一种基于图模型的网络攻击溯源方法  被引量：21

作　　者：黄克振 连一峰[1] 冯登国[1] 张海霞[1] 吴迪 马向亮 HUANG Ke-Zhen;LIAN Yi-Feng;FENG Deng-Guo;ZHANG Hai-Xia;WU Di;MA Xiang-Liang(Trusted Computing and Information Assurance Laboratory,Institute of Software,Chinese Academy of Sciences,Beijing 100190,China;University of Chinese Academy of Sciences,Beijing 100049,China;China Cybersecurity Review Technology and Certification Center,Beijing 100020,China;School of Integrated Circuits,Tsinghua University,Beijing 100084,China)

机构地区：[1]中国科学院软件研究所可信计算与信息保障实验室,北京100190 [2]中国科学院大学,北京100049 [3]中国网络安全审查技术与认证中心,北京100020 [4]清华大学集成电路学院,北京100084

出　　处：《软件学报》2022年第2期683-698,共16页Journal of Software

基　　金：国家重点研发计划(2020YFB1806504,2018YFC0824801)。

摘　　要：随着信息技术的飞速发展,网络攻击事件频发,造成了日益严重的经济损失或社会影响.为了减少损失或预防未来潜在的攻击,需要对网络攻击事件进行溯源以实现对攻击者的挖掘追责.当前的溯源过程主要依赖于人工完成,效率低下.面对日益增加的海量溯源数据和日趋全面的溯源建模分析维度,亟需半自动化或自动化的网络攻击者挖掘方法.提出一种基于图模型的网络攻击溯源方法,建立网络攻击事件溯源本体模型,融合网络攻击事件中提取的线索数据和威胁情报数据,形成网络攻击事件溯源关系图;引入图嵌入算法自动学习嵌有关联线索特征的网络攻击事件特征向量,进而利用历史网络攻击事件特征向量训练SVM(support vector machine)分类器,并基于SVM分类器完成网络攻击者的挖掘溯源;最后,通过实验验证了该方法的可行性和有效性.With the rapid development of technologies such as computers and smart devices,cyber attack incidents happen frequently,which cause increasingly serious economic losses or reputation losses.In order to reduce losses and prevent future potential attacks,it is necessary to trace the source of cyber attack incidents to achieve accountability for the attackers.The attribution of cyber attackers is mainly a manual process by forensic analyst.Faced with increasing analysis data and analysis dimensions,semi-automated or automated cyber attackers mining analysis methods are urgently needed.This study proposes a graph model-based attacker mining analysis method for cyber attack incidents.This method first establishes an ontology model for cyber attack incident attribution,and then fuses clue data extracted from cyber attack incidents with various threat intelligence data to construct a cyber attack incidents attribution relationship graph.The graph embedding algorithm automatically learns the representation vector of cyber attack incidents,which embedded clue characteristics of cyber attack incidents,from the attribution relationship graph of cyber attack incidents.And then a classifier is trained with the historical cyber attack incidents representation vector,which classifies the cyber attack incident to one cyber attacker.Finally,the feasibility and effectiveness of the method are verified by experiments.

关 键 词：网络攻击事件 网络攻击者 溯源 网络攻击事件溯源 关系图 图嵌入 

分 类 号：TP309[自动化与计算机技术—计算机系统结构]