
Author: WEI Feng (State Grid Gansu Electric Power Research Institute, Lanzhou 730070, China)
Source: Microcomputer Applications (微型电脑应用), 2022, No. 9, pp. 133-137 (5 pages)
Keywords: APT (advanced persistent threat); Windows threat identification; intranet roaming detection; intranet security