Authors: 郭钰铮 (GUO Yuzheng), 郭春 (GUO Chun) [1,2], 崔允贺 (CUI Yunhe) [1,2], 李显超 (LI Xianchao) (College of Computer Science and Technology, Guizhou University, Guiyang 550025, China; Engineering Research Center for Text Computing and Cognitive Intelligence, Ministry of Education, Guiyang 550025, China)
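Affiliations: [1] College of Computer Science and Technology, Guizhou University, Guiyang 550025; [2] Engineering Research Center for Text Computing and Cognitive Intelligence, Ministry of Education, Guiyang 550025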
Source: 《信息网络安全》 (Netinfo Security), 2024, No. 8, pp. 1241-1251 (11 pages)
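Funding: National Natural Science Foundation of China [62162009, 62102111]; Guizhou Provincial Higher Education Big Data and Network Security Innovation Team [黔教技[2023]052]; Guizhou Provincial Science and Technology Program [黔科合平台人才GHB[2023]001].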
Abstract: To achieve the long-term goal of information theft, data-stealing Trojans typically employ a trigger execution strategy, which gives the execution of their malicious actions high concealment and uncertainty. The mainstream defense models against data-stealing Trojans adopt a passive defense strategy that monitors and detects the behavior of these Trojans, and are prone to missed detections and delayed detection. To improve defense effectiveness, this paper introduces inducement operations to construct an inducement-based defense strategy targeting data-stealing Trojans. Using stochastic game nets, the paper models and analyzes the confrontation process between data-stealing Trojans and defenders, resulting in the Inducement Game Model of Data-Stealing Trojan (IGMDT-SGN). IGMDT-SGN gives a clear illustration of the strategic logic and temporal relationships involved when the defender employs the inducement-based defense strategy against these Trojans. Quantitative analysis through model calculations shows that the inducement-based defense strategy in IGMDT-SGN outperforms the passive defense strategy in terms of defense success rate and average defense time. This finding provides a useful reference for defending against data-stealing Trojans.
Classification number: TP309 [Automation and Computer Technology: Computer System Architecture]