Abstract
In recent years, attacks against government agencies, industrial facilities and large corporate networks have emerged one after another, and cyberspace security has become an overall issue bearing on national stability, social stability and economic prosperity. Advanced persistent threats (APT) have gradually evolved into a combination of social engineering attacks and zero-day vulnerability exploitation, and have become one of the most serious cyberspace security threats. Current APT research focuses on finding reliable attack features and improving detection accuracy; because APT features are easily hidden within complex and massive data, obtaining reliable data has become much harder, and how to detect APT attacks as early as possible and attribute them to an APT family is a hot issue for researchers. On this basis, this paper proposes an APT attack path restoration and prediction method. First, drawing on the idea of software genes, an APT malware gene model and a gene similarity detection algorithm are designed to build a malicious behavior gene library; samples are genetically tested against this library to extract reliable malicious features, which addresses the problem of reliable data acquisition. Second, to restore and predict APT attack paths, a hidden Markov model (HMM) is applied to the APT malicious behavior chain: the features produced by the gene library are used to construct the malicious behavior chain and estimate the model parameters, from which the APT attack path is restored and predicted, with a prediction accuracy above 90%. Finally, malware family identification is carried out with both the HMM and gene detection; the experimental results show that gene features and HMM parameter features can, to a certain extent, guide an intrusion detection system in identifying and classifying malware.
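As an added illustration of the HMM step described in the abstract (this is not the paper's code, parameters or data): hidden states stand for assumed attack stages, observations for behavior-gene labels of the kind a gene library might emit, and all probabilities are constructed sample values. Viterbi decoding restores the most likely stage sequence behind an observed behavior chain, and the transition row of the last restored stage gives the one-step prediction of the next stage.

```python
import math

# Hidden states are assumed attack stages; observations are assumed behavior-gene labels.
STATES = ["recon", "delivery", "exploit", "c2", "exfil"]
GENES = ["scan", "dropper", "inject", "beacon", "upload"]

# Constructed parameters (not the paper's estimates): stages mostly advance in order.
START = [0.8, 0.1, 0.05, 0.03, 0.02]
TRANS = [  # P(next stage | current stage)
    [0.40, 0.50, 0.05, 0.03, 0.02],
    [0.05, 0.30, 0.55, 0.07, 0.03],
    [0.03, 0.05, 0.30, 0.55, 0.07],
    [0.02, 0.03, 0.05, 0.40, 0.50],
    [0.02, 0.03, 0.05, 0.30, 0.60],
]
EMIT = [  # P(gene | stage)
    [0.70, 0.10, 0.10, 0.05, 0.05],
    [0.10, 0.70, 0.10, 0.05, 0.05],
    [0.05, 0.15, 0.70, 0.05, 0.05],
    [0.05, 0.05, 0.10, 0.70, 0.10],
    [0.05, 0.05, 0.05, 0.15, 0.70],
]


def restore_path(chain):
    """Viterbi decoding: most likely stage sequence for an observed gene chain."""
    obs = [GENES.index(g) for g in chain]
    n = len(STATES)
    # Work in log space so long chains do not underflow.
    score = [math.log(START[s]) + math.log(EMIT[s][obs[0]]) for s in range(n)]
    back = []
    for o in obs[1:]:
        new_score, ptrs = [], []
        for s in range(n):
            best_val, best_prev = max((score[p] + math.log(TRANS[p][s]), p) for p in range(n))
            new_score.append(best_val + math.log(EMIT[s][o]))
            ptrs.append(best_prev)
        score, back = new_score, back + [ptrs]
    last = max(range(n), key=lambda s: score[s])
    path = [last]
    for ptrs in reversed(back):  # follow back-pointers from the final stage
        path.append(ptrs[path[-1]])
    return [STATES[s] for s in reversed(path)]


def predict_next(chain):
    """Predicted next stage: argmax of the transition row of the last restored stage."""
    last = STATES.index(restore_path(chain)[-1])
    row = TRANS[last]
    return STATES[max(range(len(row)), key=lambda s: row[s])]
```

The second chain in the test below contains an out-of-order "inject" observation; the decoder still restores a delivery stage there because the transition structure makes that path more probable than the observation alone suggests.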
Authors
陈伟翔
任怡彤
肖岩军
侯锐
田志宏
CHEN Weixiang; REN Yitong; XIAO Yanjun; HOU Rui; TIAN Zhihong (School of Computer Science and Cyber Engineering, Guangzhou University, Guangzhou 510006, China; NSFOCUS Technologies Group Co., Ltd, Guangzhou 510006, China; State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China)
Source
Journal of Cyber Security (《信息安全学报》)
CSCD
2023, Issue 1, pp. 1-13 (13 pages)
Funding
Supported by the National Natural Science Foundation of China (No. U20B2046),
the Guangdong Provincial University Innovation Team Project (No. 2020KCXTD007),
and the Guangzhou Municipal University Innovation Team Project (No. 202032854).