Abstract
Attack investigation is an important means of achieving proactive defense, attribution and counteraction. Modern network attacks are highly stealthy and strongly adversarial, so developing efficient, automated investigation methods that improve a defender's ability to respond rapidly to complex attacks is one of the key technologies of intelligent network attack and defense. Existing studies model system audit logs as provenance graphs that express the causal dependencies among attack events, and exploit the strong correlation-analysis and semantic-representation power of such graphs to investigate complex, stealthy attacks, with markedly better results than conventional methods. Building on a comprehensive collection and analysis of the literature on provenance-graph-based attack investigation, this paper divides the methods into three categories according to how the provenance graph is used and which feature dimensions are mined: causality analysis, deep representation learning, and anomaly detection. For each category it summarizes the concrete workflow and a general framework. It then reviews provenance-graph optimization methods and traces how the technology has evolved from theory to industrial deployment. Finally, it collects the datasets commonly used in attack-investigation research, compares representative provenance-graph-based techniques and their performance metrics, and outlines future research directions in this field.
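The abstract's central idea is that audit records become a graph whose edges carry causal (information-flow) dependencies, and that an investigation walks that graph backwards from an alert. The following Python example is added here to make that concrete; it is not code from the paper or its authors. It builds a small provenance graph from constructed audit records (every process name, path, address and timestamp is made up) and runs a backward causal trace that only follows edges whose timestamp is not later than the time the downstream node was affected. The benign `nginx.conf` read is pulled into the result on purpose: it shows the dependency-explosion problem that the provenance-graph optimization methods surveyed in the paper try to mitigate.

```python
"""Provenance graph from audit records plus backward causal tracing.

Added illustration, not the paper's code. Nodes are processes, files and
sockets; an edge src -> dst at time ts means information flowed from src to
dst: a read flows file -> process, a write flows process -> file, fork/exec
flow parent -> child, and recv flows socket -> process.
"""
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

Edge = Tuple[int, str, str, str]  # (ts, src, op, dst)

# Constructed audit records (not real logs); timestamps are logical ticks.
EVENTS: List[Edge] = [
    (0, "file:/etc/nginx/nginx.conf", "read", "proc:nginx"),       # benign config read
    (1, "sock:203.0.113.5:4444", "recv", "proc:nginx"),            # attacker input
    (2, "proc:nginx", "fork", "proc:sh"),                           # web server spawns shell
    (3, "proc:sh", "write", "file:/tmp/x.sh"),                      # drops a script
    (4, "proc:sh", "fork", "proc:bash"),
    (5, "file:/tmp/x.sh", "read", "proc:bash"),                     # script is executed
    (6, "proc:bash", "write", "file:/etc/cron.d/backdoor"),         # ALERT: persistence
    (7, "file:/etc/cron.d/backdoor", "read", "proc:cron"),          # forward consequence
    (7, "proc:logrotate", "write", "file:/var/log/nginx/access.log"),  # unrelated
    (8, "file:/etc/passwd", "read", "proc:bash"),                   # after the alert: not a cause
]


def build_graph(events: List[Edge]) -> Dict[str, List[Tuple[int, str, str]]]:
    """Index edges by destination so a backward query costs O(in-degree)."""
    in_edges: Dict[str, List[Tuple[int, str, str]]] = defaultdict(list)
    for ts, src, op, dst in events:
        in_edges[dst].append((ts, src, op))
    return in_edges


def backward_trace(in_edges, node: str, ts: int) -> Tuple[Set[str], Set[Edge]]:
    """Return (nodes, edges) causally upstream of `node` as of time `ts`.

    An edge src -> dst at time t can only have influenced dst's state at time
    T if t <= T, so every frontier entry carries a time bound that shrinks as
    the walk goes back. `best` records the largest bound already explored per
    node; revisiting with a smaller bound cannot reveal new edges, so skip it.
    """
    best = {node: ts}
    queue = deque([(node, ts)])
    nodes, edges = {node}, set()
    while queue:
        dst, bound = queue.popleft()
        for t, src, op in in_edges.get(dst, []):
            if t > bound:          # later than the effect: cannot be its cause
                continue
            edges.add((t, src, op, dst))
            nodes.add(src)
            if t > best.get(src, -1):
                best[src] = t
                queue.append((src, t))
    return nodes, edges


def attack_story(edges: Set[Edge]) -> List[str]:
    """Render the causal subgraph as a time-ordered narrative for an analyst."""
    return [f"t={t}: {src} --{op}--> {dst}" for t, src, op, dst in sorted(edges)]


if __name__ == "__main__":
    graph = build_graph(EVENTS)
    _, causal_edges = backward_trace(graph, "file:/etc/cron.d/backdoor", 6)
    print("\n".join(attack_story(causal_edges)))
```

Running the block prints the chain from the attacker's socket through `nginx`, `sh`, the dropped script and `bash` to the cron file, while the `/etc/passwd` read (after the alert) and the `cron`/`logrotate` activity never enter the result. The config-file read does, which is exactly why real systems need pruning, aggregation or learned scoring on top of plain causality.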
Authors
QIU Jing (仇晶), CHEN Rong-rong (陈荣融), ZHU Hao-jin (朱浩瑾), XIAO Yan-jun (肖岩军), YIN Li-hua (殷丽华), TIAN Zhi-hong (田志宏)
Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou, Guangdong 510555, China; Pengcheng Laboratory, Shenzhen, Guangdong 518000, China; Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200240, China; NSFOCUS Technologies Group Co., Ltd, Guangzhou, Beijing 100089, China
Source
Acta Electronica Sinica (电子学报), 2024, No. 7, pp. 2529-2556 (28 pages)
Indexed in: EI, CAS, CSCD, Peking University Core Journals (北大核心)
Funding
National Key R&D Program of China (No. 2022ZD0119602)
National Natural Science Foundation of China (No. 62272114)
Pengcheng Laboratory Major Project (No. PCL2022A03)
CCF-NSFOCUS "Kunpeng" Research Fund (No. CCF-NSFOCUS2023003)
Keywords
attack investigation
provenance graph
advanced persistent threat
deep learning
anomaly detection