The continuous improvement of the cyber threat intelligence sharing mechanism provides new ideas to deal with Advanced Persistent Threats(APT).Extracting attack behaviors,i.e.,Tactics,Techniques,Procedures(TTP)from Cy...The continuous improvement of the cyber threat intelligence sharing mechanism provides new ideas to deal with Advanced Persistent Threats(APT).Extracting attack behaviors,i.e.,Tactics,Techniques,Procedures(TTP)from Cyber Threat Intelligence(CTI)can facilitate APT actors’profiling for an immediate response.However,it is difficult for traditional manual methods to analyze attack behaviors from cyber threat intelligence due to its heterogeneous nature.Based on the Adversarial Tactics,Techniques and Common Knowledge(ATT&CK)of threat behavior description,this paper proposes a threat behavioral knowledge extraction framework that integrates Heterogeneous Text Network(HTN)and Graph Convolutional Network(GCN)to solve this issue.It leverages the hierarchical correlation relationships of attack techniques and tactics in the ATT&CK to construct a text network of heterogeneous cyber threat intelligence.With the help of the Bidirectional EncoderRepresentation fromTransformers(BERT)pretraining model to analyze the contextual semantics of cyber threat intelligence,the task of threat behavior identification is transformed into a text classification task,which automatically extracts attack behavior in CTI,then identifies the malware and advanced threat actors.The experimental results show that F1 achieve 94.86%and 92.15%for the multi-label classification tasks of tactics and techniques.Extend the experiment to verify the method’s effectiveness in identifying the malware and threat actors in APT attacks.The F1 for malware and advanced threat actors identification task reached 98.45%and 99.48%,which are better than the benchmark model in the experiment and achieve state of the art.The model can effectivelymodel threat intelligence text data and acquire knowledge and experience migration by correlating implied features with a priori knowledge to compensate for insufficient sample data and improve the classification performance and recognition ability of threat behavior in text.展开更多
Network attack graphs are originally used to evaluate what the worst security state is when a concerned net-work is under attack. Combined with intrusion evidence such like IDS alerts, attack graphs can be further use...Network attack graphs are originally used to evaluate what the worst security state is when a concerned net-work is under attack. Combined with intrusion evidence such like IDS alerts, attack graphs can be further used to perform security state posterior inference (i.e. inference based on observation experience). In this area, Bayesian network is an ideal mathematic tool, however it can not be directly applied for the following three reasons: 1) in a network attack graph, there may exist directed cycles which are never permitted in a Bayesian network, 2) there may exist temporal partial ordering relations among intrusion evidence that can-not be easily modeled in a Bayesian network, and 3) just one Bayesian network cannot be used to infer both the current and the future security state of a network. In this work, we improve an approximate Bayesian posterior inference algorithm–the likelihood-weighting algorithm to resolve the above obstacles. We give out all the pseudocodes of the algorithm and use several examples to demonstrate its benefit. Based on this, we further propose a network security assessment and enhancement method along with a small network scenario to exemplify its usage.展开更多
Building attack scenario is one of the most important aspects in network security.This paper pro-posed a system which collects intrusion alerts,clusters them as sub-attacks using alerts abstraction,ag-gregates the sim...Building attack scenario is one of the most important aspects in network security.This paper pro-posed a system which collects intrusion alerts,clusters them as sub-attacks using alerts abstraction,ag-gregates the similar sub-attacks,and then correlates and generates correlation graphs.The scenarios wererepresented by alert classes instead of alerts themselves so as to reduce the required rules and have the a-bility of detecting new variations of attacks.The proposed system is capable of passing some of the missedattacks.To evaluate system effectiveness,it was tested with different datasets which contain multi-stepattacks.Compressed and easily understandable Correlation graphs which reflect attack scenarios were gen-erated.The proposed system can correlate related alerts,uncover the attack strategies,and detect newvariations of attacks.展开更多
