基于攻击上下文分析的多阶段攻击趋势预测

Multi-stage Attack Prediction Based on Attack Context Analysis

高级可持续威胁(Advanced Persistent Threat,APT)等多阶段攻击具有复杂多样性和隐蔽持续性的特点,给网络安全带来了极大的威胁。研究攻击方的攻击策略并对其后续攻击步骤进行预测,是防御方的一个重要研究课题。针对多阶段攻击趋势预测难的问题,该文提出了基于攻击上下文分析的多阶段攻击趋势预测算法,从系统日志中梳理攻击上下文并对后续的攻击趋势进行预测。该算法先通过因果图构建、异常日志序列提取、抽象文本表示等步骤实现对已有攻击上下文的分析,然后基于已经检测到的攻击序列,利用Transformer模型对后续攻击趋势进行预测。在开源的ATLAS数据集和HDFS数据集上对算法进行了验证。在ATLAS数据集的超过7000个序列中,该算法的单步预测准确率可达90%以上,五步预测准确率也能达到74%。实验表明基于攻击上下文分析的攻击趋势预测是一种可行的方法,为网络攻击预测研究提供了一种新思路。

Multi-stage attacks,such as Advanced Persistent Threat(APT),have the characteristics of complex diversity and concealment persistence,and pose a great threat to the network security.Therefore,to study the attack strategies of attackers and predict the subsequent attack steps is still an important research topic for defenders.In order to overcome the difficulty to predict the trend of multi-stage attacks,we propose a multi-stage attack trend prediction algorithm based on the attack context analysis,which analyzes the attack context from the system logs and predicts the subsequent attack steps.The proposed algorithm firstly fulfills the attach context analysis through the construction of causal graphs,the extraction of abnormal log sequences and the abstract text representation.Then,the subsequent attack steps are predicted using the Transformer-based model based on the detected attack sequences.The proposed algorithm has been evaluated on the released ATLAS dataset and HDFS dataset,and it has achieved the accuracy of more than 90%on one-step prediction and the accuracy of 74%on five-step prediction,among the more than 7000 sequences of ATLAS.The experiments demonstrate that it is practicable and reasonable to predict the trend of multi-stage attacks based on the attack context analysis.This also supplies a new idea for researches on network attack prediction.