Abstract
As attack techniques continue to evolve, defense becomes increasingly difficult. To identify and block attacks promptly and effectively, academia and industry have proposed many defense techniques based on attack detection. Existing attack detection methods focus mainly on attack events, discovering attacks either by recognizing attack signatures or by locating anomalous activity; these two approaches suffer respectively from insufficient generalization and insufficient attack orientation, are easily bypassed by attack variants carefully crafted by the attacker, and therefore produce false negatives and false positives. However, we observe that although an attack and its variants may employ many different attack mechanisms to bypass certain defenses while pursuing the same attack goal, the impact of these attacks on the system remains similar precisely because the goal is unchanged; the resulting system impact therefore does not grow in step with the large increase in attack methods. Exploiting this property, this paper proposes an attack detection method based on an indicator-dependent model in order to handle attack variants more effectively. The proposed indicator-dependent model focuses on the post-exploitation impact on the system rather than on the highly variable attack behavior, and thus generalizes better. Guided by the model, multi-level monitoring is further employed to rapidly capture and locate attack traces, ultimately achieving precise detection of the target attack and its variants and effectively lowering the false positive rate of attack detection. Experiments on a test set composed of the DARPA Transparent Computing program data and typical APT attacks, compared against existing detection methods based on attack event analysis, show that in the preset scenarios the proposed method achieves a 99.30% detection rate with an acceptable performance overhead.
Abstract (English)
With the continuous evolution of attack techniques, the difficulty of defense is increasing rapidly. In order to identify and block the attacks in a timely and effective manner, numerous detection-based defenses have been proposed in academia and industry. The current attack detection methods mainly focus on attack behaviors, and find attacks by identifying attack signals or locating abnormal activities. These solutions have the limitations of insufficient generalization and attack-orientation respectively, and are easily bypassed by attackers' well-crafted behaviors, resulting in false positives and false negatives. Nevertheless, it is observed that attacks and their variants usually leverage different attack mechanisms to bypass some defenses and achieve the same attack purpose. Since the attack purpose remains the same, the impact of these attacks on the system is still similar, so the caused system impact will not increase correspondingly with the large increase in attack methods. Based on this observation, an indicator-dependent model-based attack detection method is proposed to detect attack variants more effectively. The proposed model focuses on the impact of the exploits on the system rather than the various attack behaviors, which is more generalizable. Based on the model, multi-level monitoring technology is further adopted to quickly capture and locate attack traces, and finally the accurate detection of target attacks and variants is achieved, which effectively reduces the false alarm rate. The effectiveness of the proposed method is verified by experiment, compared with existing attack behavior-based detection methods on the attack set composed of the DARPA Transparent Computing project and typical APT attacks. The experimental results show that the proposed solution is able to achieve 99.30% detection accuracy with an acceptable performance cost.
Authors
王立敏
卜磊
马乐之
于笑丰
沈宁国
WANG Li-Min; BU Lei; MA Le-Zhi; YU Xiao-Feng; SHEN Ning-Guo (State Key Laboratory for Novel Software Technology (Nanjing University), Nanjing 210023, China; Department of Computer Science and Technology, Nanjing University, Nanjing 210023, China; Software Institute, Nanjing University, Nanjing 210093, China; Business School, Nanjing University, Nanjing 210093, China; Huawei Technologies Co. Ltd., Shenzhen 518129, China)
Source
Journal of Software (软件学报)
Indexed in: EI, CSCD, Peking University Core Journals (北大核心)
2023, Issue 6, pp. 2641-2668 (28 pages)
Funding
National Natural Science Foundation of China (62232008, 62172200)
Jiangsu Province Frontier Leading Technology Basic Research Project (BK20202001)
Keywords
indicator-dependent model
attack detection
exploitation
system status