Authors: 朱光明 (ZHU Guang-ming) [1], 卢梓杰 (LU Zi-jie) [1], 冯家伟 (FENG Jia-wei) [1], 张向东 (ZHANG Xiang-dong) [2], 张锋军 (ZHANG Feng-jun) [3], 牛作元 (NIU Zuo-yuan) [3], 张亮 (ZHANG Liang) [1]
Affiliations: [1] School of Computer Science and Technology, Xidian University, Xi'an 710071, China; [2] School of Communication Engineering, Xidian University, Xi'an 710071, China; [3] The 30th Research Institute of China Electronics Technology Group Corporation, Chengdu 610041, China
Source: Computer Technology and Development (《计算机技术与发展》), 2023, No. 7, pp. 104-110 (7 pages)
Funding: National Key R&D Program of China (2020YFF0304900).
Abstract: Multi-stage attacks such as Advanced Persistent Threats (APT) are complex and diverse, stealthy and persistent, and pose a serious threat to network security. Studying the attacker's strategy and predicting its subsequent attack steps is therefore an important research topic for defenders. To address the difficulty of predicting the trend of multi-stage attacks, this paper proposes a multi-stage attack trend prediction algorithm based on attack context analysis, which extracts the attack context from system logs and predicts the subsequent attack steps. The algorithm first analyzes the existing attack context through causal graph construction, abnormal log sequence extraction and abstract text representation; it then uses a Transformer model to predict the subsequent attack trend from the attack sequences already detected. The algorithm was evaluated on the open-source ATLAS and HDFS datasets. On more than 7000 sequences of the ATLAS dataset, it achieves a one-step prediction accuracy above 90% and a five-step prediction accuracy of 74%. The experiments show that attack trend prediction based on attack context analysis is a feasible approach and offer a new direction for research on network attack prediction.
Keywords: network security; causal graph; attack prediction; natural language processing; Transformer
Classification code: TP391 [Automation and Computer Technology: Computer Application Technology]