Journal article

APT attack detection framework based on SIEM system (cited by: 2)
Abstract: Advanced persistent threat (APT) attacks are characterized by long latency, high concealment, strong targeting, and long duration. To address them, this paper proposes an APT attack detection framework based on a security information and event management (SIEM) system. The framework consists of two modules: network boundary log analysis and internal network traffic analysis. The network boundary log analysis module uses big data analysis technology to integrate and correlate, in real time, the massive heterogeneous security logs and traffic generated by the various security protection devices, and uses signature-based detection to build the first layer of malicious code detection, forming the first line of defense against APT attacks at the network boundary or host boundary. The internal network traffic analysis module uses big data analysis technology to filter internal network traffic, works in coordination with the boundary log analysis module, and combines static homology classification based on graph edit distance to build the second layer of malicious code detection, focusing on defending against C&C encrypted channels, 0day vulnerabilities, and polymorphic trojans. Through network forensic analysis, full-traffic backtracking is used to discover anomalies, a Bloom filter algorithm to filter intrusion behavior, and virtual execution analysis to reconstruct APT attack events, thereby forming the internal network's line of defense against APT attacks.
Authors: 谭振江 (TAN Zhen-jiang), 邬娜 (WU Na), 郑月锋 (ZHENG Yue-feng) (College of Mathematics and Computer Science, Jilin Normal University, Siping 136000, China)
Source: Journal of Jilin Normal University (Natural Science Edition), 2023, No. 3, pp. 118-123 (6 pages)
Funding: Natural Science Foundation of Jilin Province (20210101176JC); Jilin Normal University Doctoral Start-up Project (吉师博2019019).
Keywords: APT attack; SIEM system; malicious code detection; big data analysis; network forensics analysis