Authors: GAO Qingguan; ZHANG Bo; FU Anmin [3] (School of Computer Science and Engineering, Southeast University, Nanjing 211189, China; Nanjing Saining Information Technology Co., Ltd., Nanjing 211100, China; School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing 210094, China)
Affiliations: [1] School of Computer Science and Engineering, Southeast University, Nanjing 211189; [2] Nanjing Saining Information Technology Co., Ltd., Nanjing 211100; [3] School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing 210094
Source: Netinfo Security (信息网络安全), 2023, No. 12, pp. 59-68 (10 pages)
Funding: National Natural Science Foundation of China [62072239]; Natural Science Foundation of Jiangsu Province [BK20211192]; Future Network Scientific Research Fund of Jiangsu Province [FNSRFP-2021-ZD-05]
Abstract: Traditional intrusion detection tools cannot detect advanced persistent threat (APT) attacks, and the volume of alerts they raise causes threat alert fatigue. To address both problems, this paper proposes ADBAG (APT Detection Based on Attack Graph), an attack-graph-based APT detection method. ADBAG generates an attack graph from the network topology, vulnerability reports and related information, and uses the graph to analyse attacker behaviour in advance, which effectively addresses the alert fatigue problem. Combining the ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) model with a three-phase APT detection model, a missing-path matching and scoring algorithm is designed to analyse and detect APT attacks from a global view of the whole attack. A grey-list-based multi-attack-entity association method is also designed to ensure the accuracy of the generated APT attack evidence chain. Experiments on public datasets show that ADBAG detects APT attacks effectively, including APT attacks that exploit zero-day vulnerabilities, and can further locate the scope affected by an attack.
Classification code: TP309 [Automation and Computer Technology / Computer System Architecture]
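The abstract describes the pipeline only at the level of its components. The Python block below is an illustration added here, not the ADBAG code from the paper, and shows the general shape of attack-graph-based alert correlation: an attack graph built from a reachability table and a vulnerability report, enumeration of attack paths to a target host, an ordered matching of ATT&CK-tactic-tagged alerts against each path that tolerates missing steps, and a grey list for alerting hosts that the best-scoring path does not explain. The topology, the vulnerability labels (vuln-web-1 and so on), the alerts and the coverage threshold are all constructed for the example; the paper's actual scoring formula, three-phase model and grey-list rules are not reproduced.

```python
"""Toy attack-graph path scoring for alert correlation.

Added illustration, not the paper's ADBAG implementation. All inputs below
are constructed; vulnerability labels are placeholders, not real identifiers.
"""
from collections import defaultdict

# Constructed reachability table: attacker on src host can talk to dst hosts.
REACH = {"internet": ["web"], "web": ["app", "fileshare"], "app": ["db"], "fileshare": []}

# Constructed vulnerability report: host -> (placeholder vuln label, ATT&CK tactic
# that exploiting it would correspond to).
VULNS = {
    "web": [("vuln-web-1", "initial-access")],
    "app": [("vuln-app-1", "lateral-movement")],
    "fileshare": [("vuln-fs-1", "lateral-movement")],
    "db": [("vuln-db-1", "collection")],
}

# Constructed alerts, already mapped to an ATT&CK tactic by the detector.
# The expected step on "app" has no alert: a gap the path matcher must tolerate.
ALERTS = [
    {"t": 1, "host": "web", "tactic": "initial-access"},
    {"t": 2, "host": "fileshare", "tactic": "lateral-movement"},  # not on the path to db
    {"t": 5, "host": "db", "tactic": "collection"},
]


def build_attack_graph(reach, vulns):
    """Edge (src, dst, vuln, tactic): an attacker holding src can exploit vuln on dst."""
    edges = defaultdict(list)
    for src, dsts in reach.items():
        for dst in dsts:
            for vuln, tactic in vulns.get(dst, []):
                edges[src].append((src, dst, vuln, tactic))
    return edges


def enumerate_paths(edges, start, target, path=None):
    """Depth-first enumeration of simple attack paths from start to target."""
    path = path or []
    if path and path[-1][1] == target:
        return [path]
    visited = {start} | {e[1] for e in path}
    cur = path[-1][1] if path else start
    out = []
    for e in edges.get(cur, []):
        if e[1] not in visited:
            out.extend(enumerate_paths(edges, start, target, path + [e]))
    return out


def score_path(path, alerts):
    """Missing-path matching: walk the path in order, consuming the earliest alert
    that matches (host, tactic) and is not older than the previous match.
    Steps without an alert are recorded as missing instead of failing the path.
    Returns (coverage, matched_steps, missing_steps)."""
    remaining = sorted(alerts, key=lambda a: a["t"])
    last_t = float("-inf")
    matched, missing = [], []
    for _, dst, vuln, tactic in path:
        hit = next((a for a in remaining
                    if a["host"] == dst and a["tactic"] == tactic and a["t"] >= last_t), None)
        if hit is None:
            missing.append((dst, vuln))
            continue
        remaining.remove(hit)
        last_t = hit["t"]
        matched.append((dst, vuln))
    return len(matched) / len(path), matched, missing


def correlate(edges, alerts, start="internet", target="db", min_coverage=0.6):
    """Pick the best-covered attack path; hosts that alerted but are not on that
    path go to a grey list (candidates for later association, not evidence yet)."""
    best = None
    for path in enumerate_paths(edges, start, target):
        coverage, matched, missing = score_path(path, alerts)
        if coverage >= min_coverage and (best is None or coverage > best["coverage"]):
            best = {"coverage": coverage, "chain": matched, "missing": missing}
    if best is None:
        return None
    on_chain = {host for host, _ in best["chain"]}
    best["grey_list"] = sorted({a["host"] for a in alerts} - on_chain)
    return best


GRAPH = build_attack_graph(REACH, VULNS)

if __name__ == "__main__":
    result = correlate(GRAPH, ALERTS)
    print("evidence chain:", result["chain"])
    print("missing steps :", result["missing"])
    print("grey list     :", result["grey_list"])
```

With the constructed inputs the only internet-to-db path is web, app, db; two of its three steps are observed, so the chain is accepted at a 0.6 threshold with the app step reported as missing. In this toy model a missing step between observed steps is where an analyst would look for an exploit the vulnerability report did not contain, and the fileshare alert stays on the grey list rather than being appended to the evidence chain. The threshold and the strict "same host and tactic" matching are example choices, not the paper's.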