分布式拒绝服务(Distributed Denial of Service,DDoS)攻击已经成为网络安全的主要威胁之一,其中应用层DDoS攻击是主要的攻击手段。应用层DDoS攻击是针对具体应用服务的攻击,其在网络层行为表现正常,传统安全设备无法有效抵御。同时,现...分布式拒绝服务(Distributed Denial of Service,DDoS)攻击已经成为网络安全的主要威胁之一,其中应用层DDoS攻击是主要的攻击手段。应用层DDoS攻击是针对具体应用服务的攻击,其在网络层行为表现正常,传统安全设备无法有效抵御。同时,现有的针对应用层DDoS攻击的检测方法检测能力不足,难以适应攻击模式的变化。为此,文章提出一种基于时空图神经网络(Spatio-Temporal Graph Neural Network,STGNN)的应用层DDoS攻击检测方法,利用应用层服务的特征,从应用层数据和应用层协议交互信息出发,引入注意力机制并结合多个GraphSAGE层,学习不同时间窗口下的实体交互模式,进而计算检测流量与正常流量的偏差,完成攻击检测。该方法仅利用时间、源IP、目的IP、通信频率、平均数据包大小5维数据便可有效识别应用层DDoS攻击。由实验结果可知,该方法在攻击样本数量较少的情况下,与对比方法相比可获得较高的Recall和F1分数。展开更多
针对目前RFID(Radio Frequency Identification,射频识别技术)系统安全分析中忽略攻击事件对系统安全状态动态影响的问题,为了有效实现RFID系统的安全风险评估,文章提出了一种基于贝叶斯攻击图的RFID系统安全评估模型。该模型首先通过对...针对目前RFID(Radio Frequency Identification,射频识别技术)系统安全分析中忽略攻击事件对系统安全状态动态影响的问题,为了有效实现RFID系统的安全风险评估,文章提出了一种基于贝叶斯攻击图的RFID系统安全评估模型。该模型首先通过对RFID系统结构、所用协议进行分析确定系统的脆弱性漏洞及其依赖关系,建立攻击图。针对攻击图模型只能进行定性分析的问题,构建出相应的攻击图模型结构后可以结合贝叶斯理论对其进行量化。依据漏洞的利用难易度和影响程度建立RFID漏洞量化评价指标,计算出对应的原子攻击概率,然后以条件转移概率的形式将攻击节点与RFID系统的安全属性节点联系在一起,不仅能推断攻击者能够成功到达各个属性节点的风险概率,而且能够依据攻击者的不同行为动态展示系统风险状况的变化,实现评估不同状态下目标RFID系统的整体风险状况。实验表明,所提模型可以有效地计算出RFID系统整体的风险概率,为后续实施对应的安全策略提供理论依据。展开更多
Early attack detection is essential to ensure the security of complex networks,especially those in critical infrastructures.This is particularly crucial in networks with multi-stage attacks,where multiple nodes are co...Early attack detection is essential to ensure the security of complex networks,especially those in critical infrastructures.This is particularly crucial in networks with multi-stage attacks,where multiple nodes are connected to external sources,through which attacks could enter and quickly spread to other network elements.Bayesian attack graphs(BAGs)are powerful models for security risk assessment and mitigation in complex networks,which provide the probabilistic model of attackers’behavior and attack progression in the network.Most attack detection techniques developed for BAGs rely on the assumption that network compromises will be detected through routine monitoring,which is unrealistic given the ever-growing complexity of threats.This paper derives the optimal minimum mean square error(MMSE)attack detection and monitoring policy for the most general form of BAGs.By exploiting the structure of BAGs and their partial and imperfect monitoring capacity,the proposed detection policy achieves the MMSE optimality possible only for linear-Gaussian state space models using Kalman filtering.An adaptive resource monitoring policy is also introduced for monitoring nodes if the expected predictive error exceeds a user-defined value.Exact and efficient matrix-form computations of the proposed policies are provided,and their high performance is demonstrated in terms of the accuracy of attack detection and the most efficient use of available resources using synthetic Bayesian attack graphs with different topologies.展开更多
基金supported by China’s National Key R&D Program,No.2019QY1404the National Natural Science Foundation of China,Grant No.U20A20161,U1836103the Basic Strengthening Program Project,No.2019-JCJQ-ZD-113.
文摘The continuous improvement of the cyber threat intelligence sharing mechanism provides new ideas to deal with Advanced Persistent Threats(APT).Extracting attack behaviors,i.e.,Tactics,Techniques,Procedures(TTP)from Cyber Threat Intelligence(CTI)can facilitate APT actors’profiling for an immediate response.However,it is difficult for traditional manual methods to analyze attack behaviors from cyber threat intelligence due to its heterogeneous nature.Based on the Adversarial Tactics,Techniques and Common Knowledge(ATT&CK)of threat behavior description,this paper proposes a threat behavioral knowledge extraction framework that integrates Heterogeneous Text Network(HTN)and Graph Convolutional Network(GCN)to solve this issue.It leverages the hierarchical correlation relationships of attack techniques and tactics in the ATT&CK to construct a text network of heterogeneous cyber threat intelligence.With the help of the Bidirectional EncoderRepresentation fromTransformers(BERT)pretraining model to analyze the contextual semantics of cyber threat intelligence,the task of threat behavior identification is transformed into a text classification task,which automatically extracts attack behavior in CTI,then identifies the malware and advanced threat actors.The experimental results show that F1 achieve 94.86%and 92.15%for the multi-label classification tasks of tactics and techniques.Extend the experiment to verify the method’s effectiveness in identifying the malware and threat actors in APT attacks.The F1 for malware and advanced threat actors identification task reached 98.45%and 99.48%,which are better than the benchmark model in the experiment and achieve state of the art.The model can effectivelymodel threat intelligence text data and acquire knowledge and experience migration by correlating implied features with a priori knowledge to compensate for insufficient sample data and improve the classification performance and recognition ability of threat behavior in text.
