Abstract

Enterprise intranets have fixed business logic and controlled inbound and outbound network access. Building on these characteristics, this paper first defines two classes (four kinds) of abnormal behaviour, then proposes a multi-step attack detection method based on recognising anomalies in network communication. For the two classes of anomaly, abnormal subgraphs and abnormal communication edges, graph-based anomaly analysis and wavelet analysis are used respectively to identify abnormal behaviour in network communication, and multi-step attacks are detected through anomaly correlation analysis. Experiments on the DARPA 2000 data set and the LANL data set show that the proposed method can effectively detect and reconstruct multi-step attack scenarios. The method can monitor multi-step attacks including attack types with unknown signatures, offers a feasible approach for detecting complex multi-step attacks such as APT, and, because the network communication graph greatly reduces the data volume, is suitable for large-scale enterprise network environments.
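The following added example (not the paper's code) sketches the pipeline the abstract describes on constructed flow records: a communication graph is built per time slot, edges whose traffic series shows a large Haar-wavelet detail coefficient are flagged as abnormal edges, edges absent from the stable baseline graph are flagged as structural anomalies, and time-ordered anomalies on adjacent hosts are correlated into a candidate multi-step scenario. The host names, thresholds and correlation rule are assumptions for illustration.

```python
# Illustrative sketch of the pipeline in the abstract (assumed design, not the
# paper's code): communication graph -> wavelet edge anomalies + baseline-graph
# structural anomalies -> time-ordered correlation into a multi-step scenario.
from collections import defaultdict
from math import sqrt

# Constructed sample: (time_slot, src, dst) flows over 8 slots. Steady background
# traffic plus a scripted intrusion: an external host reaches the web server in
# slot 2, then the web server bursts traffic to the DB server in slot 4.
FLOWS = ([(t, "ws1", "web") for t in range(8)] + [(t, "web", "db") for t in range(8)]
         + [(2, "ext", "web")] * 6 + [(4, "web", "db")] * 10 + [(2, "ws1", "web")])

def edge_series(flows, n_slots):
    """Flow count per edge per slot: the communication graph over time."""
    series = defaultdict(lambda: [0] * n_slots)
    for t, src, dst in flows:
        series[(src, dst)][t] += 1
    return series

def haar_detail(x):
    """Level-1 Haar detail coefficients; an abrupt jump gives a large |d|."""
    return [(x[i] - x[i + 1]) / sqrt(2) for i in range(0, len(x) - 1, 2)]

def detect(flows, n_slots=8, threshold=3.0, min_presence=0.5):
    """Returns (abnormal edges, edges absent from baseline, correlated chains)."""
    series = edge_series(flows, n_slots)
    edge_anom, new_edges = [], []
    for edge, counts in series.items():
        d = haar_detail(counts)
        peak = max(range(len(d)), key=lambda i: abs(d[i]))
        if abs(d[peak]) > threshold:            # abnormal communication edge
            edge_anom.append((edge, 2 * peak))  # first slot of the pair with the jump
        if sum(1 for c in counts if c) < min_presence * n_slots:
            first = next(t for t, c in enumerate(counts) if c)
            new_edges.append((edge, first))     # not part of the stable graph
    # Correlation (assumed rule): sort anomalies by time and extend a chain when
    # the previous anomaly's destination is this anomaly's source host.
    chains = []
    for (src, dst), t in sorted(set(edge_anom + new_edges), key=lambda e: e[1]):
        for chain in chains:
            if chain[-1][0][1] == src and chain[-1][1] < t:
                chain.append(((src, dst), t))
                break
        else:
            chains.append([((src, dst), t)])
    return edge_anom, new_edges, [c for c in chains if len(c) > 1]
```

Running `detect(FLOWS)` flags the burst on `web -> db` and the never-before-seen `ext -> web` edge, and chains them into the two-step scenario ext -> web -> db; the steady `ws1 -> web` edge is left alone.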