文摘Network attack graphs are originally used to evaluate what the worst security state is when a concerned net-work is under attack. Combined with intrusion evidence such like IDS alerts, attack graphs can be further used to perform security state posterior inference (i.e. inference based on observation experience). In this area, Bayesian network is an ideal mathematic tool, however it can not be directly applied for the following three reasons: 1) in a network attack graph, there may exist directed cycles which are never permitted in a Bayesian network, 2) there may exist temporal partial ordering relations among intrusion evidence that can-not be easily modeled in a Bayesian network, and 3) just one Bayesian network cannot be used to infer both the current and the future security state of a network. In this work, we improve an approximate Bayesian posterior inference algorithm–the likelihood-weighting algorithm to resolve the above obstacles. We give out all the pseudocodes of the algorithm and use several examples to demonstrate its benefit. Based on this, we further propose a network security assessment and enhancement method along with a small network scenario to exemplify its usage.
基金the National High Technology Research and Development Programme of China(2006AA01Z452)
文摘Building attack scenario is one of the most important aspects in network security.This paper pro-posed a system which collects intrusion alerts,clusters them as sub-attacks using alerts abstraction,ag-gregates the similar sub-attacks,and then correlates and generates correlation graphs.The scenarios wererepresented by alert classes instead of alerts themselves so as to reduce the required rules and have the a-bility of detecting new variations of attacks.The proposed system is capable of passing some of the missedattacks.To evaluate system effectiveness,it was tested with different datasets which contain multi-stepattacks.Compressed and easily understandable Correlation graphs which reflect attack scenarios were gen-erated.The proposed system can correlate related alerts,uncover the attack strategies,and detect newvariations of attacks.
文摘针对目前RFID(Radio Frequency Identification,射频识别技术)系统安全分析中忽略攻击事件对系统安全状态动态影响的问题,为了有效实现RFID系统的安全风险评估,文章提出了一种基于贝叶斯攻击图的RFID系统安全评估模型。该模型首先通过对RFID系统结构、所用协议进行分析确定系统的脆弱性漏洞及其依赖关系,建立攻击图。针对攻击图模型只能进行定性分析的问题,构建出相应的攻击图模型结构后可以结合贝叶斯理论对其进行量化。依据漏洞的利用难易度和影响程度建立RFID漏洞量化评价指标,计算出对应的原子攻击概率,然后以条件转移概率的形式将攻击节点与RFID系统的安全属性节点联系在一起,不仅能推断攻击者能够成功到达各个属性节点的风险概率,而且能够依据攻击者的不同行为动态展示系统风险状况的变化,实现评估不同状态下目标RFID系统的整体风险状况。实验表明,所提模型可以有效地计算出RFID系统整体的风险概率,为后续实施对应的安全策略提供理论依据。
基金supported in part by the National Science Foundation award IIS-2202395ARMY Research Office award W911NF2110299Oracle Cloud credits and related resources provided by the Oracle for Research program.
文摘Early attack detection is essential to ensure the security of complex networks,especially those in critical infrastructures.This is particularly crucial in networks with multi-stage attacks,where multiple nodes are connected to external sources,through which attacks could enter and quickly spread to other network elements.Bayesian attack graphs(BAGs)are powerful models for security risk assessment and mitigation in complex networks,which provide the probabilistic model of attackers’behavior and attack progression in the network.Most attack detection techniques developed for BAGs rely on the assumption that network compromises will be detected through routine monitoring,which is unrealistic given the ever-growing complexity of threats.This paper derives the optimal minimum mean square error(MMSE)attack detection and monitoring policy for the most general form of BAGs.By exploiting the structure of BAGs and their partial and imperfect monitoring capacity,the proposed detection policy achieves the MMSE optimality possible only for linear-Gaussian state space models using Kalman filtering.An adaptive resource monitoring policy is also introduced for monitoring nodes if the expected predictive error exceeds a user-defined value.Exact and efficient matrix-form computations of the proposed policies are provided,and their high performance is demonstrated in terms of the accuracy of attack detection and the most efficient use of available resources using synthetic Bayesian attack graphs with different topologies.